Incident Of The Week: Group FaceTime Glitch Exposes Privacy Breach

According to The New York Times, on Jan. 19, a 14-year-old from Arizona discovered a glitch using FaceTime, Apple’s video chatting software — he could eavesdrop on his friend’s phone before his friend had even answered the call.

Fast forward a couple weeks and in a statement, an Apple spokesperson said the company is "aware of this issue and we have identified a fix that will be released in a software update later this week." Until the update is released, users are encouraged to go to their iPhone Settings and disable FaceTime to avoid anyone eavesdropping on conversations or surroundings.

The FaceTime problem has already been dubbed "FacePalm" by security researchers and according to 9to5mac.com (a news site for Apple fans), the bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call. This poses a big privacy problem as you can essentially listen in on any iOS user, and the second part is, it can expose video too.

9to5mac.com also outlined how the bug works:

• Start a FaceTime Video call with an iPhone contact.
• Whilst the call is dialing, swipe up from the bottom of the screen and tap Add Person.
• Add your own phone number in the Add Person screen.
• You will then start a group FaceTime call including yourself and the audio of the person you originally called, even if they haven’t accepted the call yet.
• It will look like in the UI like the other person has joined the group chat, but on their actual device it will still be ringing on the Lock screen.
• Additionally, if the person presses the Power button from the Lock screen, their video is also sent to the caller — unbeknownst to them.

"If these kinds of bugs are slipping through," Patrick Wardle, the co-founder of Digita Security, told the NYTimes, "you have to wonder if there are other problematic bugs, that other hackers are exploiting, that should have been caught."

The teenager’s mom Michele Thompson wrote in a letter, "My fear is that this flaw could be used for nefarious purposes. Although this certainly raises privacy and security issues for private individuals, there is the potential that this could impact national security if, for example, government members were to fall victim to this eavesdropping flaw," she said.

While, like many tech companies, Apple has a bug bounty program that offers financial rewards for discoveries such as this one, it’s not quite as lucrative as it is for hackers to hang onto this type of information. It’s also important to note that these programs may be obvious for individuals in the security industry, but maybe not so clear for consumers.

Therefor, Marten Mickos, CEO of HackerOne, told CNN that "it's important for companies and government agencies to have a public-facing way to report bugs."

"Even if millions of people find nothing to report, and thousands may report something that isn't really a bug, it still is worth it when just one person finds and can describe the bug," Mickos said.

So, what are the implications for a privacy breach such as this one? So far, a lawyer in Texas has filed a lawsuit against Apple over the FaceTime eavesdropping bug, saying it let someone record a sworn testimony. The lawyer says someone was able to listen in while he was undergoing a private deposition with a client. Regardless of whether or not the case holds up in court, it may just be the start to other allegations waiting to surface for Apple.

Further, Letitia James, the Attorney General of New York, announced on Wednesday afternoon that her office is opening an investigation into Apple’s FaceTime debacle.

In a press release, James wrote:

“New Yorkers shouldn’t have to choose between their private communications and their privacy rights. This FaceTime breach is a serious threat to the security and privacy of the millions of New Yorkers who have put their trust in Apple and its products over the years. My office will be conducting a thorough investigation into Apple’s response to the situation, and will evaluate the company’s actions in relation to the laws set forth by the State of New York. We must use every tool at our disposal to ensure that consumers are always protected.”

And while James is fighting to protect consumers’ privacy rights, when it comes to the enterprise, trying to find data on the size of Apple’s enterprise business is a challenge because it doesn’t often break out enterprise revenue in earnings calls, according to TechCrunch. However, Apple CEO Tim Cook did reveal a number in the Q4 2015 earnings call, which is disconcerting when it comes to privacy in the enterprise:

"We estimate that enterprise markets accounted for about $25 billion in annual Apple revenue in the last 12 months, up 40 percent over the prior year and they represent a major growth vector for the future," Cook said at the time.

Then, in a June 2017 Bloomberg interview, Cook still didn’t provide any numbers, but he did call the enterprise, "the mother of all opportunities," since enterprises tend to buy in bulk, and as they build an Apple support system in-house, it feeds other parts of the enterprise market as companies buy Macs to build custom apps for both internal users and consumers of their products and services.