The basic security measure on the Apple Watch makes a lot of sense. When you put the watch on, you enter a passcode (or unlock your iPhone) and it senses contact with your wrist. As long as you keep the device on and maintain that contact, the watch assumes that it’s still safe with its trusted BFF. But if you take the watch off, it starts demanding the passcode again. It’s simple and smart, but there’s a problem.
As iDownloadBlog discovered, Apple Watches have a bug that allows someone (like a thief, for example) to do a hard reset on a unit without knowing its passcode (see video below). Pressing and holding the Apple Watch’s Contacts button initiates a sequence that includes the option to erase everything on the watch, including settings like the passcode. And you don’t need the passcode to do it. Once the unit has been wiped, it’s essentially brand new again, and ready to be paired with a new iPhone.
Apple has made progress closing this type of loophole on iPhones themselves, which has successfully reduced theft rates. Apple introduced Activation Lock in 2013 as part of iOS 7, and the feature is turned on by default in iOS 8. Activation Lock demands the owner’s Apple ID and password to turn Find My iPhone off, no matter how many times someone hard resets a device. It also asks for the Apple ID and password if the owner remotely wipes the device.
The Apple Watch is in its early days, so it’s not surprising that there are issues Apple needs to work out. But given that this is a particular security area where Apple has done a lot of mobile development, it seems like a strange and problematic oversight. The company needs to release a fix quickly.