Apple fixes FaceTime eavesdropping bug, but other flaws may remain

Apple issued security updates for OS X and iOS yesterday. Have you downloaded and installed them?

Perhaps you should, because there are a number of serious vulnerabilities addressed that – if left unpatched – could leave your privacy and security in peril.

One of the flaws particularly caught my eye, because it’s easy to imagine how it could be abused by law enforcement and intelligence agencies to spy on targets without their knowledge.

The CVE-2016-4635 vulnerability could allow an unauthorised party to continue to listen in to a FaceTime call after the chatting parties believe it has concluded.

In other words, someone calls you. You think the call has finished. But in fact, without your knowledge, someone is continuing to listen in to you via your Mac or iPhone’s microphone.

Any vulnerability which suggests that iPhone and Mac users could be spied upon because of a security hole like this raises the spectre that it could be exploited not only by online criminals and fraudsters, but also by over-reaching governments.

And that’s something that Apple appears to feel very strongly about, attempting to distance itself from some of its competitors with its defiant stance against government overreach, as most recently demonstrated in its refusal to crack the San Bernardino iPhone.

Apple drily described the FaceTime vulnerability as follows in their security advisory issued yesterday:

FaceTime
Available for: OS X El Capitan v10.11 and later, iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated.

Description: User interface inconsistencies existed in the handling of relayed calls. These issues were addressed through improved FaceTime display logic.

More details of the nature of the flaw, which was announced as part of a security update which saw some 35 fixes for OS X El Capitan and over two dozen for iOS, have not yet been released, but discovery of the vulnerability is credited to self-proclaimed security geek Martin Vigo.

I went to Martin Vigo’s website expecting to see more details of what the vulnerability entailed, seeing as a fix had now been issued by Apple. But there was nothing to read about it.

Worryingly, on his Twitter account Vigo says that he has not written about the now-fixed Facetime vulnerability because there are “other related vulnerabilities still to be fixed.”

Although it’s good that Apple has apparently fixed this FaceTime snooping vulnerability, it’s alarming to hear that there may be other as-yet-unpatched vulnerabilities still to be addressed by Apple’s security team.

Maybe those of us who rely upon FaceTime for secure communications would be wise to tread a little carefully until more is known.