It’s pretty easy to remove a Pixel Watch 2 and still keep phone unlock active
I doubt this is a very serious threat, but with the introduction recently (for me, last few months have been rough, December is recent when you’ve had major surgery), of the Pixel Watch 2 being able to keep your phone unlocked via Watch Unlock, it seemed like as good a time as any to try attacking it for vulnerabilities. As a note, I may be absurdly late to the game, this is just something I discovered playing around.
Basically with the Watch Unlock as long as the watch is on your wrist and you’ve enabled it, your phone can be unlocked by your watch. If your watch is removed from your wrist you will have to enter the code again.
But what if someone could take your watch and phone and keep it unlocked?
Trim your nails before trying this. Don’t ask me why. Defeating the on-body sensor portion of the Pixel Watch 2 and transferring it to another person without the lock triggering is as easy as sticking a finger or two under the watch body, so there’s skin contact and a pulse, and snapping the band off. As long as you’re holding the watch you can now take the phone and do whatever you want with it until the unlock expires.
I was able to successfully take the watch off of myself and place it on another arm with no problem as long as I kept my fingers on the back of the watch until it was perfectly in position.
The only people who would be particularly impacted by this I would suspect are the ones who don’t have reasonable security enabled on their payment platforms (Venmo, PayPal, etc…) and this requires an attacker to notice your Watch Unlock is active and work to exploit it by physically removing your watch and obtaining your phone.
Or the police deciding they wanted to claim the phone was unlocked and permission given. Either way it’s a security vulnerability you should be aware of, although I would say it’s a fairly unlikely one.
If you want to practice it – set watch unlock on, loosen the strap a bit unless you are doing this on someone else (where you can use your other hand to loosen the strap,) stick two fingers between the wrist and the watch face, pop the strap and you can hold it in your hand or attach to your arm / the other arm. The re-attachment I managed to lose watch unlock a couple of times and kept it a couple of others so if you’re really working on stealing someone’s phone I’d keep it on someone’s fingers.
If you’re wanting the convenience of Watch Unlock without the very slight risk of this happening, disable it when you’re out.
Once again, extremely unlikely attack scenario, but fun to practice.
