Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Says It Will Fix The FaceTime Bug That Allows You To Access Someone's iPhone Camera And Microphone Before They Pick Up (buzzfeednews.com)

Posted by msmash on from the up-next dept.

Apple said Friday morning that it had a fix for a bug discovered in Apple's video and audio chat service FaceTime this week, which had allowed callers to access the microphone and front-facing video camera of the person they were calling, even if that person hadn't picked up. The security issue is fixed on its servers, the company said, but the iPhone software update to re-enable the feature for users won't be rolled out until next week. From a report: "We have fixed the Group FaceTime security bug on Apple's servers and we will issue a software update to re-enable the feature for users next week," Apple said in an emailed statement to BuzzFeed News. "We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone's patience as we complete this process."

35 of 63 comments (clear)

  1. Thanks Apple! by 110010001000 · · Score: 2

    Thanks. It is nice to get these small issues fixed.

    -SuperKendall

  2. Is anyone really that supprised? by jellomizer · · Score: 4, Interesting

    Sure it is a big deal security lapse from Apple. So the received/found the problem, analysis the scope of it, stopped the service, sent out communication about the problem. Now they are applying a fix.

    It seems like a responsible course of action.

    I am sure people who hate Apple, because they were beaten up by a hipster a few years ago, will still fault Apple, and make them seem like a pile of idiots who cannot code themselves out of a paper bag. But these things happen, I am actually surprised it doesn't happen more often.

    I am sure all you programmers out there who are smug that their code never got hacked. But is it really skill, or just being lucky, or your program isn't just that popular enough. It can often just be a bad day where your code has a security flaw in it, and coded so it would be difficult for the QC to find it. However within weeks of it being public it was was found as a problem. I myself never had my coded hacked, however this isn't a reason to pat myself on the back, or be smug and judgemental, as I have fixed things in my own code that could had been bad if I didn't catch it. And I never know what else I may have open.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Is anyone really that supprised? by 110010001000 · · Score: 3, Insightful

      I'm not sure how you make a program that accesses the camera and microphone before you click the "answer" button. That is pretty basic stuff.

    2. Re:Is anyone really that supprised? by Solandri · · Score: 2
      Agreed that there's nothing surprising about this. I'm not sure what else submitter expected. "Apple announces it will not fix Facetime bug"?

      I am sure people who hate Apple, because they were beaten up by a hipster a few years ago, will still fault Apple, and make them seem like a pile of idiots who cannot code themselves out of a paper bag.

      I can't speak for everyone. But I hate Apple because they take away your freedom of choice and expression, under the guise of trendiness and security.. In the early 1990s, companies tried to corral us into walled gardens for online access (GEnie, CompuServe, AOL; MSN was originally Microsoft's attempt). We fought hard to make the open Internet the standard for networked communication, where anyone could make any content they wanted available to anyone else in the world, without needing the approval from some corporate or government dweeb. It's painful to watch people naively give up those freedoms and willingly walk into walled gardens like iOS and Facebook because it's the cool thing to do and all their friends are doing it. (I'd include Google, except they at least try to make it easy to get your info in and out, like how you can use alternate stores to get Android apps, not just the Google Play store. So they're more like a garden with open borders.)

      Maybe if the Cold War hadn't ended, things like the Berlin Wall would have remained to serve as a metaphor. So people would be more cognizant of what you're really giving up when you choose to live in a walled garden.

    3. Re:Is anyone really that supprised? by chispito · · Score: 1

      I am sure all you programmers out there who are smug that their code never got hacked. But is it really skill, or just being lucky, or your program isn't just that popular enough.

      I have no opinion of what the bug says about Apple. But, just to clarify here, this was not a case of their product being "hacked." All that was required to exploit it was to dial somebody and, while ringing, add them to an existing group conversation (or something similar).

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    4. Re:Is anyone really that supprised? by chispito · · Score: 1

      Any other time when my phone in on my person, I'm going to know when somebody tries a face time call.

      You never put your phone on silent? Say, in an important meeting so you are uninterrupted? I mean, there are other times one might not want to be interrupted nor eavesdropped...

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    5. Re:Is anyone really that supprised? by bobbied · · Score: 1

      It may sound unrealistic, but no, I actually do not have my phone on my person most of the time during the business day. I generally set it to forward voice calls to my office phone and power it off. I don't like the distractions it presents.

