Yesterday news broke that a bug in FaceTime that allows callers to listen to the audio of the person they are calling before that person picks up. Today we learned that it was a high school student in Tucson, Arizona that discovered the bug. Grant Thompson discovered the bug while chatting with friends about the popular game Fortnite. He was simply calling friends when he discovered a bug that allowed him to force other iPhones to answer a FaceTime call, even if the other person doesn’t take any action.
At this time, Apple has shut down the back-end services that provide the vulnerable functions and has issued a statement saying that they expect to have fixed the issue by the end of this week. That said, as a precaution, we strongly recommend disabling FaceTime on iOS (iPad, iPhone, Apple Watch, etc) devices, as well as OSX (Apple laptops like the MacBook Air) until Apple confirms that the issue has been fully fixed.
Two things stand out about this bug to me: The widespread and deeply personal nature of it, and the way it highlights that it really does Take a Crowd to catch issues that make it into production, even with security teams as sophisticated as Apple’s.
On the personal side, I experienced this myself – Thankfully, the FaceTime flaw was never to be exploited by Real Bad Guys™ because of the lack of anonymity inherent in the attack, but I can see under-18 FaceTime users exploiting the vulnerability for fun, and bad things and potentially criminal things happening as a result. This could range from trolling, to bullying, to the kinds of things that could ultimately constitute a criminal act. As a father, my mind jumped straight into that threat mode. The managing the risks of younger generations growing up with the internet, cell phones, and social media is a universally vexing topic for parents– and vulnerabilities like this one add an extra layer of concern and complexity to the mix.
Extending on this, FaceTime calls are easily scripted and many kiosks and other static applications of iOS devices (think airports, for example) have FaceTime-enabled and active by default. The idea of sitting an and having the food-ordering kiosk (which is an iPad) watching as I eat is both a realizable risk and kind of creepy.
On the crowd side, this is an important reminder that no matter how seriously a company takes security, the software is inherently insecure. As long as humans write code there will be errors, and some of those errors will result in vulnerabilities like this one. A proactive approach to security testing and education continues to be imperative, and this reinforces why the backstop of the security researcher community (which INCLUDES 14-years olds like Grant Thompson stumbling across flaws by accident while playing Fortnite) is crucial as a backstop for when issues like this slip past the catcher.
My main concern now is that the fix for the issue is client-side, and clients won’t be updated and will remain vulnerable. The fact that Apple took the backend offline suggests they are working on a server-side fix that would resolve the issue for everyone, which would be a very good thing. Apple was clear that the root cause was complicated and would take time to fix, and in the meantime, they shut down the FaceTime group service — the culprit in the vulnerability itself — fairly quickly.
Apple’s approach to security is amazing, and my other dominant reaction to the news of the bug was sympathy for the excellent folks on the security team there — I imagine they haven’t had a lot of rest since the news hit.
To sum things up back where we started – A true fix for the issue hasn’t been confirmed yet and, while the risk is mitigated by the backend servers being taken offline, Bugcrowd recommends leaving Facetime off on your devices until a fix is confirmed.
You can protect yourself against by going to “Settings”, then “FaceTime”, then set the FaceTime slider to off on ALL Apple products. Don’t forget to protect your family and friends by having them do the same.
Stay safe out there!
