Tuesday, January 29, 2019 [Tweets] [Favorites]

Major FaceTime Privacy Bug

MGT7:

My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport...waiting to hear back to provide details. Scary stuff!

Benjamin Mayo (Hacker News, MacRumors):

The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call. Apple says the issue will be addressed in a software update “later this week”.

Naturally, this poses a pretty big privacy problem as you can essentially listen in on any iOS user, although it still rings like normal, so you can’t be 100% covert about it. Nevertheless, there is no indication on the recipient’s side that you could hear any of their audio.

Dieter Bohn:

The bug requires you have an OS that supports Group FaceTime to work, of course.

What’s more, if one of these “fake” conference calls is happening, if the recipient hits the power or volume button to ignore the call, it not only broadcasts audio to your phone but video as well.

Brian Tong:

This didn’t age well...Three weeks later.👿🍎

Federico Viticci:

This is one of the worst Apple bugs I’ve ever seen.

Please be aware of this and consider disabling FaceTime everywhere (including iPad and Mac) until a fix is out. I disabled mine everywhere.

Perhaps not as bad as the two in High Sierra, but it’s bad.

Wil Shipley:

The FaceTime vulnerability is def. bad but keep in mind you have a record of anyone who tries it on you and when they did so like it’s not a GREAT way to spy on people. (AFAIK you can’t #-spoof FaceTime.)

Marco Arment:

I don’t know how it’s implemented, but possible server-side fixes:

- disabling adding oneself to a group FaceTime
- disabling group FaceTime
- disabling FaceTime

Waiting for a client-side fix is too costly: spying en masse, or people disabling FaceTime and never re-enabling it.

Chance Miller:

Following the exposure of a major FaceTime security hole earlier today, Apple has now taken Group FaceTime completely offline.

Juli Clover:

Hopefully we’re getting more explanation than just a simple fix. How is it even possible for someone to access my camera/mic sans connection/permission? Exactly how long has this been going on?

Josh Centers:

Even after a lot of improvements, Group FaceTime was a hot mess. It works okay with just three people, but the more people you add, the more of a mess it is.

The worst part is the floating face tiles, which make even me, a seasoned FPS player, motion sick. Everyone on the test calls was getting motion sick.

Previously: Group FaceTime Delayed.

Update (2019-01-29): Joe Rossignol:

Once the bug started making headlines on Monday, the Twitter user then shared additional tweets claiming that they had also emailed Apple’s product security team over a week ago. A screenshot of the email was shared, and it appears the team did respond, but what they said is not visible in the screenshot.

The user acknowledges having wanted to receive a monetary reward under Apple’s bug bounty program, but she claims she still proceeded to alert Apple to the bug by phone, fax, and with an official bug report nonetheless. She also wanted to keep the bug private, but she did tweet Fox News about it.

All in all, there is evidence that Apple Support was tagged about an eavesdropping bug eight days before it made headlines, and if the rest of the tweets are truthful, the company was also alerted about the bug via several other avenues.

James Thompson:

I wonder, when they switch on the servers again, if they can block group calls based on OS version number? Otherwise people who don’t update will still be unprotected…

Put it this way, if it’s not part of the protocol already, maybe do that in the future :)

Rich Mogull:

The FaceTime vulnerability was bad. It was quickly blocked. You don’t need to turn FaceTime off. We should all wait to see what Apple says next about how they handled the initial bug report before rushing to judgement

Then judge away, but at least wait a few days for info.

Jeff Rogers:

I would still turn it off so you can wait for feedback and evaluate when it’s ready to be turned back on, rather than letting Apple decide when to turn yours back on.

Josh Centers:

I questioned this in editing and apparently some people have replicated the exploit even after Apple disabled Group FaceTime.

Update (2019-01-31): Bruce Schneier:

This is definitely an embarrassment, and Apple was right to disable Group FaceTime until it’s fixed. But it’s hard to imagine how an adversary can operationalize this in any useful way.

