A Bug in FaceTime Allows One To Access Someone's iPhone Camera And Microphone Before They Answered the Call; Apple Temporarily Disables Group FaceTime Feature (thenextweb.com)

← Back to Stories (view on slashdot.org)

A Bug in FaceTime Allows One To Access Someone's iPhone Camera And Microphone Before They Answered the Call; Apple Temporarily Disables Group FaceTime Feature (thenextweb.com)

Posted by msmash on Monday January 28, 2019 @05:29PM from the happy-data-privacy-day-to-you,-too dept.

Social media sites lit up today with anxious Apple users after a strange glitch in iPhone's FaceTime app became apparent. The issue: It turns out that an iPhone user can call another iPhone user and listen in on -- and access live video feed of -- that person's conversations through the device's microphone and camera -- even if the recipient does not answer the call. In a statement, Apple said it was aware of the bug and was working to release a fix later this week. In the meanwhile, the company has disabled Group calling functionality on FaceTime app. From a report: The issue was so serious that Twitter CEO Jack Dorsey, and even Andrew Cuomo, governor of the state of New York, weighed in and urged their followers to disable FaceTime. [...] That's bad news for a company that's been vocal about privacy and customer data protection lately. The timing couldn't be worse, given that Apple is set to host its earnings call for the October-December quarter of 2018 in just a matter of hours.

44 of 88 comments (clear)

Min score:

Reason:

Sort:

How did this happen? by bobbutts · 2019-01-28 17:46 · Score: 1

How does a "bug" like this make it to a supposedly stable app?
1. Re:How did this happen? by Anonymous Coward · 2019-01-28 17:51 · Score: 1
  
  Now you understand why phones built like this will never be secure.
2. Re:How did this happen? by ellbee · 2019-01-28 17:52 · Score: 5, Funny
  
  The public release wasn't supposed to be compiled with CIA_FBI_NSA=TRUE
  
  --
  You can't fight in here - this is the war room!
3. Re:How did this happen? by Anonymous Coward · 2019-01-28 19:05 · Score: 1
  
  How does a "bug" like this make it to a supposedly stable app?
  because it is apparently time for Apple to punch the faces of their customers even more? ApplePunch FaceTime!
4. Re:How did this happen? by Anonymous Coward · 2019-01-28 19:29 · Score: 5, Interesting
  
  Likely the app makes all the video and audio connections first, then rings the person if all the connections were successful. This way as soon as you answer you'll get the feeds instead of having to wait a few seconds for all the data to be sent. It sounds like a reasonable design choice, if you ignore the security and data billing concerns, which apparently they did. What a great way to waste someone's data. Constantly call them on FaceTime when you know they won't answer. I bet Apple has made more of these "UX above all else" decisions.
  I'm now glad I keep my cameras covered. I don't know why phone cases don't include a manual shutter, even if it's just a silicone flap.
5. Re: How did this happen? by cyber-vandal · 2019-01-28 19:49 · Score: 3, Insightful
  
  What is your bug-free development methodology?
6. Re:How did this happen? by michelcolman · 2019-01-28 20:15 · Score: 1
  
  How exactly does the bug work? The article just says that someone can listen in on another FaceTime user even if that user does not pick up, and it has something to do with group calling. Is there some specific sequence of actions that triggers this? Can it happen accidentally, or do you intentionally have to do some kind of trick?
7. Re:How did this happen? by Anonymous Coward · 2019-01-28 20:23 · Score: 4, Informative
  
  As I understand it, it works like this: You call someone you want to snoop on. Then, when they don't answer, you make it a group call by saying "add member" and then add yourself. (Why are you allowed to do this? I don't know.) At this point it switches to "group" mode and now the other person is suddenly in the group call, transmitting video and audio, without ever having picked up. Presumably it would also work if you added someone else to make it a group call, but the demo I saw just added themselves.
  As for how it happened, Apple missed releasing the "group FaceTime" feature when iOS 12 launched and had to delay it. Apparently they didn't delay it enough - I'm assuming they were rushing to fix whatever was holding it back, and they missed that you could force people into group calls. (I'm also unclear on if you can spy on even more people by adding them all to your new group call.)
8. Re:How did this happen? by k2r · 2019-01-28 21:31 · Score: 1
  
