Security & Privacy

Apple stops selling Watch Series 3 — eight months after its last security update

Posted on by

One week ago, Apple finally stopped selling the Apple Watch Series 3 in its online stores. Recent buyers, however, are not getting any security updates.

The product’s continued availability was puzzling given that Apple revealed in early June that the Apple Watch Series 3 would not support watchOS 9. Following that revelation nine months ago, Apple continued promoting and selling new Series 3 units for three months. Then on September 7, Apple quietly discontinued selling new Series 3 units while adding the Series 8 to its online stores. But then, for six additional months, Apple continued to sell refurbished Series 3 units.

Apple has released precisely zero security updates for the Series 3 since July 2022—the last watchOS 8 security update before watchOS 9’s release in September. On the surface, that might not seem too concerning. But taking a closer look, what Apple has done is a dangerous step backward for consumer safety.

Apple knowingly sold a product that is no longer getting security updates for eight straight months after its last security update. Moreover, Apple has knowingly left it vulnerable to at least two “actively exploited” (zero-day, in the wild) vulnerabilities for the past seven months while continuing it sell it to customers.

Let that sink in for a moment.

Lest there be any confusion, let’s break this down to make it clear what Apple has done, and what Apple can do to (at least partially) redeem itself.

In this article:

Timeline of events

  • December 14, 2020 — The last time Apple released security updates for multiple watchOS versions simultaneously, to support older models (watchOS 7.2 for Series 3 & later; 6.3 for Series 1 & 2)
  • June 6, 2022 — At WWDC, Apple quietly reveals that Series 3 won’t get watchOS 9; Apple continues promoting & selling new Series 3 units in its online stores
  • June 14, 2022 — Intego warns that it’s unclear whether Series 3 (still being promoted & sold new) will get security updates
  • June 27, 2022 — AppleInsider warns not to buy Series 3 due to lack of watchOS 9 support (without mentioning security implications)
  • July 20, 2022 — Apple releases watchOS 8.7, which would turn out to be the final security update for Series 3
  • August 17, 2022 — Apple releases watchOS 8.7.1, the final (non-security) update for Series 3; neglects to patch two “actively exploited” vulnerabilities that were patched for macOS/iOS/iPadOS that day and were later patched in watchOS 9.0
  • September 7, 2022 — Apple adds Series 8 & removes Series 3 from main section of online store (while refurbished Series 3 remains available)
  • September 12, 2022 — Apple releases watchOS 9.0 (without disclosing security vulnerabilities); Intego notes that Apple did not release a corresponding watchOS 8 update & hasn’t announced whether Series 3 will continue to get security updates
  • October 24, 2022 — Apple releases watchOS 9.1, fixing vulnerabilities; Intego asks Apple why no security details for watchOS 9.0 were released & whether watchOS 8 will get security updates
  • October 27, 2022 — Apple finally discloses that watchOS 9.0 had fixed two “actively exploited” vulnerabilities (still no watchOS 8 update for Series 3)
  • December 13, 2022 — Apple releases watchOS 9.2, fixing vulnerabilities (still no watchOS 8 update)
  • December 14, 2022 — Intego asks Apple again whether watchOS 8 will get security updates, noting that Apple still sells Series 3 refurbished; Intego publicly warns that Series 3 has lacked security updates for 3 months
  • December 21, 2022 — MacRumors warns not to buy refurbished Series 3 (without mentioning security implications)
  • January 23, 2023 — Apple releases watchOS 9.3, fixing vulnerabilities (still no watchOS 8 update)
  • January 24, 2023 — Intego warns that refurbished Series 3 (still sold in online Apple Store) hasn’t gotten security updates for 5 months
  • January 27, 2023 — Intego asks Apple again about watchOS 8 security updates for Series 3, noting that 10+ year old iPhone & iPad models had just gotten a security update (iOS 12.5.7)
  • February 13, 2023 — Apple releases watchOS 9.3.1, fixing vulnerabilities (still no watchOS 8 update)
  • February 15, 2023 — Intego warns not to buy refurbished Series 3 (still sold in Apple’s U.S. online retail store) due to serious security implications
  • February 16, 2023 — Intego asks Apple again whether watchOS 8 will get security updates
  • circa late February 2023 — Sometime between Feb 23 & Mar 6, all refurbished watches (including Series 3) apparently go out of stock in Apple’s U.S. online retail store; all refurbs still unavailable as of Mar 19
  • circa March 12, 2023 — Apple finally stops selling refurbished Series 3 in its UK online retail store (the last holdout)
  • circa March 16, 2023 — Apple removes Series 3 category from refurbished section of its U.S. online retail store
  • March 18, 2023 — BusinessInsider warns not to buy Series 3; Intego asks Apple again whether watchOS 8 will get security updates
  • March 19, 2023 — Intego publishes this report
  • June 21, 2023 — Apple patches only a single vulnerability in watchOS 8.8.1; other vulnerabilities remain unpatched

Has Apple really ceased issuing security updates for the Series 3?