      Also, the only time outside business hours when my phone could ring w/o me knowing it is when I'm asleep as it's on the night stand, on silent being charged. At all other times it's either set to ring, or if on silent it's in my pocket on vibrate.

      So, for me, it's not a significant security risk to have somebody listening for the 10 seconds it takes for a face time call to be redirected to voice mail. They won't hear anything but my snoring w/o my knowledge. Where that might be funny to some, it's hardly a risk to me.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    6. Re:Is anyone really that supprised? by Sponge+Bath · · Score: 1

      Buggy implementation of backdoors for governments.

    7. Re: Is anyone really that supprised? by cyber-vandal · · Score: 1

      The only alternative is a giant shady organisation monitoring everything you do online. Not at all Orwellian.

    8. Re:Is anyone really that supprised? by sjames · · Score: 1

      A responsible course of action would be to fix the bug by making the client wait for the called party to answer before making the microphone and camera hot no matter what the server says.

      Apple says they fixed this on the server. That is, the client still makes the mic hot before you answer, it's just that the server doesn't relay it. No app should transmit your microphone or camera without some affirmative action from you commanding or permitting it. Anything else is irresponsible.

    9. Re:Is anyone really that supprised? by sjames · · Score: 3, Interesting

      Congratulations, you are a small minority who couldn't be affected significantly by the bug. Now is the time for you to use your imagination and recognize that you are a small minority in that regard.

    10. Re:Is anyone really that supprised? by sjames · · Score: 1

      Mod parent up!

    11. Re:Is anyone really that supprised? by bobbied · · Score: 1

      And what then? You expect to be blackmailed or fired for filling a toilet?

      LOL..

      Personally, this is much ado about nothing.. The calls would be logged on your device and be limited to about 20 seconds max... However, if one thinks it's a huge risk, then I would ask if you think it's wise to carry a cell phone at all? IF this kind of recording represents a serious security problem for your personal or professional life, you might want to turn off the cell phone and keep it locked in a faraday cage when doing such sensitive things.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    12. Re:Is anyone really that supprised? by sjames · · Score: 1

      Personally, I don't own an iDevice, so no facetime. But I do have enough imagination to realize that there are people besides me in the world and their circumstances may be different.

  3. Re:On The Servers... by LynnwoodRooster · · Score: 1

    You're under the false impression that the user owns the phone; the actual owner (Apple) can choose to do with it as it wants, including letting their servers decide when your sensors are active.

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  4. QC needs some help by Anonymous Coward · · Score: 1

    You know it's bad when a 14 year old with no coding experience discovers a major security flaw bug a multi billion dollar tech company couldn't find, emails it to Apple tech support, then nothing happens for a week till it's headline news. People aren't going to keep buying into this North Korean business model if the prices continue to rise faster than hardware quality and the redeeming quality of security is reduced to being seen as far less secure.

  5. Re:On The Servers... by bobbied · · Score: 2

    Well, the application already has permission to activate the camera and microphone, otherwise the "server" wouldn't have the ability to cause them to be activated.

    So this isn't the fault of the phone or the server. Nor is it the fault of Apple's security model. It's the fault of the face time app. The face time app should never enable the microphone or camera until the user answers the call, regardless of what the server does.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  6. Re:Buzzfeed as a source on /. by Oswald+McWeany · · Score: 1

    Oh, how the mighty have fallen.

    I don't know... I get most of my tech news from websites built on the readership of angry vegan teenage lesbians.

    --
    "That's the way to do it" - Punch
  7. Owning the hardware by sjbe · · Score: 3, Insightful

    You're under the false impression that the user owns the phone; the actual owner (Apple) can choose to do with it as it wants, including letting their servers decide when your sensors are active.

    They do own the phone. The hardware is theirs and Apple cannot get it back. The SERVICES and software the phone uses are not owned by the user. They license or subscribe to those and whatever terms come with them. Yes, these are necessary for the device to be useful but that is a separate discussion from who owns the hardware. This is yet another example of why Apple is a software company, not a hardware company. The hardware is just the pretty box through which they sell their software and services.

  8. Do they collect? by bogaboga · · Score: 2

    "We thank the Thompson family for reporting the bug.

    From all the billions [of dollars] in profit Apple makes, I wonder whether this family will collect. Anyone know?

    That mere "thank you" message from Apple is anemic in my opinion.

    1. Re:Do they collect? by avandesande · · Score: 1

      Collect what? They would have to prove harm in a lawsuit.

      --
      love is just extroverted narcissism
    2. Re:Do they collect? by bogaboga · · Score: 2

      Collect what? They would have to prove harm in a lawsuit.

      Collect a reward in form of cold hard cash.

      Apple can surely afford this with zero palpable hit to their bottom line. No need for a lawsuit.

      I also think it'd be good publicity if they did pay up something, no?

    3. Re:Do they collect? by Gilgaron · · Score: 2

      Maybe a Bug Bounty, if you give out money for non-policy/predefined reasons the choosy beggars are going to come out of the woodwork.

  9. It's not a bug by JoeyRox · · Score: 4, Funny

    It's a predictive video and audio caching algorithm. iOS 13 is rumored to add a feature that will pre-shatter your screen when the accelerometer detects the phone is falling.

  10. What do they want, a cookie? by spiritplumber · · Score: 1

    I don't like to play entitled, but this sort of bug is the sort of bug that you stay up all night to fix immediately.

    --
    Liberty - Security - Laziness - Pick any two.
    1. Re:What do they want, a cookie? by dgatwood · · Score: 1

      No, we did fine without group FaceTime for years. This is the sort of bug where there right thing to do is shut it down (as they did) and not turn it back on until they’re certain that they have it right. If that takes a week, fine. If that takes a year, also fine. You do not screw around with these sorts of things.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  11. Re: The KGB Exploit: Donald TRUMP by drinkypoo · · Score: 1

    Both candidates knew the rules of the games before they played, so fair is fair and like it or not,Trump won fairly.

    What? No he didn't. Even if Trump didn't know about it (which is unlikely, but let's posit) his campaign definitely colluded with Russia to manipulate the election illegally. There's nothing fair about that.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. Re:On The Servers... by dgatwood · · Score: 1

    So this isn't the fault of the phone or the server. Nor is it the fault of Apple's security model. It's the fault of the face time app. The face time app should never enable the microphone or camera until the user answers the call, regardless of what the server does.

    Chances are that this is something silly, like incorrectly assuming that a group connection request is a new person being added by someone in the group already, who therefore should be connected immediately, while failing to check if the group is actually connected yet.

    Still, this makes me seriously question whether Apple’s aggressive push to hire so many junior employees straight out of college is having a major negative impact on their code quality. After all, this required two different teams to write code that fails to check state properly. The client should have refused to connect the stream before the call was established, and the server should have refused to ask for one. Two *different* teams at Apple failed to care enough about customer privacy to make sure that FaceTime couldn’t become a tool for spying on users.

    This doesn’t point to a minor problem, but rather, suggests a fairly fundamental problem in the protocol (the server not knowing the state of the connection). Of course, there’s no way to know for sure, because Apple never published the FaceTime communication protocol like they said they were going to. Odds are, this flaw would have been prevented had they put security above their proprietary nature and published it as an open specification during the product development cycle. And this, boys and girls, is why proprietary protocols are bad.

    Either way, this is one seriously bad mistake that could only happen if a *lot* of employees were *all* grossly negligent about security and failed to understand basic threat modeling. So this sounds to me like a major systemic problem that needs to be fixed from the top down with real leadership. Mr. Cook, it’s time to step up.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  13. DO NOT USE by sjames · · Score: 1

    The report on the "fix" reveals a fundamental design flaw. They say they fixed the issue ON THE SERVER.

    That means the CLIENT on the phone is expected by design to start sending audio and video as soon as a call comes in (before you answer).

    If it was anything like properly designed, the client would never under any circumstances transmit from the mic or the camera unless and until the called party chooses to answer.

    1. Re:DO NOT USE by sjames · · Score: 1

      The transfer would still be the server telling a client device to make the mike and camera hot. In that case, the client should more or less park the call until the user affirmatively presses a button in the app ON the receiving client device before it makes mike and camera hot. End of story. There should be no way for the server to make the mic hot for any reason.

      Further, the bug demonstrated was a bit different. I call you, then I add someone else to the call and your mike goes hot even if you don't answer. That is not me transferring the call.

      TL;DR: if they "fixed" it on the server, they didn't fix it at all, they just papered over it.

    2. Re:DO NOT USE by bill_mcgonigle · · Score: 1

      Important point - thanks.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  14. Really? by DontBeAMoran · · Score: 1

    So a patch for iOS7 for my iPhone 4 will be available soon?

    --
    #DeleteFacebook
  15. Re: On The Servers... by gnc20 · · Score: 1

    is it really skill, or just being lucky, or your program isn't just that popular enough. It can often just be a bad day where your code has a security flaw in it https://audacity.onl/ https://findmyiphone.onl/ https://origin.onl/

  16. Re:On The Servers... by bobbied · · Score: 1

    As complex as these applications are and with as many hands involved in development of them, I find it encouraging that they have so few serious bugs..

    Where I get that such things shouldn't make it into prime time, the reality is that any large complex development project with as many moving parts as this application has, it's *really* hard to always catch all these things. Hiring inexperienced engineers may be an issue, but even hiring developers with 30 years of development experience in untra-secure environments doesn't fix the problems either. Sometimes, stuff happens, folks make mistakes, nobody thinks of the unique set of events or development of new features isn't fully integrated into the application's design in security. Humans make mistakes.

    I'm not giving Apple a pass, I'm just saying they are obviously reacting correctly and you can bet they will revisit their security testing processes to find and correct the process that lets this mistake into the production article.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  17. Re:On The Servers... by dgatwood · · Score: 1

    As complex as these applications are and with as many hands involved in development of them, I find it encouraging that they have so few serious bugs.

    I don't. I find it suspicious. When something this serious and easily discoverable (not by hackers, but by end users) makes it out into a released product, I assume that it is just the tip of the iceberg. How many more serious security problems just haven't been discovered yet? And how many of them have been found and are being secretly exploited by groups who don't have any motivation to disclose them?

    The first rule of secure programming is to assume that the client is hostile and is trying to access resources that they are not authorized to access. I can't even begin to imagine how something like this could possibly get into production, because it should have been stopped at least three times, and arguably four:

    • The calling client should not have activated the button that lets you turn a call into a group until the call is connected. Instead, the client activated that button long before it made any sense to do so. This is a sign of sloppy UI design that didn't get adequate vetting, both by programmers and by UI designers. Dozens of people had to miss this one, and it was literally staring them right in the face. Good UI uses button state to tell the user what can be done at a given point in time, and this app obviously didn't do that properly (if at all).
    • The server should have rejected the request to add a connection to a group when the connection was not yet established. Instead, the server deferred all responsibility for security to the client (very, very bad). This complete lack of state tracking on the server side implies server programmers who lack adequate training in writing secure software. This one is unconscionable.
    • The receiving client should not have allowed data to pass from the camera or microphone to the encoder until the user accepted the call. This strongly suggests that the client is also being absurdly non-stateful. A "waiting for user confirmation" state is not the same as the "waiting for server confirmation" state, and the only way you could combine those two would be to keep no state at all, and blindly trust the server. This one is also unconscionable.
    • It should really not even be possible for the server to turn on the encoder. That is a fundamental design flaw. The client should start sending data to the server when an outgoing connection opens, and the server should discard it until it has someone to send the data to. With that much simpler design, turning the camera and microphone on remotely would be impossible.

    Those are three very different bugs at three very different levels of the system — a client UI design bug, a client state machine design bug, and a server failing to check state properly before passing on a request from a hostile client to another client. This wasn't just a failure to think about the edge cases. Rather, this should only be possible if you almost completely fail to design the app or the server at all. And that's the best case scenario. There might be even deeper design flaws, like using the same message to trigger two different client behaviors. We can't know for sure, because the protocol is unpublished.

    IMO, there are really only two ways to explain such a comedy of errors: either the programmers who designed this were too inexperienced to be trusted to design a protocol by themselves or the product was rushed to market, resulting in inadequate time for proper design and testing. And the fact that group FaceTime support was almost two months late further supports that assertion. Either way, the root cause is bad management, and the problem needs to be fixed from the top down (read "by replacing people from the top down").

    Well, no, actually there is a third possible explanation. Given the history of various spy agencies attempting to inject remote monitor

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.