  Why do you write this as an anonymous coward?
  This is the first coherent, non tinfoil hat comment I read on it.
9. Re: How did this happen? by Anonymous Coward · 2019-01-28 22:38 · Score: 1
  
  Nothing is perfect, but having a QA process involving more than zero people over longer than zero hours is a great place to start.
10. Re: How did this happen? by c6gunner · 2019-01-28 22:53 · Score: 4, Informative
  
  It sucks but it could be worse - you could have an Android phone that will never get any security fixes.
  Err. This is an application. You understand that applications and the OS are two different things, right?
11. Re: How did this happen? by K.+S.+Kyosuke · 2019-01-28 23:11 · Score: 1
  
  You mean "crawltime"?
  
  --
  Ezekiel 23:20
12. Re:How did this happen? by nightcats · 2019-01-28 23:11 · Score: 1
  
  Preoccupation with The Face: what if these apps were called something different, like Brainbook and Heart-time? What if they were designed to explore what is deeper than appearance, mere image? Would they have a different ethos, a different cultural focus, a different user base and therefore a more sensitive development model? But okay, words mean little anymore, I suppose it's a silly question in this culture.
  
  --
  Development is programmable; Discovery is not programmable. (Fuller)
13. Re:How did this happen? by retchdog · 2019-01-28 23:45 · Score: 1
  
  "I don't know why phone cases don't include a manual shutter, even if it's just a silicone flap."
  Because people would forget about it and then get annoyed with the case. Like you said, it's a UX decision.
  
  --
  "They were pure niggers." – Noam Chomsky
14. Re:How did this happen? by mentil · 2019-01-28 23:49 · Score: 2
  
  Because both revolve around photos from digital cameras. They could've called it 'T&A Time/Book' but that'd be too on-the-nose.
  
  --
  Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
15. Re:How did this happen? by complete+loony · 2019-01-29 00:11 · Score: 2
  
  I made a mistake a bit like this once. So to reduce latency I started recording audio before answering, and only start sending data when the user answers. I figured the best way to make sure all the code you need is loaded into ram, is to try and use it. But of course on this cheap device there's a 2KB hardware buffer you can't seem to avoid. So the person on the other end hears about 120ms of audio from before you hit the button.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
16. Re:How did this happen? by AHuxley · 2019-01-29 00:29 · Score: 1
  
  A bit of NSA, some PRISM.
  Some voice prints?
  Its a feature for some.
  
  --
  Domestic spying is now "Benign Information Gathering"
17. Re:How did this happen? by 110010001000 · 2019-01-29 00:39 · Score: 2
  
  They are Agile.
18. Re: How did this happen? by pgmrdlm · 2019-01-29 01:53 · Score: 1
  
  lie much? I have always received security patches.
  
  --
  Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
19. Re:How did this happen? by WankerWeasel · 2019-01-29 05:56 · Score: 1
  
  The data usage in doing such is minimal. If you're worried about the couple KB of data that could potentially be wasted in the initiation of a video call, you shouldn't be using video calling in the first place.
20. Re:How did this happen? by thomst · 2019-01-29 06:05 · Score: 1
  
  nightcats speculated:
  