By all appearances, Apple has completely stopped releasing security updates for the Series 3. However, Apple could change this at any time.

Apple Watch Series 3 is the only model that cannot be upgraded from watchOS 8 to watchOS 9. Apple quietly revealed on June 6, 2022, during its Worldwide Developers Conference (WWDC) event, that the Series 3 would not be compatible with its upcoming watchOS 9. Apple nevertheless continued to promote and sell new Series 3 units for another three months, and then proceeded to sell refurbished units for an additional six months.

Not a single security update has been released for watchOS 8 or the Series 3 since July 2022 — not even to address two “actively exploited” vulnerabilities that Apple patched for macOS, iOS, and iPadOS in August, and later patched for watchOS 9.0 in September. Apple continued to sell the known-vulnerable Series 3 for seven months in the refurbished section of its online retail stores after the August patch cycle when the company neglected to patch the two actively exploited security vulnerabilities for it.

Specifically, the two actively exploited bugs are specifically CVE-2022-32893 (a WebKit vulnerability) and CVE-2022-32894 (a kernel vulnerability). Both were patched for macOS Monterey 12.5.1 and for iOS 15.6.1 and iPadOS 15.6.1, on August 17, 2022—the same day Apple released watchOS 8.7.1 which addressed zero “published CVE entries,” according to Apple. While Apple could have chosen to patch these urgently for watchOS 8.7.1 as well, Apple instead withheld these updates and only patched them later for watchOS 9. Thus, Apple knowingly left all Apple Watch users vulnerable for nearly a month until watchOS 9.0 was released, and Apple has left Apple Watch Series 3 users perpetually vulnerable to these two major, actively exploited vulnerabilities.

We have reached out to Apple numerous times over the course of several months, asking whether watchOS 8 will ever get security updates. Apple has continually ignored our requests for comment on this issue.

Update: Apple patched a single watchOS 8 vulnerability on June 21, 2023, with watchOS 8.8.1. This decision is mystifying, as Apple continues to leave watchOS 8 vulnerable to past actively exploited vulnerabilities, and dozens of others vulnerabilities that remain unpatched.

Does Apple issue security updates for multiple watchOS versions? How long does Apple release security updates for Watch models?

Apple does not have a publicly stated policy about how long any given hardware products will continue to receive security updates.

Similarly, Apple does not have a publicly stated policy about how long any given watchOS version will continue to receive security updates. Apple only notes that, for macOS, “not all known security issues are addressed in previous versions,” although Apple does back-port some security patches to the two previous macOS versions. Meanwhile, Apple released some minimal patches as recently as January 2023 for iOS and iPadOS 15 and even iOS 12, four months after iOS and iPadOS 16 were released. But Apple has not made policy statements about its other operating systems, including watchOS.

Given Apple’s lack of published statements about its security update policies for Apple Watch and watchOS, we can only look back at what Apple has done in the past to try to surmise what Apple might be likely to do in the future.

In 2022, Apple dropped support for only one model with the release of watchOS 9: the Apple Watch Series 3. After watchOS 9’s release, Apple continued selling the Series 3 for six additional months without any security updates.

In 2021, Apple did not drop support for any Apple Watch hardware with the release of watchOS 8.

However, in September 2020, Apple dropped support for the Apple Watch Series 1 and Series 2 with the release of watchOS 7. Apple released two additional security updates for watchOS 6, specifically to address vulnerabilities for the Series 1 and 2: in November, watchOS 6.2.9 addressed two “in the wild” vulnerabilities, and in December, watchOS 6.3 addressed a vulnerability that wasn’t reported to have been actively exploited. Beyond those three months of overlap, Apple did not release any further security updates or Series 1 or 2. Apple appears to have sold the Series 2 refurbished until about November 2018, so it got about two years of security updates after Apple stopped selling it.

In 2019, Apple did not drop support for any Apple Watch hardware with the release of watchOS 6. However, support for Series 1 and 2 was delayed until one month after watchOS 6’s initial September release; Apple released one watchOS 5 security update in the interim period.

In 2018, Apple dropped support for the original Apple Watch (sometimes unofficially called “Series 0”) with the release of watchOS 5. Apple did not release any further security updates for watchOS 4 for the original Apple Watch after watchOS 5’s release. Apple stopped selling the original model concurrent with the release of the Series 1 and Series 2 in September 2016, so the “Series 0” got about two years of security updates after Apple stopped selling it. It appears as though Apple did not sell refurbished units of the original model; the earliest refurbished Apple Watches we could find were Series 1 and 2, starting in December 2016.

The oldest Apple Watch models currently for sale

Apple finally stopped selling refurbished Series 3 units in its UK store just one week ago, on or around Sunday, March 12.

Days later, around Thursday, March 16, Apple finally removed the “Series 3” category from the refurbished section of its U.S. store. The category had been grayed out and not clickable since sometime between February 23 and March 6. Since then, Apple has not sold any models of refurbished watches in its online U.S. store.

