Apple Watch variants running on older WatchOS versions have been flagged by the government of India for having multiple vulnerabilities. The vulnerabilities have been given a high severity rating by the Computer Emergency Response Team (CERT-In), and can allow attackers to run arbitrary code and bypass security restrictions on any targeted Apple Watch running WatchOS 8.6 or older.
The government has sent out a public service announcement advising Apple Watch users to update to the latest WatchOS version, 8.7. The vulnerability flagged by CERT-In has also been listed on the Apple support website. In a vulnerability note, CERT-In has said that Apple Watch models running on an older version of WatchOS are affected by multiple vulnerabilities. The agency has said that the vulnerabilities could allow an attacker to execute arbitrary code and bypass Apple’s security restrictions on targeted smartwatches.
One of the flaws is an authorisation issue in a component called AppleAVD. CERT-In has also mentioned other reasons for these vulnerabilities to exist in Apple Watch models, which include “type confusion in Multi-touch component, Multiple out-of-bounds write and memory corruption in GPU Drivers component, out-of-bound read in Kernel component, and memory initialisation in libxml2 component.” According to the CERT-In notification, a remote attacker could exploit these vulnerabilities by sending a specially crafted request to the target device.
Apple has also acknowledged the vulnerability and has posted about it on its support website. The note says that successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code and bypass the security on Apple Watches running on a WatchOS version that is older than WatchOS 8.7.