One week ago, Apple finally stopped selling the Apple Watch Series 3 in its online stores. Recent buyers, however, are not getting any security updates.
The product’s continued availability was puzzling given that Apple revealed in early June that the Apple Watch Series 3 would not support watchOS 9. Following that revelation nine months ago, Apple continued promoting and selling new Series 3 units for three months. Then on September 7, Apple quietly discontinued selling new Series 3 units while adding the Series 8 to its online stores. But then, for six additional months, Apple continued to sell refurbished Series 3 units.
Apple has released precisely zero security updates for the Series 3 since July 2022—the last watchOS 8 security update before watchOS 9’s release in September. On the surface, that might not seem too concerning. But taking a closer look, what Apple has done is a dangerous step backward for consumer safety.
Apple knowingly sold a product that is no longer getting security updates for eight straight months after its last security update. Moreover, Apple has knowingly left it vulnerable to at least two “actively exploited” (zero-day, in the wild) vulnerabilities for the past seven months while continuing to sell it to customers.
Let that sink in for a moment.
Lest there be any confusion, let’s break this down to make it clear what Apple has done, and what Apple can do to (at least partially) redeem itself.
By all appearances, Apple has completely stopped releasing security updates for the Series 3. However, Apple could change this at any time.
Apple Watch Series 3 is the only model that cannot be upgraded from watchOS 8 to watchOS 9. Apple quietly revealed on June 6, 2022, during its Worldwide Developers Conference (WWDC) event, that the Series 3 would not be compatible with its upcoming watchOS 9. Apple nevertheless continued to promote and sell new Series 3 units for another three months, and then proceeded to sell refurbished units for an additional six months.
Not a single security update has been released for watchOS 8 or the Series 3 since July 2022 — not even to address two “actively exploited” vulnerabilities that Apple patched for macOS, iOS, and iPadOS in August, and later patched for watchOS 9.0 in September. Apple continued to sell the known-vulnerable Series 3 for seven months in the refurbished section of its online retail stores after the August patch cycle when the company neglected to patch the two actively exploited security vulnerabilities for it.
Specifically, the two actively exploited bugs are CVE-2022-32893 (a WebKit vulnerability) and CVE-2022-32894 (a kernel vulnerability). Both were patched for macOS Monterey 12.5.1 and for iOS 15.6.1 and iPadOS 15.6.1, on August 17, 2022—the same day Apple released watchOS 8.7.1 which addressed zero “published CVE entries,” according to Apple. While Apple could have chosen to patch these urgently for watchOS 8.7.1 as well, Apple instead withheld these updates and only patched them later for watchOS 9. Thus, Apple knowingly left all Apple Watch users vulnerable for nearly a month until watchOS 9.0 was released, and Apple has left Apple Watch Series 3 users perpetually vulnerable to these two major, actively exploited vulnerabilities.
We have reached out to Apple numerous times over the course of several months, asking whether watchOS 8 will ever get security updates. Apple has continually ignored our requests for comment on this issue.
Update: Apple patched a single watchOS 8 vulnerability on June 21, 2023, with watchOS 8.8.1. This decision is mystifying, as Apple continues to leave watchOS 8 vulnerable to past actively exploited vulnerabilities, and dozens of other vulnerabilities that remain unpatched.
Apple does not have a publicly stated policy about how long any given hardware products will continue to receive security updates.
Similarly, Apple does not have a publicly stated policy about how long any given watchOS version will continue to receive security updates. Apple only notes that, for macOS, “not all known security issues are addressed in previous versions,” although Apple does back-port some security patches to the two previous macOS versions. Meanwhile, Apple released some minimal patches as recently as January 2023 for iOS and iPadOS 15 and even iOS 12, four months after iOS and iPadOS 16 were released. But Apple has not made policy statements about its other operating systems, including watchOS.
Given Apple’s lack of published statements about its security update policies for Apple Watch and watchOS, we can only look back at what Apple has done in the past to try to surmise what Apple might be likely to do in the future.
In 2022, Apple dropped support for only one model with the release of watchOS 9: the Apple Watch Series 3. After watchOS 9’s release, Apple continued selling the Series 3 for six additional months without any security updates.
In 2021, Apple did not drop support for any Apple Watch hardware with the release of watchOS 8.
However, in September 2020, Apple dropped support for the Apple Watch Series 1 and Series 2 with the release of watchOS 7. Apple released two additional security updates for watchOS 6, specifically to address vulnerabilities for the Series 1 and 2: in November, watchOS 6.2.9 addressed two “in the wild” vulnerabilities, and in December, watchOS 6.3 addressed a vulnerability that wasn’t reported to have been actively exploited. Beyond those three months of overlap, Apple did not release any further security updates for Series 1 or 2. Apple appears to have sold the Series 2 refurbished until about November 2018, so it got about two years of security updates after Apple stopped selling it.
In 2019, Apple did not drop support for any Apple Watch hardware with the release of watchOS 6. However, support for Series 1 and 2 was delayed until one month after watchOS 6’s initial September release; Apple released one watchOS 5 security update in the interim period.