Lloyd Chambers:

You can’t keep making all this stuff up—no one would believe you.

Thomas Reed:

The bug relied entirely on a feature of iOS 12.1 and macOS 10.14.1 called Group FaceTime. If you are using an older version of iOS or macOS, you have nothing to fear.

[…]

There will be some who cite this as a reason to delay installing system updates. They will say that you should wait and let others work out the bugs. However, this is questionable advice. If you stay on an old version of iOS or macOS, you are using a system that has known security issues. That’s a far riskier proposition than updating to a newer version of the system where there aren’t (yet) any known security issues. From a security perspective, you should always install updates in a timely fashion.

In a way, it’s a shame that Apple is now adding big features in point updates throughout the year. This means that it’s not always possible to update in order to get one bug fix without also getting a new feature that potentially adds additional bugs.

John H. Meyer:

Here is a video, recorded & sent to Apple by a 14 yr old & his mom, on JAN 23rd, alerting them to the dangerous #FaceTime bug, that has threatened the privacy of millions.

Ryan Jones:

She demo’ed the entire bug for Apple on Jan 23rd → aka she wasn’t demanding money first.

John H. Meyer:

A quote from the mother of the 14 yr old who discovered the FaceTime bug on 1/19/19…

John H. Meyer:

Here is the mom’s official bug report to Apple. Note that the mom self-describes as “not at all techy” and was baffled that Apple Support asked her, an average citizen, to sign up for an Apple developer account to then submit an official bug report, in order to be taken seriously

josh avant:

Apparently the person who discovered the FaceTime bug was literally told by Apple to ‘File A Radar’ (they’re not devs). Everyone jokes about ‘File A Radar’ but, honestly, Apple’s approach to this is annoyingly tone deaf and needs to be improved already.

Dan Masters:

This perfectly sums Apple up.

And even after she did file it, it was marked as duplicate.

See also: Chris Welch (Hacker New).

Meek Geek:

Reproduced the FaceTime privacy hole with a friend.

Went home hours later to find my iPad burning hot. The bug turned on the iPad screen, even though a Smart Cover was over it, perpetually showing the incoming FaceTime call overlay with video from the front camera.

Michael Love:

Actually, now that we know that Facebook pulled this in response to Apple revoking their certificate last night, the timing on Apple’s part does seem at least a little bit suspicious. (awfully “convenient”, at any rate)

it’s amazing that for once, Apple had an enormous embarrassing privacy bug and FB could take some cover from press

less than 24 hours later….back to the latest Facebook thing

If Apple a) knew about this bug for a few weeks, b) has been scrambling to fix it, c) didn’t want to disable Group FaceTime in the meantime because that would reveal it, but d) feared getting caught anyway, it would be logical to have a distraction like this FB story ready to go.

It would also explain their failure to respond to the woman filing all of those desperate bug reports - they knew about the bug already, but if they’d written back to her it would have instantly blown up into a major story, and they thought they might get a fix in under the wire.

Is there another explanation for the bug being a duplicate besides Apple already knowing about the issue? Why didn’t Apple disable Group FaceTime as soon as they learned of the issue, rather than after it hit the press? Wouldn’t it be much worse for someone to exploit it than for people to wonder why (only Group) FaceTime was down for a while? Waiting to disable Group FaceTime makes it look as though Apple was hoping to silently fix the bug without anyone knowing about it. But I don’t really understand that because I thought they are supposed to disclose all security bugs, anyway.

See also: Facebook Pays Teens to Install VPN That Spies on Them.

Update (2019-02-01): Joe Rossignol:

Apple issued the following statement to MacRumors today in which it apologized for a major FaceTime eavesdropping bug:

We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.

We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.

This is a bit strange. It implies that the bug was only on the servers, but that is hard to believe given what we know about it and that a client software update will be needed. Earlier this week, Apple said that the bug would be fixed this week, but now the update is not coming until next week. Is Apple claiming it’s a server bug in order to not miss its self-imposed deadline?