As of Sunday, March 19, the oldest refurbished Watch model that Apple sells online is the SE (1st generation), which debuted in 2020. Refurbished units of this model are currently only available in the UK, Ireland, and China stores. The “SE” category remains visible, but grayed out and not clickable, in the U.S., Australia, New Zealand, and Japan stores. Update: As of April 7, all stores appear to have stopped selling the SE (1st generation); only the SE (2nd generation), which debuted alongside the Series 8, is currently available in all seven of these stores. The Series 7, first sold in 2021, is now the oldest model that Apple is selling in its online stores.

The Australia and New Zealand stores also list “Series 6” as a grayed-out category; neither store is currently selling 2020’s flagship model, however. Update: Sometime between March 19 and March 26, Apple removed the grayed-out Series 6 category from the New Zealand Store. As of April 7, the Australia store also no longer displays a Series 6 category.

Apple does not currently have a section for refurbished Apple Watches in any of its other region-specific online Apple Stores besides the seven mentioned above.

Of course, Apple is not the only seller of Apple Watches. The Apple Watch Series 3 is still being sold at a wide variety of online and local retail stores, including major retailers like Amazon, Walmart, QVC, Groupon, and some Target locations. The defunct Apple Watch model is also prominently featured in eBay’s Daily Deals; eBay has nearly 100 separate listings for certified “eBay Refurbished” Series 3 watches, with each listing containing hundreds of units.

Apple still has the opportunity to (somewhat) redeem itself

Although it’s unconscionable for Apple to have continued selling a product with known actively exploited vulnerabilities for seven months, Apple still has the opportunity to redeem itself somewhat.

Apple could, at any time, decide to release security updates for watchOS 8, at minimum to patch the two actively exploited vulnerabilities that were patched in watchOS 9. A single security update would literally be the least Apple could do to try to make amends with customers who bought an Apple Watch Series 3 between June 2022 (when Apple quietly revealed that Series 3 would not get watchOS 9—but continued promoting and selling brand new Series 3 units in its online stores for three more months) and March 2023 (when Apple finally stopped selling refurbished units).

We hope that by publishing this report and raising awareness of Apple’s actions, that Apple will seek to make amends with recent purchasers of Apple Watch Series 3. Apple should, at minimum, issue one more watchOS 8 security update to at least address the two aforementioned actively exploited vulnerabilities. Ideally, Apple would continue to release additional watchOS 8 security updates for some period of time after that—again, at minimum to address any future actively exploited vulnerabilities for some period of time.

Could Apple face legal challenges because of this?

If Apple chooses not to release any further security updates, it’s unclear whether the company could face lawsuits or other legal challenges from customers who recently bought an Apple Watch Series 3. Even if Apple might be violating any consumer protection laws, at least in spirit, it might be difficult to make a strong case against Apple in court. A plaintiff cannot say with certainty that Apple has actually stopped releasing security updates, and it would be difficult to demonstrate that the lack of updates has caused them actual harm.

One would hope that Apple will do the right thing without being legally compelled to either do so or face consequences. Apple’s choice to continue selling a discontinued product for several months—one with vulnerabilities that are known to have been actively exploited in the wild, no less—is not something that anyone should take lightly. It isn’t clear how exactly Apple ended up in this situation, but it’s clear that Apple needs to resolve it amicably.

As we’ve recommended before, Apple should ideally follow a model similar to Google and Microsoft, pre-announcing exactly how long its products will get security updates, so consumers won’t be left to speculate or get caught off guard.

What can consumers do to stay protected from vulnerabilities?

When it comes to buying consumer electronics—perhaps especially Apple products—from a security perspective it’s best to buy the newest model, rather than an older model that’s on sale. For any Apple product, it’s safest to buy it shortly after a new model is released; this will help maximize the amount of time you’ll be able to get security updates for it (however long that might be).

As soon as you get a new product, check for updates and install them right away. Then check for updates manually on a regular basis; Apple sometimes waits several weeks before notifying customers when a critical security update becomes available.

When it comes to computers and Android phones, antivirus software can help identify malware and maliciously crafted files that may try to exploit known vulnerabilities. As for iPhones and iPads, Apple removed all iOS antivirus apps from the App Store in 2015. However, Intego’s antivirus software for macOS can scan for malware on an attached iPhone, iPad, or iPod touch. Intego also offers antivirus software for Windows. There has never been any antivirus software for watchOS; Apple bans it from the App Store, the same as for iOS and iPadOS.

How can I learn more?

In previous articles, we’ve discussed Apple’s planned obsolescence in the context of its new-for-2022 operating systems including watchOS, and about Apple’s poor patching policies with regard to macOS and iOS updates.

We discussed the end-of-sale of the refurbished Apple Watch Series 3 on episode 283 of the Intego Mac Podcast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →