Apple has unveiled its long-awaited Apple Watch, which the company says will begin shipping in nine countries on April 24.
The price of the watch will run from $349 to as much as $10,000 for a high-end version that’s built with 18-karat gold alloys. A new Apple Watch App Store will provide software that runs on the devices, which have a promised average battery life of 18 hours.
Despite the so-called “smartwatch” sector still being nascent, many analysts expect to see Apple sell a relatively large number of the new devices. “There’s not a single killer app. It’s a collection of experiences to create a device that I think people will buy,” says Patrick Moorhead, president of Moor Insights & Strategy.
But some outstanding questions center on whether the wearable devices will keep users’ data safe and secure, especially when people begin using their Apple Watch to make payments.
Here are eight security-related issues highlighted by information security experts:
1. Shakedown Imminent
Both for GPS and wireless connectivity – including downloading watch apps – Apple says the Apple Watch must be paired with an iPhone, and in particular, an iPhone 5 or newer, running at least iOS 8.2, which was released March 9. Pairing the Apple Watch with an iPhone also allows users to make payments with the watch via Apple Pay – so far, this feature is only available in the United States – or display a Passbook boarding pass.
Apple says the Apple Watch will pair with an iPhone via Wi-Fi – 802.11b/g – as well as Bluetooth 4.0.
Of course, it’s only a matter of time before enterprising researchers begin testing whether they can intercept – sniff – or spoof the wireless communications that flow between an Apple Watch and the iPhone to which it’s been paired. “Given the fact that it is a high-profile device – which will have wide adoption – you can bet security researchers and hackers alike will be poking and prodding the watch to find new vulnerabilities as well as take advantage of existing attack vectors, leveraging weaknesses in both Wi-Fi and Bluetooth,” says Ken Westin, senior security analyst for IT security vendor Tripwire.
2. Sniffing, Skimming, Apps
Indeed, there are known vulnerabilities associated with both Wi-Fi and Bluetooth, and related flaws could be found either in Apple’s related implementations, or via the third-party apps that are designed to run on, or work with, Apple Watch.
But for now, of course, it’s not clear whether Apple Watch might be susceptible to related attacks. “As to how vulnerable the design is, that will remain a mystery until the device is released and the full community of researchers has had a chance to review and sniff the traffic between the Apple devices as well as review the software development kits for the new device,” says Philip Lieberman, president of identity management software vendor Lieberman Software.
3. Location Tracking
Many manufacturers of wearable devices have so far failed to secure the data they collect, which leaves that data open to interception. Alternately, individual devices might be “fingerprinted” based on the way they use Bluetooth or Wi-Fi.
“As the device is utilizing both, it will also be interesting to see how that data can be used to track individuals in physical spaces, as this has both security and privacy implications – not just from a malicious attacker’s perspective, but also overzealous marketing,” Tripwire’s Westin says. “The fact the Apple Watch also integrates third-party apps could also increase security and privacy concerns.”
4. Wireless Security Warnings
In general, security experts recommend disabling all wireless networking technologies when in untrusted environments. “I, for one, always have Wi-Fi and Bluetooth disabled on my phone when I travel outside my premises, both for battery life and security,” says Brett Fernicola, CISO of data security software vendor Stealthbits Technologies. But because such networking is required to support many Apple Watch features, users would have a disincentive to disable it.
5. Fraudster Watch
Could Apple Watch be worn by fraudsters? Apple says that after removing the watch, every time a user puts it on again, they must enter a code to unlock the payment functionality.
But some recent fraud reports have centered on thieves loading stolen card data into Apple Pay on iPhones, and then making purchases. According to mobile payments and e-commerce strategy and advisory firm DROP Labs, up to 6 percent of all Apple Pay transactions have been fraudulent, compared with an average of less than 1 percent for U.S. credit card transactions.
Still, many fraud experts say the problem isn’t linked to hardware-level security problems, but, rather, poor back-end authentication practices by banks, which are failing to adequately verify cards when they get loaded onto an iPhone, in advance of Apple Pay purchases.
Gartner analyst Avivah Litan doesn’t expect Apple Watch, which can be used to make touchless payments when paired with an iPhone that uses Apple Pay, to alter that fraud situation. “I don’t think we will see any unique fraud issues with Apple Watch and Apple Pay, vs. iPhones and Apple Pay,” she tells Information Security Media Group. “It’s the same issues, I think, although the fraud-related information sent by an iWatch – vs. that sent by an iPhone – to an issuing bank may be less granular or rich.” Such information helps banks apply context-aware security to better identify and reject transactions – or Apple Pay accounts – that appear to be fraudulent.
6. Bank Buy-In
What’s not yet clear, however, is whether banks can resolve Apple Pay-related challenges to their liking. If not, Apple users may find fewer merchants and banks accepting Apple Pay. “Some banks have had a very negative reaction to Apple Pay fraud, and in the words of one banker, believe ‘Apple has thrown them under the bus’ and should take more responsibility for fraudulent enrollments, since they are all done through Apple accounts,” Litan says.
So fraud experts are waiting to see if the Apple Pay ecosystem might suffer a backlash from banks, potentially leading to an overhaul of how such systems work. For example, Litan says, a mobile payment provider – such as Apple – might assume responsibility for all transactions, including related fraud. “Either that, or the banks need to change the registration process on the mobile phones so that they totally own it and don’t split customer ownership with the mobile payment provider.” With either change, however, users would arguably benefit from a reduced risk of fraud.
7. Contactless Payment Upsides
Using Apple Pay via an iPhone or Apple Watch requires “contactless” – using near-field communications – POS terminals. They’re now widespread in Europe, but still being rolled out across the United States, driven, in part, by the October 2015 liability shift, in which any merchant or issuer that doesn’t support EMV takes responsibility for all fraudulent transactions. As those terminals arrive, they could also drive a reduction in payment-card fraud rates, financial services experts say, thanks in part to Apple Pay’s use of tokenization, which substitutes a unique code in place of an actual card number or related data.
“These terminals will not only accept these new chip cards but will also include NFC, which means that they will already be programmed to accept Apple Pay,” says David Pollino, senior vice president and enterprise fraud prevention officer for Bank of the West. In addition, they will be using “an already established, new security system,” which will give banks more techniques for identifying and blocking fraud, regardless of whether those payments are made using an Apple Watch, iPhone or payment card.
8. Rogue NFC Terminals
Despite such security upsides, once an Apple Pay device, including Apple Watch, is unlocked, an attacker could potentially use it to make fraudulent purchases, warns Dave Jevans, co-founder of the Anti-Phishing Working Group and chief technology officer of mobile security firm Marble Security. “It’s a dangerous recipe, especially when you think that many retail stores have emitters fraudulently scanning credit cards,” he says. “They could run NFC terminals to slurp unauthorized payments.”