  Preoccupation with The Face: what if these apps were called something different, like Brainbook and Heart-time? What if they were designed to explore what is deeper than appearance, mere image? Would they have a different ethos, a different cultural focus, a different user base and therefore a more sensitive development model? But okay, words mean little anymore, I suppose it's a silly question in this culture.
  First of all, words do have meaning - in fact, many of them have multiple meanings. (When there's more than one definition for a term, in the sense which it is used is typically obvious from the context in which it appears - but I digress.)
  Apple appropriated the compound term "face time," eliminated the space between the two words, and used it as the name of its video calling app. The original term, however, significantly predates social media. Dictionary.com gives three, somewhat related definitions of "face time." Other online dictionaries list the same three definitions/senses, although some of them order those definitions differently, which is important only because the convention is that definitions are listed in order of the frequency with which they occur in everyday use. (The Urban Dictionary lists several additional slang definitions, most of which are variations on the use of "face time" as a euphemism for oral sex.)
  Before Apple turned it into an app name, "face time" was most often used to mean face-to-face contact, as opposed to voice calls, emails, or other means of communication, and, used in that sense, it traces back to 1990 or thereabouts. (Merriam-Webster traces "face time" used in the sense of celebrities "appearing in front of the media or on television" to 1978, but that usage was basically confined to the entertainment industry and its associated publications.) Apple's useage is an attempt to equate video calling with face-to-face conversation for millenials and grandparents.
  Facebook derived its name from the "facebooks" of campus fraternities and sororities, which are a kind of cross between a yearbook and a membership roster for participants in fratority life. (It's kind of ironic that the social media company is so aggressive about throwing cease-and-desist orders at commercial uses of the words "face" or "book" by other online sites, when the fact is that Zuckerberg appropriated a widely-used campus slang term for his own company's name - but I don't think that guy is capable of appreciating, or even understanding irony.)
  What you're bemoaning is the narcissism and self-involvement of smartphone-and-social-media users (the ranks of which are not exclusively confined to milennials, although they do make up its largest sub-demographic). I think it's a legitimate concern, but what I take issue with is your assumption that these face-plus-whatever compound terms derive from a focus on the individual self that is somehow reflective of a cultural sea change.
  I don't think it is. I think people have always been self-absorbed, going all the way back to Lucy. Every creative person I've ever met certainly is (to be an artist, you pretty much have to be a narcissist, because your choice of profession is predicated on the bedrock assumption that the works you produce are compelling enough to persuade people to pay you for them). Social media and smartphones have simply enabled and legitimized that fundamental human predisposition - and, unfortunately, helicopter parenting has validated it for the millennial generation.
  We're human. The tendency towards excessive self-involvement is baked into our genes. Learning to resist it isn't easy for any of us - and it's especially hard for kids whose parents insisted on bubble-wrapping them, while assuring them all the while that the smell of their feces is as fresh as a summer ham ...
  
  --
  Check out my novel.
21. Re: How did this happen? by lgw · 2019-01-29 06:59 · Score: 1
  
  That is not a QA process. QA is a profession, with skills and mindset all its own.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
22. Re: How did this happen? by cyber-vandal · 2019-01-29 07:10 · Score: 1
  
  Android has way more exploits than iOS in the wild due to the wholly inadequate update system. Open source software in general has had its fair share of bugs too.
23. Re:How did this happen? by antdude · 2019-01-29 13:11 · Score: 1
  
  What about mic(rophone)s? :(
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
24. Re:How did this happen? by ayesnymous · 2019-01-29 20:32 · Score: 1
  
  How will the DevOps proponents explain this?
25. Re: How did this happen? by bill_mcgonigle · 2019-01-30 05:48 · Score: 2
  
  IFF Facetime were a TNO platform, it would be fairly straightforward to ensure that all data that traverses from point A to point B in the software is encrypted. If it's not encrypted, nothing hits the network event loop, and unit tests make sure of it.
  Facetime, of course, isn't TNO, it's "Trust Apple". They manage your keys, not you, and they are to be trusted with closed-source to not screw that up. There's no regularized enforcement of sensitive data always being encrypted (obviously).
  A "paranoid" e2e-encryption programming pattern actually does help to improve development so these particular types of errors can be avoided. But to get them, Apple would have to give up some control, and users would have to take some responsibility.
  That isn't Apple's market, so these slip-ups are to be expected occasionally.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
typo by astrofurter · 2019-01-28 18:13 · Score: 3, Funny

There is a typo in the headline. It should read: "A Feature in FaceTime Allows One To Access Someone's iPhone Camera And Microphone"
1. Re:typo by Tsolias · 2019-01-28 23:35 · Score: 1
  
  "A Feature in iOS Allows One To Access Someone's iPhone Camera And Microphone and record everything"
  ftfy.
  Facetime devs did nothing wrong. They used this feature(it's not a bug) to improve their normie user experience.
2. Re:typo by Carewolf · 2019-01-29 01:23 · Score: 1
  
