A Teenager Tried To Warn Apple About Its FaceTime Security Flaw, But Appears To Have Been Ignored
from the go-to-voicemail dept
By now, you've almost certainly heard about the latest big technology security flaw: a bug in Apple's Group FaceTime that let a caller hear audio from the recipient's phone while the call was still ringing, before the recipient had accepted it. This obviously has all kinds of people all kinds of freaked out, since the bug essentially turns any iPhone into a short-burst surveillance device. It has led some to opine that Apple, which has a fairly decent reputation from a privacy standpoint, is at risk of having that reputation torpedoed over this story.
And that might be all the more the case when the public discovers that Apple was informed of this bug by a teenager and his mother in the week or so before the press coverage of it, and did nothing about it.
The Wall Street Journal reports that Grant Thompson, from Tucson, was “setting up a FaceTime chat with friends ahead of a ‘Fortnite’ videogame-playing session when he stumbled on the bug”. It was then that Thompson noticed that he could hear audio from friends who had yet to join the call. Grant quickly told his mother, Michele, and the pair spent a week trying to contact Apple to warn them about the issue.
The WSJ says that after some calls and faxes they “eventually traded a few emails” with Apple’s security team, but it wasn’t until reports of the bug blew up on Twitter that the decision was made to disable Group FaceTime.
This apparently happened a week or so before this all exploded on Twitter and in the media. We've heard stories like this in the past, of course, but it always amazes me that tech companies aren't better at making clear, across the entire company, that staff should push a report like this up the hierarchy, and that those higher up should address such reports both quickly and publicly. Imagine a world in which Apple had lauded this teenager for informing the company about the bug and had proactively disabled Group FaceTime until the bug was resolved. Apple would have come out looking, once again, as though it were looking out for the privacy interests of its users.
Instead, it sure looks like the company was hoping to stick its head in the sand and pretend the bug didn't exist. Or, more charitably, perhaps the company thought it could simply do away with the bug quietly via an update with vague patch notes. Either way, it's not a great look.
Filed Under: facetime, grant thompson, security, security disclosure, warning
Companies: apple
Reader Comments
By iDiots, for iDiots. So glad my wife and I use Android phones instead.
Re:
I'm an Android user too, but come on, it's not as if they haven't had their share of security issues.
Re:
The only idiot is the one who smugly acts like he's invincible because he has a different brand loyalty.
Never attribute to malice...
More like the right folks didn't hear about it for a while. Mom gets a different level of attention than if a known vulnerability researcher had made the call. You have to imagine that every tech firm gets its fair share of cranks making bogus claims about vulnerabilities.
Why, just last night my phone's Facebook app was beaming political messages into my brain while I slept!
Cut the smartphone. A dumb tablet and an old flip phone without GPS are a better product.
Re:
I'd love to see you administer my infrastructure on the road with that phone.
Customer Service scripts are designed to pigeonhole users
I'd bet they called up the normal front-facing customer service and got the whole "turn it off and on again" spiel. Apple has been better about having actually trained people involved in customer support, but even they have a first-level wall of untrained script-reading bots (human or software) to filter people into the right buckets before sending them on to the people with the right knowledge.
If the script they give to these front line people doesn't include a way to filter the call into the "security issue" or "privacy leak" buckets then it will drop them off into some meaningless phone menu hell.
This is one more symptom of companies not planning for security issues to happen unexpectedly. If no one with agency thinks to include something like this in customer service scripts and no agency is given to the actual front line script readers then there is no way to easily move real security issues up the chain.
Re: Customer Service scripts are designed to pigeonhole users
The story says they made phone calls and faxes until they started trading emails with the security team. While it doesn't go into further detail (I would love to see those emails) it does indicate they got past level one support.
Reproducing the issue is three easy steps. 9to5mac.com was able to do it no problem. So this looks like someone on the security team or above made a call not to shut off FaceTime while they worked on a fix. Meanwhile it blew up all over Twitter, so they had to shut it down before the fix came out.
Re: Customer Service scripts are designed to pigeonhole users
They need to add a shibboleet option.
Ever tried to report a BIOS bug to someone? I found it impossible, almost exactly like in that comic (the laptop vendor wanted to debug Windows, which wasn't running; the problem happened before any OS was running).
The story (and original source) is light on details. If Grant and his mother were unable to provide steps to reproduce the bug, then this would not be a high-priority issue. The reason is that without reproduction instructions the report could be mistaken, some insane alpha-particle-flipped-a-bit thing, or even a malicious false report. System logs for Apple to dig through can be enabled on iOS, but that doesn't do any good if you never reproduce the bug.
Now if Apple was given explicit steps to reproduce and did nothing, well that's a pretty big egg on their face.
And requiring them to sign up for the Apple Developers Program was just a safety measure...
That mom and teen are just lucky that the FBI didn't show up to their house to take all of their electronics and arrest them for hacking.
Re:
That happens next week, after the media coverage has died down somewhat. The FBI shows up at their house next week.
Since the kid's a "hacker" he gets the 29-agent, 17-vehicle with two amphibious tanks, one helicopter with SWAT rappelling onto the roof, and multiple flash-bang treatment — the treatment that was absolutely not pioneered with CNN's coverage of the Roger Stone arrest. Pretty much par for the course when it comes to "hacker" arrests.
Re: Re:
Plus they'll take any cash and anything that looks electronic. I hope they're keeping a backup non-electronic thermostat around, it's cold outside...
Re:
I'd like to vote your comment funny, I really would, but given some of the stories that have been on TD in the past I find myself forced to hit insightful/'Sad but true' instead.
And Apple would have gotten away with it, too...
If it weren't for the pesky kid.
I'm sure the FBI will be raiding his house shortly.
Techdirt headlines next week: Apple sues teenager, mother, for creating FaceTime security flaw
Apple has been using this "bug" in FaceTime to spy on rival companies, steal their ideas, etc. Ever noticed how "coincidentally" Apple has filed a large number of patents JUST before a rival company?
The UK government has recently moved most of its staff to iPhones. Apple is also using this bug to spy on Brexit negotiations, so they can again "coincidentally" invest in the stock market based on the government's private discussions, as they then know which companies will get new contracts, etc.
It's insider trading all the way from Tim Cook on down it appears.
Re:
No, but the history of simultaneous discovery suggests things like that are not rare.
I'm just waiting for the news that Apple sues the teenager using the CFAA.
Ok, YOU are the Facetime product manager at Apple ...
Assume that the issue filters to you as product manager two days after first contact with the "help desk".
You talk to the developers and it's 15 working days to design, implement and test a fix, or you can shut down group chat, which would affect millions of users.
What would you do?
Re: Ok, YOU are the Facetime product manager at Apple ...
Well if you don't want to get fired, escalate.
The government sure would have loved to have such a plausibly deniable "flaw" in Apple's tech. I'm not much for tinfoil-hat stuff usually but...
Comparisons
"A Teenager Tried To Warn Apple About It's Facetime Security Flaw"
A third grade teacher tried to remind her students that if they can't learn basic English, people would make fun of them when they grew up.
From this juxtaposition we can infer Apple has the maturity and attention span of a classroom of nine-year-olds.