Archive

Apple fixes FaceTime eavesdropping bug, but other flaws may remain

Apple issued security updates for OS X and iOS yesterday. Have you downloaded and installed them?

Perhaps you should, because there are a number of serious vulnerabilities addressed that – if left unpatched – could leave your privacy and security in peril.

One of the flaws particularly caught my eye, because it’s easy to imagine how it could be abused by law enforcement and intelligence agencies to spy on targets without their knowledge.

The CVE-2016-4635 vulnerability could allow an unauthorised party to continue to listen in to a FaceTime call after the chatting parties believe it has concluded.

In other words, someone calls you. You think the call has finished. But in fact, without your knowledge, someone is continuing to listen in to you via your Mac or iPhone’s microphone.

Any vulnerability which suggests that iPhone and Mac users could be spied upon because of a security hole like this raises the spectre that it could be exploited not only by online criminals and fraudsters, but also by over-reaching governments.

And that’s something that Apple appears to feel very strongly about, attempting to distance itself from some of its competitors with its defiant stance against government overreach, as most recently demonstrated in its refusal to crack the San Bernardino iPhone.

Apple drily described the FaceTime vulnerability as follows in their security advisory issued yesterday:

FaceTime
Available for: OS X El Capitan v10.11 and later, iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated.

Description: User interface inconsistencies existed in the handling of relayed calls. These issues were addressed through improved FaceTime display logic.

More details of the nature of the flaw, which was announced as part of a security update which saw some 35 fixes for OS X El Capitan and over two dozen for iOS, have not yet been released, but discovery of the vulnerability is credited to self-proclaimed security geek Martin Vigo.

I went to Martin Vigo’s website expecting to see more details of what the vulnerability entailed, seeing as a fix had now been issued by Apple. But there was nothing to read about it.

Worryingly, on his Twitter account Vigo says that he has not written about the now-fixed Facetime vulnerability because there are “other related vulnerabilities still to be fixed.”

Although it’s good that Apple has apparently fixed this FaceTime snooping vulnerability, it’s alarming to hear that there may be other as-yet-unpatched vulnerabilities still to be addressed by Apple’s security team.

Maybe those of us who rely upon FaceTime for secure communications would be wise to tread a little carefully until more is known.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • On "Maybe those of us who rely upon FaceTime for secure communications would be wise to tread a little carefully until more is known."

    I don't think that people should expect security/privacy from FaceTime. Unfortunately there is no well-known and freely available private video-calling app out there, but for voice calls I would consider Signal (https://whispersystems.org/) the golden standard that anyone wishing to securely communicate should be using.

  • Facetime should provide end to end encryption to give more privacy to the users. Privacy is an important point that users seek on video calling. Facetime must include an end to end encryption.