  There is a typo in the headline. It should read: "A Feature in FaceTime Allows One To Access Someone's iPhone Camera And Microphone"
  That is why smartphones should never be tolerated in the same room as anything confidential is discussed. Even if this wasn't a "flaw" in Apples own software, it could have been a "flaw" in any number of apps.
3. Re:typo by JaiWing · 2019-01-29 03:29 · Score: 1
  
  the manufacturer that makes a phone with a hardware switch between the physical camera and physical microphone will get my money.
Terrible link by Quato · 2019-01-28 18:16 · Score: 1

I remember when Slashdot had articles that were not clickbait articles with no content and screenshots of other sites. Can't they at least find a semi-respectable source.
Programmers that are trying to make things work by raymorris · 2019-01-28 18:23 · Score: 4, Insightful

Programmers who are accustomed to desktop applications, where there is one user, are in the habit of making things work. You click the button, it does the thing. Somebody calls someone else, they can see and hear each other.
Many of the "omg how stupid can you be?!" bugs are of the "make sure it does NOT work when it's not supposed to" variety. Once you connect an application to the internet, you have to think in terms of when things should NOT happen and test for that. Programmers who learned writing Windows desktop apps don't think in that frame of mind.
For decades one of the most popular sayings in programming was "garbage in, garbage out". That's no longer an acceptable way of thinking. That garbage that comes out, random bytes from RAM, can include your private key. Once your application is on the internet, it has to be "garbage is the default thing I'm expecting, and leads to DENIED out. Only if input exactly matches the specification will you get anything out". It's a different way of thinking.
1. Re:Programmers that are trying to make things work by Anonymous Coward · 2019-01-28 20:44 · Score: 1
  
  Programmers who are accustomed to desktop applications, where there is one user, are in the habit of making things work. You click the button, it does the thing. Somebody calls someone else, they can see and hear each other.
  I think it's more a time crunch to make it work than anything else. Remember, the group FaceTime feature was supposed to be one of the headlining features of iOS 12. It was supposed to be a big deal, showing how much better Apple technology is than Android, at least based on the Apple WWDC keynote. (No, I don't understand why anyone would want a group video call feature, or how this makes iOS better than Android when there are a thousand cross-platform apps that do group video already. But the Apple execs at the WWDC keynote sure seemed to think it did.)
  It was delayed for unspecified reasons and only showed up in 12.1. (Which is why this only affects phones running 12.1.) So presumably some edict came down from higher ups to just make the thing work because they missed their delivery date. Which means you're right, the mindset was presumably "make everything work" and not "ensure that things that shouldn't work don't work" but I'm not sure I'd call that a "desktop mentality." Writing negative tests is hard. It's easy to enumerate "things that should happen," it becomes harder to enumerate "things that shouldn't," because ultimately, things a program shouldn't do is sort of an infinite set.
2. Re:Programmers that are trying to make things work by Anonymous Coward · 2019-01-28 23:00 · Score: 2, Informative
  
  For decades one of the most popular sayings in programming was "garbage in, garbage out". That's no longer an acceptable way of thinking. That garbage that comes out, random bytes from RAM, can include your private key. Once your application is on the internet, it has to be "garbage is the default thing I'm expecting, and leads to DENIED out. Only if input exactly matches the specification will you get anything out". It's a different way of thinking.
  I think you are completely misunderstanding what "garbage in, garbage out" means. It never ever means "output random bytes from RAM". It means that if you mean to ask a program for the function of a perfectly valid input but accidentally give it a completely different but perfectly valid input, then the program responds with the function of the input you ACTUALLY gave it rather than the one you intended.
  What you're claiming (as opposed to what you're intending to claim) is that if I take a calculator and type in sqrt(82) it should display "DENIED" because the calculator should somehow just know that I had meant to type sqrt(28).
  It sounds like you are referring to the concept of "undefined behaviour", which is unrelated to GIGO.
3. Re:Programmers that are trying to make things work by spire3661 · 2019-01-29 03:21 · Score: 1
  
  You fundamentally misunderstand the phrase 'Garbage in, Garbage out'.
  
  "GIGO (garbage in, garbage out) is a concept common to computer science and mathematics: the quality of output is determined by the quality of the input."
  
