
Apple Watch Ultra 2 Hacked

310 points | con | 2 years ago | discussions.apple.com

169 comments

[+] MichaelMug|2 years ago|reply
I don't know what the catalyst for this was, but a lot of 20-year-olds and younger seem to use the word hacked so casually.

I read it all the time, "my insta was hacked", etc.

I would really like to know if hacking is as common as it is reported rather than a successful phishing campaign, a simple issue of forgotten password or getting locked out of email, account ban for rule violation, or something else entirely unrelated to actual hacking.

In this case my skepticism skyrocketed when the hackers write "we are in control".

[+] caskstrength|2 years ago|reply
> I don't know what the catalyst for this was, but a lot of 20-year-olds and younger seem to use the word hacked so casually.

It is a mechanism of shifting responsibility. If your password is "1234" and you gave it away to a totally legit MS support center employee that called you recently because MS has detected that your iPhone has a virus, then it is on you. But if North Korean hackers compromised your watch via elaborate hacking campaign to mine bitcoin on it, then it is "not your fault".

[+] parsimo2010|2 years ago|reply
If the original account is to be believed, they did not know the owner’s passcode/PIN. The attackers gained remote access to a device without the passcode/PIN. This suggests it was not phishing.

It sounds like a legitimate usage of the word “hacked” to me. Maybe not the most critical vulnerability because they did not gain full access, but they managed to gain some level of control of the owner’s watch without their permission, and it sounds like the reason was not that they left it lying around unlocked (to be clear it sounds like they got control because the watch was unlocked on the owner’s wrist, but they were accessing it wirelessly; sounds like an issue with Apple’s security model that can be fixed).

[+] whycome|2 years ago|reply
There's this site that provides news for these "hackers" and I'm not convinced any of them actually do any hacking.
[+] kvakkefly|2 years ago|reply
My Skype account was hacked many years ago. It started with me getting an email about some credits being added (from my credit card that was in the system).

When I logged onto Skype, I had a new name, and a new contact, both of which were Ivan something. I immediately started chatting with Ivan, who told me that there was a weakness in the Skype login security, which he tried to exploit.

I changed my password to another Medium to Strong password, and a few minutes later my name was again changed to “Anders xoxo Hafreager”, and a message that he had hacked me again.

I still don’t know what he did or how he did it.

[+] teekert|2 years ago|reply
So true. Normies be using security questions like “What was your first dog called?” while posting about their first dog’s name in public #insta while complaining about being targeted by a 1337 h4x0r.
[+] lagadu|2 years ago|reply
Hacking is largely used to mean the breaching of a system by some unauthorized actor, and why shouldn't it? Word meanings change over time and this one got broader.

That said, phishing is a form of hacking the individual so even by a strict definition it still works.

[+] pflenker|2 years ago|reply
While I agree with you in general, the behavior described in the article should not be observable without an actual hack.
[+] throwbadubadu|2 years ago|reply
Not sure if catalyst, but if the crowd learns something it is corpos and governments telling almost always the same story of getting hacked, cyberattacked, with the worst of criminal energy, even if it's the most simple letting unpatched (more 1000days than 0days) software run or pretty much unsecured systems out open in the wild... it is the common excuse everywhere for not understanding of an admitted for most too complex tech world.
[+] andrepd|2 years ago|reply
Anecdotal, but 17 years ago it was also common to say "my runescape got hacked!" when in fact you typed your password on some runes-cape.freewebs.biz :)
[+] Towaway69|2 years ago|reply
Perhaps there is more to hack? At least when I was 20 years old, the only thing to be hacked was the dial-phone, a paper phonebook and perhaps a fax. Social media didn't exist.

Having so many accounts where some stuff might (or might not) be important, folks get very sensitive to being "hacked". Or in other words, having a stranger break in and rummage through their underwear.

[+] konart|2 years ago|reply
At some point the same happened in computer games. Suddenly every "cheater" or "abuser" became a "hacker".

Different times.

[+] exadeci|2 years ago|reply
Someone posted a video and either the screen is having some ghost touches or the watch is actually getting brute forced
[+] eviks|2 years ago|reply
phishing campaign is a method of hacking
[+] Dalewyn|2 years ago|reply
Hack in popular tongue has always meant authentication breaches in general, the method is not important. It's been this way for as long as internet has been a household word.
[+] toddmorey|2 years ago|reply
I mean, there is Apple Watch Mirroring, which does allow remote control of an Apple Watch for accessibility purposes. If they were able to somehow exploit that, I would consider it hacking.

I sort of hate how this thread immediately rallied around “must be crazy people hallucinating” and I hope Apple takes the reports a bit more seriously & investigates.

Edit: I do agree that passwords guessed or phished don’t count in my mind as hacking.

[+] LeoPanthera|2 years ago|reply
This is so hard to believe that I simply don't.

Either the user had a bad digitizer, and misread and/or hallucinated the "We are in control" message, or the entire story is made up. Perhaps a group of people working together to post "Hey me too!" stories? I'm not sure what the motive would be, though.

Extraordinary claims require extraordinary evidence, and this is beyond believability.

[+] Toutouxc|2 years ago|reply
> they popped up the keyboard and typed “We are in control”

This reads like bad hacking fiction, complete with the guy typing that wearing a Guy Fawkes mask. Why the hell would the (hypothetical) attacker lose precious time doing something like that.

[+] tinycoder25|2 years ago|reply
I wonder why most of the comments take it very casually and say maybe an issue with digitizer/ghost touch. Had it been any other OEM, this would have been such a big issue with anecdotes of why people trust Apple products.
[+] rpy|2 years ago|reply
If you were genuinely remotely hacking a smartwatch, you’d be executing background processes to exfiltrate data entirely invisible to the user, not doing some bizarre remote desktop thing randomly tapping around on apps. The claim doesn’t pass the sniff test irrespective of the manufacturer.
[+] jeppester|2 years ago|reply
Exactly. This comment section really is a display of the Apple bias on HN.

I don't doubt that this might be nothing, but seeing all these commenters completely dismissing it is rather odd.

Hopefully Apple is less dismissive of this potential security issue.

[+] nicolas_t|2 years ago|reply
It’s because a lot of people on HN have dealt with bug reports from users that were clearly fabulations after investigating thoroughly
[+] yreg|2 years ago|reply
Many commenters might be confident because they are familiar with the device, its security and perhaps even development for it.

If this is a software (or somehow even a hardware) issue, then it's still not positive for Apple.

[+] jmull|2 years ago|reply
From experience, you really can't just take user reports at face value. There's almost always something there, but it may or may not be what the user thinks it is.

So it's a good idea to apply Occam's razor.

Digitizer/ghost touch is probably the simplest explanation.

The only thing the hacked/pwned idea has going for it is the "We are in control" message, which is still a bit marginal if the watch really was hacked. (None of the other posts mention this and why would a hacker type that message in? Could be because it's a practical joke or maybe part of a phishing attack, but those are tenuous and nothing else mentioned supports those.)

[+] clawoo|2 years ago|reply
I would have said the same thing if it wasn't for the recording in the forums which shows it pretty clearly as "random touches".
[+] Astraco|2 years ago|reply
If you have access to control the touch interface or to type a message on the screen you already have full control of the device. Look at the video, the input is so random, it's a software bug.
[+] tovkal|2 years ago|reply
iOS developers who have done work for watchOS know that, during development, you are barely able to connect an Apple Watch to Xcode. It is flaky as hell. So thinking that someone can remotely control an Apple Watch is a bit hard to believe.

Ghost touches and typing "we are in control" with predictive text, sounds more plausible but still raises an eyebrow.

[+] numpad0|2 years ago|reply
I had been locked out of iPhone in my pocket in hot summers due to presumably ghost touches. Maybe people know it happens with Apple products.
[+] rf15|2 years ago|reply
I think the "We are in control" thing is a dead giveaway that this is fake. Communicating with the victim might be essential to get access, but afterwards it's just about extracting whatever you need as fast as possible in my understanding.
[+] hyperhello|2 years ago|reply
Is it possible there’s an exploit to remotely touch, which at first looked random, but as people figured it out learned to actually operate the device?
[+] Szpadel|2 years ago|reply
let's imagine that that's the case. imagine that you are the attacker that figured that out, what are you going to do? start attacking random people with random clicks on their screen or keep it in private until you figure out details how to make it useful?

that's why this sounds like some kind of hardware malfunction (or some substance on touch screen - I personally experienced ghost touches on my phone from dirty screen) or it's some kind of prank by kids using some flipper and previously authorized device or something similar

[+] rollulus|2 years ago|reply
So an attacker has gained remote access, yet needs to perform operations using a sort of Remote Desktop approach? Plausible — in movies.
[+] jeroenhd|2 years ago|reply
Apple Watch does have a remote control feature, intended for controlling the watch from your phone, as part of the accessibility options. It's certainly technically possible that this feature is being abused to get access to data that would otherwise be locked down by Apple's strict sandbox post-exploitation.

Or, more likely, it's some kind of shitty prank by someone nearby to the users.

[+] Swizec|2 years ago|reply
I had a similar issue a few days ago. Watch started pressing random buttons and wouldn’t let me intervene. After a while it stopped.

The presses were completely random and amounted to nothing. Looked like the process that reads touch went into an infinite loop of some sort.

Has only happened the one time. Lasted about 2 minutes. I may have rebooted the watch to make the issue go away, can’t remember.

[+] TheAceOfHearts|2 years ago|reply
First of all, why would anyone even care about you enough to want to steal whatever health data is available? Is there any particularly sensitive personal info stored there?

Second, presumably if one gains access to the device through a sophisticated hack they'd probably also be able to exfiltrate data without having to alert the user.

With all of that being said, I wish there was some sort of black box mechanism for logging certain events in such a way that the device itself can't tamper with it. That way you'd have a log that can be easily analyzed to judge whether or not a hack is likely to have taken place. Right now if you open the syslog on an Apple device it's filled with so much crap that it's basically impossible to detect if anything nefarious was likely to be happening.

[+] yreg|2 years ago|reply
> First of all, why would anyone even care about you enough to want to steal whatever health data is available? Is there any particularly sensitive personal info stored there?

This is a strange argument. Of course there can be sensitive data there. Photos, (i)Messages, eMail, calendar events, addressbook, health data, voice recordings, location data. The device is password-protected for a reason.

It is also usually connected to a paired iPhone and to the Internet. You might be able to do some shady stuff with the phone using private APIs.

[+] kfreds|2 years ago|reply
> .. I wish there was some sort of black box mechanism for logging certain events in such a way that the device itself can't tamper with it..

This is called an append-only log. It can be built in many ways. Which way is suitable largely depends on the security requirements.

My personal favorite kind of append-only logging is transparency logging. If you'd like to learn more you can check out e.g. sigsum.org, an open-source project my colleagues and I have been working on for several years now.
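
Added example, not part of the comment above and not Sigsum's design: a minimal hash-chained append-only log in Python, showing why the chain head has to be recorded off-device before the log resists tampering by the device itself. The event names, the `witnessed` mapping and all sample data are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed start value for the chain


def entry_hash(prev_hash, event):
    """Hash of one entry, bound to the hash of the entry before it."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def build_chain(events):
    """Return [(event, hash), ...]; each hash covers every earlier entry."""
    chain, prev = [], GENESIS
    for event in events:
        prev = entry_hash(prev, event)
        chain.append((event, prev))
    return chain


def verify(chain, witnessed):
    """Check the chain, then compare it with heads held by an outside party.

    witnessed maps entry count -> head hash recorded off-device (assumption).
    """
    prev = GENESIS
    for i, (event, stored) in enumerate(chain, start=1):
        prev = entry_hash(prev, event)
        if prev != stored:
            return f"broken chain at entry {i}"
        if witnessed.get(i, prev) != prev:
            return f"history rewritten before checkpoint {i}"
    missing = [n for n in witnessed if n > len(chain)]
    if missing:
        return f"log truncated below checkpoint {min(missing)}"
    return "ok"


# Constructed sample events, not taken from any real device log.
EVENTS = [
    {"t": 1, "event": "unlock", "source": "wrist"},
    {"t": 2, "event": "remote_input_session", "source": "paired_phone"},
    {"t": 3, "event": "passcode_failed", "count": 5},
]
honest = build_chain(EVENTS)
witnessed = {3: honest[-1][1]}  # head hash sent off-device after entry 3

# In-place edit of entry 2: the stored hash no longer matches.
edited = [honest[0], ({"t": 2, "event": "idle"}, honest[1][1]), honest[2]]
# Full rewrite: every hash recomputed, so the chain is self-consistent.
rewritten = build_chain([EVENTS[0], {"t": 2, "event": "idle"}, EVENTS[2]])
```

`verify(rewritten, {})` returns `"ok"`: without a head hash held somewhere the device cannot reach, a complete rewrite is indistinguishable from an honest log.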

[+] saagarjha|2 years ago|reply
I just looked through what Health stores and it has fields for your lab test results and sexual history. Seems fairly sensitive?
[+] jmull|2 years ago|reply
My clever idea to explain this is:

A factory test script is getting triggered on the watch somehow.

It would normally be run near the end of the manufacturing process to ensure everything is working as expected. It automatically runs through a series of steps hitting a wide swath of watch functionality and would look a lot like someone rifling through a watch remotely. But a person's watch wouldn't have test data or factory password, so the script soon ends up getting the watch locked (or maybe that's just part of the test).

It could even conceivably type the message "We are in control" (though I have my doubts about that part of the story), because, as those of us who know some hardware verification folks, that's right where their sense of humor is.

[+] herbst|2 years ago|reply
If this is actually a bug as most of you think. It's likely a hardware bug and all these devices are kinda faulty? Isn't that the real news here.

If it's a hardware issue with touch it just means that no software patch can actually fix it enough to not waste battery in future. And that there is a realistic chance that the issue gets worse when the devices get older.

[+] yreg|2 years ago|reply
I can't imagine a hardware bug could manifest on the same date.
[+] meindnoch|2 years ago|reply
"Everybody having similar issues should report that directly to Apple by using the Feedback link."

Ahahahahahahaha. This must be satire!

[+] dagmx|2 years ago|reply
I believe it may be the ghost touch issue like others mention, but with the addition that watchOS 10.3 dropped a week or two prior to these reports.

Possible it tried to do something about the ghost touch and made it worse in a subset of devices.

That feels more likely than a bunch of random people all being targeted with no other commonality like region or status

[+] nocsi|2 years ago|reply
There’s a feature to use your iPhone to do keyboard input on an Apple Watch. Could it be that? Don’t tell me Apple left out some authentication. I know you can do something similar with text input when you’re on the same network as an Apple TV and someone’s inputting text. It’ll prompt on your iPhone to submit keyboard input.