January 31, 2019
News site 9to5Mac reported that Apple’s FaceTime app, which places audio/video calls over the Internet, had a significant bug: an iPhone user could call another iPhone user and eavesdrop on that person’s conversation through the phone’s microphone — even if the call recipient did not answer the call. The bug was actually discovered a full week before Apple disabled Group FaceTime and stated that it was working to fix it. In that gap, a developer discovered the bug, which was then reported by 9to5Mac. Security researchers have dubbed the glitch FacePalm.
The New York Times reports that, “on Monday night, Apple said it had disabled Group FaceTime, the feature that was causing the glitch.” The glitch is especially embarrassing for Apple, which “has long positioned itself as a protector of user privacy offering more secure devices than its rivals.” It also comes as Apple “is set to report disappointing financial earnings.”
Apple has stated that it has already “identified a fix that will be released in a software update later this week.” Meanwhile, officials, including New York governor Andrew Cuomo, “urged FaceTime users to temporarily disable the app.”
Elsewhere, NYT describes how the glitch was actually reported a week earlier by 14-year-old Grant Thompson, whose mother reported it to Apple. But the company didn’t act until a developer discovered the bug, which was then reported by 9to5Mac, a series of events that raised concerns “about the company’s commitment to security.”
Security researchers suggest that, “Apple’s security team should have known better.” “If these kinds of bugs are slipping through, you have to wonder if there are other problematic bugs that other hackers are exploiting that should have been caught,” said Digita Security co-founder Patrick Wardle, whose company focuses on Apple security. Although Apple stated it found a fix for the glitch, it “has not addressed how the flaw passed through quality assurance.”
NYT adds that, “there is a healthy market for bugs and the code to weaponize them, which allow governments, defense contractors and cybercriminals to invisibly spy on a person’s device without their knowledge.” The FaceTime flaw was thus likely worth millions of dollars to brokers, who would sell it for more money to “governments, and intelligence and law enforcement agencies around the world.”
Some brokers will sell to buyers on the dark web, with the caveat that “hackers must promise never to disclose the flaw to the vendor for patching, so that buyers can keep their access.” The value of Apple glitches has skyrocketed, with broker Zerodium now offering $2 million for an Apple iOS bug.
To compete, in 2016, Apple said it would “start paying rewards as high as $200,000 to hackers who responsibly turned over crucial flaws in its products.” Hackers, however, can “make multiples of that bounty on the black market.”