By John P. Mello Jr.
Apple on Monday suspended its Group FaceTime application following reports that a bug in the software allowed callers to eavesdrop on the people they were calling. The flaw let a person making a FaceTime call listen through the phone of the person called before the call was accepted or rejected. It also allowed access to the front-facing camera in an iPhone, both 9 to 5 Mac and BuzzFeed reported.
After making a FaceTime call from an iPhone X to an iPhone 8, a user could hear audio from the iPhone 8 before any action was taken on the call, BuzzFeed explained. Then, when the volume down button was pressed, video streaming from the front-facing camera could be seen on the iPhone X, even though the call on the iPhone 8 hadn’t been acted upon.
A user could activate video functionality from a called phone by pressing the power button from the lock screen, 9 to 5 Mac reported. The eavesdropping bug didn’t seem to work on phones in “Do Not Disturb” mode, BuzzFeed noted.
Although Apple acted quickly once news of the bug went viral, the flaw is a grave one.
“The bug is serious, but thankfully Apple was in a position to mitigate it by forcing the feature to be inoperable on their server-side end,” said Will Strafach, president of theSudo Security Group, an iOS security company in Greenwich, Connecticut.
“I don’t see a long-term impact, since Apple has now disabled the functionality and is quickly pushing an update,” he told TechNewsWorld, “but I am sure this will be joked about for some time, similar to the ‘goto fail’ bug a few years ago.”What makes the bug so serious is that it allows any user to be spied on without their knowledge, said Mike Murray, chief security officer for Lookout, a San Francisco maker of mobile security products. “All software has bugs and every company makes mistakes. What impacts a company’s reputation in the long term is their ability to respond to these issues,” he told TechNewsWorld. “Apple has already published an initial mitigation and rumors have a patch being released in short order,” Murray continued. “This is what should be expected from a company that takes user privacy and security seriously.”
Sky Not Falling
Not everyone is wringing their hands over the “fly on the wall” bug.
“According to the rest of the world, the sky is falling right now,” observed Tyler Reguly, manager of security R&D at Portland, Oregon-based Tripwire, a cybersecurity threat detection and prevention company.
“This FaceTime bug is the most critical defect we’ve ever encountered if social media is to be believed. I’m not sure I buy into that,” he told TechNewsWorld.
“Is this bug a really stupid mistake and evidence that maybe Apple doesn’t put as much thought into features as they should? Definitely,” Reguly continued.
“As a colleague put it, ‘How do you design a communication protocol such that it allowed communication before the connection is established?” he wondered.
“There is no doubt that Apple has some egg on their face over this one,” Reguly said. “The simple fact is that stupid bugs exist everywhere because code is written by people, and people make mistakes and bad choices. It would be nice if we lived in an infallible society, but we don’t.”
Twitter is also where questions about Apple’s responsiveness to bug reports have been raised.
“It has been alleged that this bug was reported days ago,” Sudo’s Strafach explained.
“My hope is that this will be a teachable moment on how their bug report triage processes can be improved in order to get reports to the right people more quickly,” he said.
“I believe this bug serves as a reminder that mobile phones may be powerful tools these days, but they are created by humans who can make mistakes sometimes,” Strafach added. “I think a lot of people already understand that, but incidents such as this bug serve as a visceral reminder which can be easily understood.”
While access to Group FaceTime has been suspended, Lookout’s Murray still recommends disabling the application until Apple provides a more permanent fix to the problem.
“More important than this single issue is to remember that the phone in our pocket is a powerful computer with access to all of your private life, and it should be protected like it,” he cautioned.
“Many mobile malware families have the ability to listen in through the microphone, just like this Apple bug,” Murray added. “A vulnerability like this reminds us how easily phones can be used to steal personal information. The malware authors and nation-state attackers already know that.”
The FaceTime bug illustrates that even the most diligent companies can falter from time to time, noted George Gerchow, CSO of Redwood City, California-based Sumo Logic, an analytics company focusing on security, operations and business information.