
FaceTime bug lets you hear audio of person you are calling before they pick up - uptown
https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/
======
NelsonMinar
I'm always curious how a bug like this ships. I mean QA & Testing should catch
it, sure. But even before then. Some engineer wrote code for FaceTime that has
it open the microphone before the call is accepted. And transmit the audio
over the network before the call is accepted. Who did that? And why? I'm not
suggesting malice but I do wonder at the lack of defensive programming.

~~~
Someone1234
It reminds me of this MacOS bug from last year, where simply hitting the login
box over and over with no password would eventually bypass the security
entirely:

[https://www.theregister.co.uk/2017/11/28/root_access_bypass_...](https://www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/)

And this other MacOS bug, also from last year, where the password hint would
contain the plain text encryption password:

[https://www.theregister.co.uk/2017/10/05/apple_patches_passw...](https://www.theregister.co.uk/2017/10/05/apple_patches_password_hint_bug_that_revealed_password/)

All within a month of each other.

~~~
konschubert
Edit: Deleted my comment because I felt it wasn’t constructive.

~~~
pilsetnieks
There was one guy on reddit who had a scare when his computer flashed a
picture of a dead person when shutting down, and he thought his computer was
haunted. It turned out to be a frame from a youtube video he was watching
earlier. It may be that macOS is not that good at clearing out GPU memory
sometimes.

~~~
ben_w
I have the exact opposite problem. When I reboot after system updates, half a
dozen YouTube videos in Chrome tabs start playing over each other on the
password screen. They get through about 20 seconds before I can stop the last
of them.

Audio only on the password screen, but all audible.

------
docbrown
Rumor mill: FaceTime bug was submitted to Apple on 20 January 2019 by a
concerned mother after .. her 14-year-old son discovered it.

> My teen found a major security flaw in Apple’s new iOS. He can listen in to
> your iPhone/iPad without your approval. I have video. Submitted bug report to
> @AppleSupport...waiting to hear back to provide details. Scary stuff! #apple
> #bugreport @foxnews

[0]
[https://twitter.com/mgt7500/status/1087171594756083713?s=21](https://twitter.com/mgt7500/status/1087171594756083713?s=21)

~~~
npunt
Interesting twitter account. First tweet 1/1/19, few followers, mostly
politics, then a major bug report (not only in discovery but in knowing how to
go through the reporting process). Not saying it’s fake at all - it looks 100%
legitimate - but it adds some extra bit of weirdness to this story. Quite the
providence, and a really bad bug. (edited for clarity)

~~~
neya
The genuineness of the Twitter account is absolutely irrelevant in contrast to
the validity of the bug itself.

Apple was reported a high priority bug at a specific time. Who reported it,
what they look like, what their Twitter profile looks like should have no
impact on Apple's bug fixing process and how long/short they took to fix the
bug.

~~~
npunt
Oh I’m not questioning the existence or importance of the bug. It’s important
and a big screwup.

However, I _am_ extra sensitive to the degree to which twitter is being
manipulated for all sorts of ends. Sometimes things look more than a bit
fishy. Usually major bug reports don’t come from 2019’s version of egg avatar
+ letters/numbers username + very recent activity consisting almost entirely
of political posts + past tweets with interactions with obvious political
manipulation bots. That is on the stranger end of things, you have to admit.
To be clear I think it’s real, but also real weird.

~~~
blazespin
What possible motivation would anyone have for reporting a real bug of this
nature like this? Other than, yeah, found a crazy bug.

~~~
npunt
Stock manipulation perhaps? Happens a lot with Tesla apparently, short sellers
will pump up any negative story and try to get it into press. This person was
making several attempts to get in contact with press after all, and a story
about a teenager finding a big privacy bug in a company that publicly touts
its privacy chops has ‘news at 11’ written all over it.

Personally I think a bug report story is not a particularly plausible strategy
for such a thing - this person’s concern seems entirely genuine - but crazier
things have been done for money. I’m relatively skeptical of complaints from
companies about short sellers and bad press, but also recognize that stock
manipulation happens a lot more than most ppl are aware of.

~~~
neya
Is it still called stock manipulation if the bug is critical and for real and
the company deserves to lose shareholder value simply for the critical nature
of the bug?

