Unlock iPhone with Watch? Regret over Apple's 'security retreat'

In iOS 14.5, Apple will allow corporate users wearing masks to unlock their iPhones with an Apple Watch (watchOS 7.4). However, this is a classic example of the trade-off between convenience and security. If corporate users do not disable this feature, it can become a big flaw in corporate security.

In short, this feature will make it easier for industrial spies and cybercriminals to steal corporate intellectual property. The concern is all the greater because, with COVID-19, such key information is even more likely to be created, stored, and transmitted on smartphones than it was in 2019.

Apple explained that this new feature is only used to unlock the phone (which is very bad by itself). Apple Card, Apple Pay, and third-party apps that use Face ID authentication, such as banking and securities apps, cannot have their authentication bypassed with the Apple Watch. This explanation immediately shows which part of Apple's security has been sacrificed by this move.

Let's take a closer look at the principles and background of Apple's new feature. First off, in terms of security, this is terrible. It will be a major headache for corporate IT because it jeopardizes highly sensitive corporate data.

On the other hand, it is a very impressive improvement in terms of convenience. In the COVID-19 pandemic, the process of unlocking the phone starts with recognizing that someone is wearing a mask. Once the mask is recognized, the phone is unlocked, assuming there is an already unlocked Apple Watch nearby. What actually happens behind the scenes is that PIN entry on the phone is replaced by PIN entry on the watch. This can be very useful.

How helpful is this approach? How much more convenient is it, to be precise? It is clear that this feature is a good idea. However, I can't agree that it is more useful than the other methods. For example, many users enter their iPhone PIN several times a day. Most iPhone users are so familiar with the operation that it takes less than a second. I'm not sure it's really worth taking this risk from a security standpoint to save at most two seconds at a time.

Apple Watch-iPhone authentication is similar to Unix's concept of a 'trusted host'. In other words, if the user has already been authenticated by the watch, it follows logically that other tasks performed through the watch are trusted too. However, from a security standpoint, this convenience can create a more favorable environment for criminals. Suppose someone steals an employee's phone and watch, perhaps while the employee is asleep on the subway. Or the thief might simply take them at knifepoint.

Under these circumstances, even Apple's much-touted security measures struggle to work. First of all, the biggest risk is that the PIN can be stolen by someone looking over the user's shoulder. Using a longer PIN will help prevent this theft, but the Apple Watch still supports up to 4 digits, which is relatively easy to steal. That means all of Apple's security can be breached with four digits.

Now the criminal can wear a mask and use the watch's four-digit PIN to unlock the phone. What information will this criminal get? In fact, a massive amount: all emails, all texts, everything recorded in the Notes app, all photos, all voicemails, all recently called numbers, location history, and all the places the user has recently driven to and visited. This information cannot be sold right away or turned directly into money. But for an industrial spy, access to such sensitive information would be like discovering a treasure.

There is another reason for criminals to steal phones and watches together. Apple has put a small safeguard in the Apple Watch that allows users to detect and respond when someone steals their phone and unlocks it. For example, if your iPhone is unlocked while you step away for a moment at a coffee shop, you'll get a notification on your Apple Watch that the phone has been unlocked. From there, the user can disable the phone by locking it again through the watch. Of course, this is only possible if the user immediately checks and responds to this message on the Apple Watch.

In the end, given this safeguard, the temptation to steal all of a user's smart devices together is even greater. It's not easy to find a pretext to strip a watch from a user's wrist, but companies won't want to create this situation in any way. If companies are targeted by cybercriminals and industrial spies, and the information they are trying to steal is worth millions of dollars, stealing both the iPhone and the Apple Watch could be a relatively simple way to hurt the business.

Meanwhile, according to 9to5Mac, Apple plans to support more control when the Apple Watch is connected to a Mac than when it is connected to an iPhone. The article mentioned using the Apple Watch on a Mac to access System Preferences controls or to perform various authentication tasks, such as making Apple Pay payments. In terms of security, I'm very happy that Apple cares more about the iPhone than the Mac. But it is still not enough.