The second paragraph at first sounds like Apple acted quickly, but it’s actually a roundabout way of saying that it took a long time for the bug to get routed to the proper team.

John Gruber:

Good on Apple for thanking the Thompson family, and for acknowledging that something is wrong with their process for escalating critical bugs reported by regular customers.

Joe Rossignol:

For absolute clarity, we’ve since confirmed that this means Group FaceTime will remain permanently disabled on iOS 12.1 through iOS 12.1.3. To access Group FaceTime, users will need to update their iPhone, iPad, or iPod touch to a software update coming next week that is likely to be iOS 12.1.4.

Peter Cao:

While we originally reported on the bug, a 14-year-old actually discovered it nearly a week beforehand. High school freshman, Grant Thompson, said in an interview with MarketWatch, that he was surprised that “this glitch happened in the first place” and shared “I found it by accident.”

Update (2019-02-04): Benjamin Mayo:

CNBC reports that an unnamed “high-level Apple executive” met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.

[…]

Apple’s bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways for iPhone apps to escape the security sandbox of iOS. Monetary rewards are not given out to any random individual who happens to find a bug in Apple software.

Update (2019-02-07): Juli Clover:

The U.S. Committee on Energy & Commerce is now seeking answers from Apple over the Group FaceTime flaw that allowed people to eavesdrop on conversations.

Juli Clover:

Apple is today releasing an updated version of iOS 12.1.4, which is designed to address a major FaceTime bug that was widely publicized last Monday.

Juli Clover:

Apple today released a new version of macOS 10.14.3, which is designed to address a major Group FaceTime bug affecting both iOS and macOS.

See also Natalie Silvanovich:

Using this setup, I was able to fuzz FaceTime calls and reproduce the crashes. I reported three bugs in FaceTime based on this work. All these issues have been fixed in recent updates.

Update (2019-02-11): Nick Heer:

The way this bug presented itself caused me to think that video and microphone data was being transmitted from the device before the recipient answered the call. Apple’s phrasing in the “Impact” section here means that I misinterpreted how this bug behaved.

Reuters (Hacker News):

The technology giant said it would compensate the Thompson family and make an additional gift toward 14-year-old Grant’s education.

Joe Rossignol:

The Wall Street Journal today shared a few details about Morris, noting he is a 27-year-old software engineer who reported the bug to Apple on January 27, several days after the Thompsons but one day before it made headlines. He apparently discovered the bug a week earlier while planning a group trip with friends.

Update (2019-02-13): See also: Accidental Tech Podcast.

Update (2019-02-18): MacRumors:

Unfortunately, Group FaceTime even under iOS 12.1.4 hasn’t quite been restored to its former functionality. A MacRumors forum thread started the day after 12.1.4's release revealed users who found themselves unable to add more users to a FaceTime call. As it turns out, it appears that users are no longer able to add a person to a one-on-one FaceTime call. The “Add Person” button remains greyed out and inactive in this situation. The only way to add another person to a Group FaceTime call at this time is to start the call with at least two other people. This slight distinction appears to be the source of confusion for many users.

MacRumors forum user Bob-K persisted in his support calls with Apple, and was finally told that the “Add Person” button not working in that situation was a known issue and that they didn’t know when it would be fixed.

5 Comments

So... another year, another tentpole feature delayed, only to have it implemented with significant issues. What’s the premium price for again?

(Incidentally — as I was typing this — I discovered that if a calendar notification happens at the same time as a Clock alarm, the calendar notification prevents the alarm from sounding? I need to be able to trust the basics...)

Who's going to be asked to write an apology letter this time?

"that something is wrong with their process for escalating critical bugs reported by regular customers."

Something? By regular customers?

Everything is wrong about the bug reporting procedures at Apple.

[…] Previously: Major FaceTime Privacy Bug. […]

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment