Update your iOS devices now against the FaceTime eavesdropping bug

Last week a bug became such big news that it broke out of the technology press, and into the mainstream media – generating headlines around the globe.

The reason? A bizarre bug had been discovered in the way iPhones and iPads handled Group FaceTime calls, meaning that someone could potentially listen to and even see you *before* you answered an incoming call.

https://twitter.com/BmManski/status/1089967572307640325

As news of the flaw spread like wildfire on social media, Apple said it would fix the problem “later in the week” and made a change server-side that temporarily disabled all Group FaceTime calls to prevent others from being at risk (much to the irritation of those hoping to prank their friends).

The bad news for Apple grew as it not only failed to release a patch within its original estimate, but it was also revealed that a 14-year-old boy had separately discovered the problem a couple of weeks earlier, and had received no response when he attempted to report the bug to the tech giant.

Two members of the US Congress wrote to Apple CEO Tim Cook, demanding answers as to why the company had not acted immediately when the vulnerability was discovered, and how it was planning to address any harm caused to consumers.

House Energy and Commerce Committee Chairman Frank Pallone and Representative Jan Schakowsky claimed that Apple was failing to be transparent about what they described as a “serious issue.”

Meanwhile, the New York Governor and Attorney General announced that they would be launching a probe into Apple’s failure to warn consumers.

Personally I do think that Apple dropped the ball somewhat in failing to take the 14-year-old’s bug report seriously when they first received it, but I find it hard to accept that the company didn’t act quickly when it understood the privacy-breaching nature of the problem.

Within hours of videos spreading rapidly on social media, and the first news reports of how to exploit the vulnerability, Apple had shut down all Group FaceTime calls – preventing others from abusing the bug.

And yes, obviously in an ideal world it would have had an iOS patch ready to roll out the next day – but the worst thing in the world would have been for Apple to have been rushed into issuing a fix that didn’t properly remediate the issue or – worse – introduced yet more flaws.

Sometimes it takes a while for code to be properly tested and quality-controlled. As there was no way for anyone to exploit the bug with Group FaceTime disabled, it seems reasonable to me that Apple has only now issued an update to iOS, iOS 12.1.4, which fixes the problem.

The update also fixes a number of other security issues, including two zero-day flaws discovered by researchers working for Google.

For many iPhone and iPad users the update will be automatically installed, but – if you want to make sure that you are protected – follow these instructions:

Go to Settings > General > Software Update, and choose Download and Install.

And as for Grant Thompson, the 14-year-old high school student who first discovered the flaw? He appears to have been credited in Apple’s security bulletin about the flaw, just as any other security researcher would be.

Smart kid.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments

  • Thank you for this. This is all well and good but thus far Apple has failed to address the problem of losing cellular and/or WiFi access starting with 12.0.1. I wouldn’t update until they do.