Apple Watch models running watchOS versions older than 8.7 have been flagged by the government of India with multiple vulnerabilities. These vulnerabilities, which have been given a high severity rating, could allow attackers to run arbitrary code and bypass security restrictions on any targeted Apple Watch running watchOS 8.6 and older versions. As a solution, the government suggests the Apple Watch owners to apply necessary patches by updating to the latest available version — watchOS 8.7. Apple has also listed the vulnerability on its support website.
Indian Computer Emergency Response Team (CERT-in) said in a vulnerability note that the Apple Watch models running an older version of watchOS than 8.7 are affected by multiple vulnerabilities. The nodal agency for cybersecurity has given it a severity rating of high. According to CERT-in, the vulnerabilities could allow an attacker to execute arbitrary code and bypass Apple’s security restrictions on the targeted smartwatch.
The detected vulnerabilities exist due to a buffer overflow in AppleAVD component, an authorisation issue in AppleMobilityFileIntegrity component, out-of-bounds write in Audio, ICU, and WebKit component. CERT-in has also mentioned other reasons for these vulnerabilities to exist in Apple Watch models. These include, “type confusion in Multi-touch component, Multiple out-of-bounds write and memory corruption in GPU Drivers component, out-of-bounds read in Kernel component, and memory initialisation in libxml2 component.”
According to CERT-in vulnerability notification, a remote attacker could exploit the above-mentioned vulnerabilities by sending a specially-crafted request to the target device.
The vulnerability note also added that the successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code and bypass the security restriction on an Apple Watch running watchOS version older than 8.7. The government has asked Apple Watch users to apply appropriate patches that are included in the watchOS 8.7 update, according to the Apple Security Updates website.