  --
  Good-bye
4. Re:Programmers that are trying to make things work by DarkOx · 2019-01-29 03:50 · Score: 1
  
  GIGO - means nothing more and nothing less than that you can never expect valid output (with the possible exception variations on "ERROR Invalid entry" ) unless you have valid inputs.
  In the past on single user system or even on more restrictive shared systems there were lots of places where it was "acceptable" to just apply whatever algorithm your program does to the input and produce the outputs.. Were expected a an integer and someone sends the string 'A' well guess what that is still the bytes 65,00,?,? and that is still going to be 10905????? something as an integer. So you can still do math on that... The results are meaningless but so what..
  On connected shared systems that might be a problem if it messes up others data, where as before you were only the victim of your own carelessness. To that end YES if you are implementing an program that is network connected you DO have some additional responsibility to perhaps not behave unpredictably even with invalid inputs or invalid combinations of inputs. You need to send that Error or do nothing as appropriate.
  So the GP isn't fully wrong here.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
I CANNOT believe this shit happened! by Anonymous Coward · 2019-01-28 20:03 · Score: 1

Get Federighi the fuck OUT! Whoever is in charge of software at Apple has got to fucking go! Their only competitive advantage against Google is the privacy angle, and then they pull some shit like this? Not to mention Swift is an unstable piece of shit that breaks your codebase every six months, and Xcode being trash doesn't even need to be said, that's a given. Oh, they're focusing on services now right, well, Apple Music is constantly buggy with regressions seemingly every update. Something is ROTTEN at Apple! Remove Cook if necessary. Save company before it's too late!
The time when Apple wrote better software by ReneR · 2019-01-28 22:00 · Score: 3, Insightful

is unfortunately long over: https://twitter.com/search?q=p... :-/ RIP
1. Re:The time when Apple wrote better software by CapS · 2019-01-29 06:20 · Score: 1
  
  The time when *any* company wrote better software is over. Seriously every day it seems like there is another security flaw. Facebook's flaw that allowed you full write access to anyone's profile, Google+ being complete shut down due to security flaws, the ton of Windows 10 issues all come to mind.
A Bug In Slashdot... by 6Yankee · 2019-01-29 02:25 · Score: 1, Funny

A Bug In Slashdot Allows Msmash To Write Ridiculous Overkill Headlines With This One Weird Trick And The Internet Is Losing Its Mind
Second Link?? by jgrimard · 2019-01-29 04:02 · Score: 1

Whats up with your second link???
All iPhones national security hazards. by Mal-2 · 2019-01-29 04:36 · Score: 2

It doesn't really matter if it gets patched in FaceTime. If Apple can do it in one app, deliberately or not, then someone can do it with a crafted app. It has to be assumed that anyone with an iPhone can potentially be listened to and watched at any time. Those involved in handling information of a sensitive nature need to act accordingly.
Note, this is not to say other types of phones aren't exploitable in exactly the same way. That also needs to be checked out before just switching everyone over to something else.

--
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
1. Re:All iPhones national security hazards. by min9000 · 2019-01-29 06:56 · Score: 1
  
  The issue was so serious that Twitter CEO Jack Dorsey, and even Andrew Cuomo, governor of the state of New York, weighed in and urged their followers to disable FaceTime. [...] That's bad news for a company that's been vocal about privacy and customer data protection lately. The timing couldn't be worse, given that Apple is set to host its earnings call for the October-December quarter of 2018 in just a matter of hours. https://notepad.software/ https://downloader.vip/malware... https://filezilla.software/
Old fashioned switches by edi_guy · 2019-01-29 05:45 · Score: 2

People would make fun of the fact that in Star Trek TOS they had all these toggle switches, had to insert data cards, etc. Then in TNG it was all screen displays and touch panels. Buu recall multiple times in TNG the crew got locked out of the ships computer, warp coils would go crazy, and so forth. They had to crawl through Jeffries Tubes to find a junction, but again the hatch seals were all touchpad controlled. It was madness. But if you were on TOS, just flip a switch and the circuit was cut, no problem.
Phones will eventually get a physical switch to turn stuff like cameras, microphones, GPS off. Just like you can turn off your alerts. Won't happen immediately, and design aficionados will resist. But there will be some big reveal in the future about how these things are mis-used and the switches will start appearing.