Apple Squashes FaceTime Eavesdropping Bug

By John P. Mello Jr.

Apple on Monday suspended its Group FaceTime application following reports that a bug in the software allowed callers to eavesdrop on the people they were calling. The flaw let a person making a FaceTime call listen through the phone of the person called before the call was accepted or rejected. It also allowed access to the front-facing camera in an iPhone, both 9 to 5 Mac and BuzzFeed reported.

After making a FaceTime call from an iPhone X to an iPhone 8, a user could hear audio from the iPhone 8 before any action was taken on the call, BuzzFeed explained. Then, when the volume down button was pressed, video streaming from the front-facing camera could be seen on the iPhone X, even though the call on the iPhone 8 hadn’t been acted upon.

A user could activate video functionality from a called phone by pressing the power button from the lock screen, 9 to 5 Mac reported. The eavesdropping bug didn’t seem to work on phones in “Do Not Disturb” mode, BuzzFeed noted.

Serious Issue

Although Apple acted quickly once news of the bug went viral, the flaw is a grave one.

“The bug is serious, but thankfully Apple was in a position to mitigate it by forcing the feature to be inoperable on their server-side end,” said Will Strafach, president of the Sudo Security Group, an iOS security company in Greenwich, Connecticut.

“I don’t see a long-term impact, since Apple has now disabled the functionality and is quickly pushing an update,” he told TechNewsWorld, “but I am sure this will be joked about for some time, similar to the ‘goto fail’ bug a few years ago.”

What makes the bug so serious is that it allows any user to be spied on without their knowledge, said Mike Murray, chief security officer for Lookout, a San Francisco maker of mobile security products.

“All software has bugs and every company makes mistakes. What impacts a company’s reputation in the long term is their ability to respond to these issues,” he told TechNewsWorld.

“Apple has already published an initial mitigation and rumors have a patch being released in short order,” Murray continued. “This is what should be expected from a company that takes user privacy and security seriously.”

Sky Not Falling

Not everyone is wringing their hands over the “fly on the wall” bug.

“According to the rest of the world, the sky is falling right now,” observed Tyler Reguly, manager of security R&D at Portland, Oregon-based Tripwire, a cybersecurity threat detection and prevention company.

“This FaceTime bug is the most critical defect we’ve ever encountered if social media is to be believed. I’m not sure I buy into that,” he told TechNewsWorld.

“Is this bug a really stupid mistake and evidence that maybe Apple doesn’t put as much thought into features as they should? Definitely,” Reguly continued.

“As a colleague put it, ‘How do you design a communication protocol such that it allowed communication before the connection is established?’” he wondered.

“There is no doubt that Apple has some egg on their face over this one,” Reguly said. “The simple fact is that stupid bugs exist everywhere because code is written by people, and people make mistakes and bad choices. It would be nice if we lived in an infallible society, but we don’t.”

Delayed Reaction?

Twitter is also where questions about Apple’s responsiveness to bug reports have been raised.

“It has been alleged that this bug was reported days ago,” Sudo’s Strafach explained.

“My hope is that this will be a teachable moment on how their bug report triage processes can be improved in order to get reports to the right people more quickly,” he said.

“I believe this bug serves as a reminder that mobile phones may be powerful tools these days, but they are created by humans who can make mistakes sometimes,” Strafach added. “I think a lot of people already understand that, but incidents such as this bug serve as a visceral reminder which can be easily understood.”

Pocket Protection

While access to Group FaceTime has been suspended, Lookout’s Murray still recommends disabling the application until Apple provides a more permanent fix to the problem.

“More important than this single issue is to remember that the phone in our pocket is a powerful computer with access to all of your private life, and it should be protected like it,” he cautioned.

“Many mobile malware families have the ability to listen in through the microphone, just like this Apple bug,” Murray added. “A vulnerability like this reminds us how easily phones can be used to steal personal information. The malware authors and nation-state attackers already know that.”

The FaceTime bug illustrates that even the most diligent companies can falter from time to time, noted George Gerchow, CSO of Redwood City, California-based Sumo Logic, an analytics company focusing on security, operations and business information.
