After what seems like the longest wait for iOS 14.5, the iPhone update has finally arrived. If you’ve already installed it, along with watchOS 7.4, you’ll likely have already enabled the unlock with Apple Watch feature. This was introduced to overcome the fact that the latest iPhone models, without Touch ID, could not be unlocked using Face ID if the user was wearing a mask. It all sounds great, in theory, that now you can unlock your iPhone with a mask on as long as you are also wearing your watch. In practice, you should consider the security and privacy implications before enabling the option, as an eight-year-old girl demonstrated.
I was a long-standing Android user, specifically of the Samsung Galaxy range, before switching to an iPhone 12 Pro Max as my primary smartphone, so this kind of unlock functionality is hardly new to me. I had the option to use Google Smart Unlock, which could keep my phone unlocked if it detected I was carrying the thing, if I was in a specified trusted location or using a trusted device like my smartwatch. I didn’t use any of them because they were all flawed in terms of security: devices could be 300 feet away, anyone in that location could access my phone, and anyone carrying it could do the same.
Apple has gone for a more limited approach to this smart unlocking of the iPhone, but it still remains flawed, as Jake Moore, cybersecurity specialist at ESET, found out.
“After setting up iOS 14.5,” Moore told me, “I asked my eight-year-old daughter to test the security on the basis that kids make the best hackers.” She put on a face mask and immediately gained access to the iPhone with an upward swipe. “I was notified on my watch that it was unlocked, and I had the option of locking it, but this could easily be missed and gives threat actors yet another tool in their kit to exploit,” Moore warns.
I tested this myself, with the help of my partner, who was masked up in the kitchen with my iPhone. First, I went to the living room at the opposite end of the house, and the iPhone unlocked. Then I tried it while I was upstairs, in my office at the other side of the house to the kitchen, and it worked. I can confirm that my partner looks nothing like me, even with the mask on. Indeed, Apple support on the subject states that “the feature doesn’t use Face ID to recognize and authenticate you,” and when you enable the feature, you are reminded it will unlock when “any face with a mask is detected while your watch is unlocked and nearby.”
There are, of course, a whole host of security safeguards in place. So, your watch needs to have a passcode enabled as well as the wrist detection feature. When your iPhone is unlocked, a notification pops up on the Apple Watch, along with a haptic buzz, to let you know. This notification also includes a ‘Lock iPhone’ button which will do what it says on the tin if you didn’t access the device. However, the haptic buzz failed me on one occasion during my own testing; if it did happen, I certainly didn’t feel it. This reinforces the concern that you could easily miss the notification, and that could leave someone else with access to your device and the data on it. The implications for someone in an abusive relationship are easy to grasp.
One thing that is worth pointing out is that if you do use the ‘Lock iPhone’ button on your Apple Watch, this effectively disables the unlock feature until your passcode is entered. This would prevent someone from being able to get access immediately and is a welcome protection.
So, will I be using this functionality? Nope, sorry, not worth the risk, no matter how small that risk might be. Your mileage may well vary, and only you can make that call. But being aware that anything that, as Moore says, “bypasses the strongest form of security by nature weakens it,” should guide your decision making. Knowing the limitations and implications of such a function should always feature in your risk analysis.
“The battle between convenience and security is a long-drawn-out battle between users and the security industry,” Moore continues. “Allowing users to open a device which isn’t yours is a serious blow to security and should only be used if it’s absolutely vital and poses less of a risk than typing in your passcode in a public place.”
For me, personally, typing in a PIN or passcode on my iPhone while wearing a mask is annoying. I’d much rather have Touch ID on the power button, to be honest. However, it only takes seconds to do so, and that’s not going to ruin my day. My Apple Watch already helps in this regard, with an app (Bring) that lets me make a shopping list on my phone or desktop and then access it on my wrist in the supermarket with no iPhone unlocking involved, and ditto for music playback with Spotify. You still need to unlock your iPhone by a more secure means to use Apple Pay, and the unlock doesn’t extend to opening apps that require Face ID or a passcode, anyway. Of course, I already use Apple Pay on my watch…
Apple has put all the steps in place that it reasonably can to make this as secure as possible. Apart, that is, from limiting the range between watch and phone, so it only works within the distance between your wrist and your face, for example. Of course, if this was an easy thing to accomplish, I suspect Apple would have implemented that.
The Apple support page for unlocking your iPhone with an Apple Watch states that both Wi-Fi and Bluetooth need to be enabled for the feature to work.
I have reached out to Apple for comment and will update this story if I hear back.