
Apple FacePalm: This story gets worse

Richi Jennings, Industry analyst and editor, RJAssociates

Apple FaceTime has a huge privacy bug. And it was a customer’s 14-year-old son who found it.

But it gets worse: Apple ignored the customer’s accurate, detailed security bug report for more than a week, then told the customer she can't report a bug unless she’s a developer.

Let’s just say this isn’t Apple’s best week for PR. In this week’s Security Blogwatch, we time how long it takes for your palm to reach your face.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: What happened on the roof of the Apple building…


Egg on Face Time, Tim

In case you’ve been living under a rock, here’s Benjamin Mayo to get us up to speed—Major iPhone FaceTime bug lets you hear the audio of the person you are calling:

A significant bug has been discovered in FaceTime. [It] lets you call anyone … and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call.

You can essentially listen in on any iOS user. … It is believed to affect any pair of iOS devices running iOS 12.1 or later. [I] have also replicated the problem with an iPhone calling a Mac.

The damage potential here is real.

Yeah, the damage to Apple’s reputation, you mean. But wait, it gets worse, as Nicole Perlroth explains—Apple Was Slow to Act on FaceTime Bug:

On Jan. 19, Grant Thompson, a 14-year-old in Arizona, made an unexpected discovery: … He could eavesdrop on his friend’s phone.

His mother, Michele Thompson, sent a video of the hack to Apple the next day, warning the company of a “major security flaw.” … When she didn’t hear from Apple Support, she exhausted every other avenue she could.

[A week later] Apple’s product security team encouraged Ms. Thompson, a lawyer, to set up a developer account to send a formal bug report. … A bug this easy to exploit is … every spy agency, cybercriminal and stalker’s dream.

The bug, and Apple’s slow response to patching it, have renewed concerns about the company’s commitment to security, even though it regularly … boasts about the safety of its products.

Wait, what? Chiel Stoertec—@ChielStoertec—had a similar reaction:

Ridiculous of Apple to ask a user to create a developer account in order to be able to submit a bug.

It clearly demonstrates how not … user friendly Apple is despite their endless ads to claim otherwise.

But bobtato cooks up a different spud: [You’re fired—Ed.]

That is not the part that seems like a problem to me. … What is troubling is the time they took.

They should have recognised the size of the problem the same day, and escalated it to someone with the authority and wherewithal to disable group calling as soon as they knew that would mitigate the problem. The only thing we actually know is that it took them 8 days, and that certainly sounds like a long time for this particular [workaround].

Ian Bogost thinks vulnerabilities like this are Eroding Trust in Tech:

A giant, wealthy tech company introduced a bad and seemingly careless bug in the core software of the most important kind of computer on Earth. [It] substantiates and mainstreams long-running paranoid fears about the inherent untrustworthiness of computer hardware.

You know those paranoiacs who told you to cover your laptop camera with tape so hackers couldn’t spy on you? They were right.

The origins of the bug may not matter, because paranoia is a jealous sentiment: The moment it even seems possible that some dark force is out to get you, those who would embrace and amplify that worry won’t let it go.

Given Apple’s billions of dollars in the bank and thousands of engineers, the public will lean hard on its promise of trust, which Tim Cook … has used to distinguish his company from competitors such as Google and Facebook.

Referencing the Vegas picture above, Sam McAllister—@SamMcAllister—puts it more simply:

This billboard has aged poorly.

So how could the bug have happened? This Anonymous Coward offers a theory:

Likely the app makes all the video and audio connections first, then rings the person if all the connections were successful. This way as soon as you answer you'll get the feeds instead of having to wait a few seconds for all the data to be sent.

It sounds like a reasonable design choice, if you ignore the security … concerns, which apparently they did.

Apple missed releasing the "group FaceTime" feature when iOS 12 launched and had to delay it. Apparently they didn't delay it enough - I'm assuming they were rushing to fix whatever was holding it back, and they missed that you could force people into group calls.
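A toy model of the ordering that comment describes, added here as an illustration (it is not Apple's code nor any published analysis of FaceTime; the session API, party names and the "forced group call" step are hypothetical). It contrasts "negotiate media for every connected party, then ring" with the hardened rule that a party's feed is only forwarded once that party has accepted.

```python
from enum import Enum, auto

class State(Enum):
    RINGING = auto()    # invited, not yet answered
    ACCEPTED = auto()

class Session:
    """Hypothetical call session (constructed for illustration).
    gate_media_on_accept=False: media is negotiated for every connected
    party whenever the session is (re)built, before the callee answers.
    gate_media_on_accept=True: a party's feed is forwarded only once it
    has accepted, so re-negotiation cannot expose an unanswered callee."""

    def __init__(self, caller, gate_media_on_accept):
        self.gate = gate_media_on_accept
        self.state = {caller: State.ACCEPTED}
        self.streaming = set()          # parties whose mic/camera are forwarded
        self._negotiate_media()

    def invite(self, callee):
        self.state[callee] = State.RINGING
        self._negotiate_media()         # connections first, then ring

    def add_participant(self, party):
        """Group call: adding a party re-negotiates media for everyone."""
        self.state[party] = State.ACCEPTED
        self._negotiate_media()

    def accept(self, party):
        self.state[party] = State.ACCEPTED
        self._negotiate_media()

    def _negotiate_media(self):
        for party, st in self.state.items():
            if self.gate and st is not State.ACCEPTED:
                continue                # hardened: unanswered party stays silent
            self.streaming.add(party)

def callee_audible_before_answer(gate):
    """True if the callee's feed is forwarded while the call is still ringing."""
    s = Session("caller", gate)
    s.invite("callee")
    s.add_participant("caller-2nd-device")  # the hypothetical 'forced group call' step
    return "callee" in s.streaming

def callee_audible_after_answer(gate):
    """True if the callee's feed is forwarded once the callee has accepted."""
    s = Session("caller", gate)
    s.invite("callee")
    s.accept("callee")
    return "callee" in s.streaming
```

The check a reviewer would want is the first function: with the gate off the callee is audible before answering, with it on the callee is silent until accept and audible afterwards.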

And this one sounds more disappointed than annoyed:

One week to analyze an easily reproducible bug for a multi-billion dollar company that requires 0 additional knowledge, skill, and software to duplicate? That's extremely sad.

At least most other bugs are those that a malicious person has to explicitly craft. This is a bug anyone can stumble in on.

Perhaps we should go easy on Apple? I mean, it must receive a ton of bogus bug reports. sgentle gently disagrees:

There's no apologising this away. The vulnerability was already a monumental ****-up, but this detail propels it into the realm of cultural dysfunction. It should not be possible to fail this badly.

If you put listening devices in people's pockets, you need to hold yourself to a higher standard than "I dunno, bug reporting is hard".

Aaand here come the lawsuits. Laurel Brubaker Calkins has Apple Gets Sued Over FaceTime Bug:

Apple Inc. was sued by a Houston lawyer who claims his iPhone inadvertently allowed an unknown person to eavesdrop on his private conversation with a client. … Attorney Larry Williams II said the glitch intrudes on the privacy of “one’s most intimate conversations without consent,” according to the complaint he filed in state court.

He said he was eavesdropped on while taking sworn testimony during a client deposition. Williams is seeking unspecified punitive damages on his claims of negligence, product liability, misrepresentation and warranty breach.

The case is Williams v Apple Inc., 2019-06645, 133 Judicial District Court, Harris County, Texas.

Meanwhile, the prosecution might like to read this, from throwawaymath:

I think the intrinsic failure here is that Apple is … fundamentally uninterested in vulnerabilities that don't represent … jailbreak vectors. … Every single process is systematically designed to encourage introspection on those vulnerabilities as a categorical imperative. Other types of vulnerabilities will be treated as second class citizens.

This is very clear … if you follow along with their bug bounty program. [It] is explicit - a userland privacy bug is not sufficient.

Apple does a lot of things right from a security perspective, but this really isn't one of them.

The moral of the story?

Ensure you act on security reports from civilians. How hard can it be?


And finally …

Why did the Fab Four play on Apple’s roof?

No, the other Apple, silly.

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image courtesy @SamMcAllister