In 2018, Apple dropped support for the original Apple Watch (sometimes unofficially called “Series 0”) with the release of watchOS 5. Apple did not release any further security updates for watchOS 4 for the original Apple Watch after watchOS 5’s release. Apple stopped selling the original model concurrent with the release of the Series 1 and Series 2 in September 2016, so the “Series 0” got about two years of security updates after Apple stopped selling it. It appears as though Apple did not sell refurbished units of the original model; the earliest refurbished Apple Watches we could find were Series 1 and 2, starting in December 2016.
Apple finally stopped selling refurbished Series 3 units in its UK store just one week ago, on or around Sunday, March 12.
Days later, around Thursday, March 16, Apple finally removed the “Series 3” category from the refurbished section of its U.S. store. The category had been grayed out and not clickable since sometime between February 23 and March 6. Since then, Apple has not sold any models of refurbished watches in its online U.S. store.
As of Sunday, March 19, the oldest refurbished Watch model that Apple sells online is the SE (1st generation), which debuted in 2020. Refurbished units of this model are currently only available in the UK, Ireland, and China stores. The “SE” category remains visible, but grayed out and not clickable, in the U.S., Australia, New Zealand, and Japan stores. Update: As of April 7, all stores appear to have stopped selling the SE (1st generation); only the SE (2nd generation), which debuted alongside the Series 8, is currently available in all seven of these stores. The Series 7, first sold in 2021, is now the oldest model that Apple is selling in its online stores.
The Australia and New Zealand stores also list “Series 6” as a grayed-out category; neither store is currently selling 2020’s flagship model, however. Update: Sometime between March 19 and March 26, Apple removed the grayed-out Series 6 category from the New Zealand Store. As of April 7, the Australia store also no longer displays a Series 6 category.
Apple does not currently have a section for refurbished Apple Watches in any of its other region-specific online Apple Stores besides the seven mentioned above.
Of course, Apple is not the only seller of Apple Watches. The Apple Watch Series 3 is still being sold at a wide variety of online and local retail stores, including major retailers like Amazon, Walmart, QVC, Groupon, and some Target locations. The defunct Apple Watch model is also prominently featured in eBay’s Daily Deals; eBay has nearly 100 separate listings for certified “eBay Refurbished” Series 3 watches, with each listing containing hundreds of units.
Although it’s unconscionable for Apple to have continued selling a product with known actively exploited vulnerabilities for seven months, Apple still has the opportunity to redeem itself somewhat.
Apple could, at any time, decide to release security updates for watchOS 8, at minimum to patch the two actively exploited vulnerabilities that were patched in watchOS 9. A single security update would literally be the least Apple could do to try to make amends with customers who bought an Apple Watch Series 3 between June 2022 (when Apple quietly revealed that Series 3 would not get watchOS 9—but continued promoting and selling brand new Series 3 units in its online stores for three more months) and March 2023 (when Apple finally stopped selling refurbished units).
We hope that by publishing this report and raising awareness of Apple’s actions, Apple will seek to make amends with recent purchasers of Apple Watch Series 3. Apple should, at minimum, issue one more watchOS 8 security update to at least address the two aforementioned actively exploited vulnerabilities. Ideally, Apple would continue to release additional watchOS 8 security updates for some period of time after that—again, at minimum to address any future actively exploited vulnerabilities for some period of time.
If Apple chooses not to release any further security updates, it’s unclear whether the company could face lawsuits or other legal challenges from customers who recently bought an Apple Watch Series 3. Even if Apple might be violating any consumer protection laws, at least in spirit, it might be difficult to make a strong case against Apple in court. A plaintiff cannot say with certainty that Apple has actually stopped releasing security updates, and it would be difficult to demonstrate that the lack of updates has caused them actual harm.
One would hope that Apple will do the right thing without being legally compelled to either do so or face consequences. Apple’s choice to continue selling a discontinued product for several months—one with vulnerabilities that are known to have been actively exploited in the wild, no less—is not something that anyone should take lightly. It isn’t clear how exactly Apple ended up in this situation, but it’s clear that Apple needs to resolve it amicably.
As we’ve recommended before, Apple should ideally follow a model similar to Google and Microsoft, pre-announcing exactly how long its products will get security updates, so consumers won’t be left to speculate or get caught off guard.
When it comes to buying consumer electronics—perhaps especially Apple products—from a security perspective it’s best to buy the newest model, rather than an older model that’s on sale. For any Apple product, it’s safest to buy it shortly after a new model is released; this will help maximize the amount of time you’ll be able to get security updates for it (however long that might be).
As soon as you get a new product, check for updates and install them right away. Then check for updates manually on a regular basis; Apple sometimes waits several weeks before notifying customers when a critical security update becomes available.
When it comes to computers and Android phones, antivirus software can help identify malware and maliciously crafted files that may try to exploit known vulnerabilities. As for iPhones and iPads, Apple removed all iOS antivirus apps from the App Store in 2015. However, Intego’s antivirus software for macOS can scan for malware on an attached iPhone, iPad, or iPod touch. Intego also offers antivirus software for Windows. There has never been any antivirus software for watchOS; Apple bans it from the App Store, the same as for iOS and iPadOS.
In previous articles, we’ve discussed Apple’s planned obsolescence in the context of its new-for-2022 operating systems including watchOS, and about Apple’s poor patching policies with regard to macOS and iOS updates.
We discussed the end-of-sale of the refurbished Apple Watch Series 3 on episode 283 of the Intego Mac Podcast.