Imagine how many people are vulnerable out there - I'm already starting to
read some complaints on the internet that some people were unknowingly sharing
a video of them taking a shower, etc.

~~~
tcgv
If you're in possession of information with the potential to impact the
stock price when released and you use it in your own favor to try to make a
profit, then I believe it can be characterized as an attempt of stock
manipulation.

------
Jonnax
Security and privacy are two big parts of the marketing for the iPhone.

I'm curious how they can mitigate the reputational damage.

Edit:

It gets worse:

[https://www.theverge.com/2019/1/28/18201383/apple-facetime-b...](https://www.theverge.com/2019/1/28/18201383/apple-facetime-bug-iphone-eavesdrop-listen-in-remote-call-security-issue)

If the recipient rejects the call by pressing the power button, it starts
sending video.

~~~
akerl_
Why would this be any more reputationally damaging than the numerous other
bugs with iPhone behavior?

It’s not like iPhones have a reputation for not having bugs; it seems like
every version has a passcode bypass or a DoS-via-iMessage. By some standards,
this is worse (remotely triggerable, leaks audio/video), but in other cases
it’s not as bad: the attacker’s Apple ID ends up in the call logs of the
affected person.

Are there prior examples of any phone manufacturer being reputationally
damaged by vulnerabilities like this? Heck, Samsung’s phones literally caught
fire and they’re still selling phones just fine.

~~~
giancarlostoro
> Why would this be any more reputationally damaging than the numerous other
> bugs with iPhone behavior?

Oh I don't know, someone denied the call because they're possibly in the
shower, or other inappropriate moments. Oh look now they're naked on a video
call... Yikes!

~~~
akerl_
I feel like you're answering a different question than I asked. I don't think
the bug is low-severity.

I'm asking:

Is there any historical evidence that high-severity bugs in iPhones (or really
any mobile phone) are reputationally damaging, sufficiently that Apple would
worry about the impact of this bug?

I'm not aware of any instance in the past where a high-sev iPhone bug had
noticeable long-term impact. This is similar to other issues, like the Sony PSN
hack, where despite the gravity of the issue, everything continued long-term
as if nothing had happened.

~~~
nkozyra
> Is there any historical evidence that high-severity bugs in iPhones (or
> really any mobile phone) are reputationally damaging, sufficiently that
> Apple would worry about the impact of this bug?

I'm sure Apple "worries" about any bug and its potential impact on its
reputation, particularly in the area of privacy, where it has a leg up on
Android at least in perception.

That said, what historical bug is up to this one for iOS? This is a big deal
and I cannot recall anything similar.

edit 1: this hasn't exactly been a banner couple of months for iPhone. You'd
expect that mitigating _any_ negative news about the device would be paramount

edit 2: look to Facebook. I find it encouraging that people have reacted so
negatively to a company acting so cavalier with their personal data and
privacy. Yes, I think Apple cares, moreso than with other bugs.

~~~
akerl_
[https://www.zdnet.com/article/ios-mac-flaw-exposes-your-pass...](https://www.zdnet.com/article/ios-mac-flaw-exposes-your-password-with-one-image-file/)

Where sending somebody a .tiff file via iMessage, web page, or email would
give the attacker RCE on the device.

~~~
saagarjha
The article slug is misleading, and suggests a fundamental misunderstanding of
the scope of the bug. A RCE in Messages does not allow attackers to steal your
passwords.

~~~
akerl_
The ask from the comment I’m responding to was for comparable vulnerabilities
to this one, since this comment thread is discussing reputational damage from
high-sev vulnerabilities. This vuln gives RCE in iMessage, which is an app
that has microphone/camera access, so I’d say it’s clearly comparable.

------
danra
Apple’s bug handling is broken.

Anyone who has filed a few rdars knows it is thankless work. The amount of
work you have to invest for anyone to even look at your bug is high. In the
instance of this particular bug, I wouldn’t be surprised if at least part of
the reason it took a week and a half to handle since it was reported was that
the initial reply to the reporter was “please send us the exact steps to
reproduce” and then nothing was done until the bug reporter replied back. I
wouldn’t be surprised to learn there were even a few iterations of this, since
I personally experienced it.

Then, your bug gets looked at. But you don’t know anything about its status.
Until anything from a few days to a few months later, it gets closed as a
duplicate. Of course there is no way to know in advance that the bug was
already opened, and that you could save an hour of work time instead of making
a minimal reproducible version of your app which reproduces the bug.

At least, that’s been my unfortunate experience.

/rant

------
smmnyc
Apple has disabled group FaceTime on their end.
[https://www.apple.com/support/systemstatus/](https://www.apple.com/support/systemstatus/)

~~~
timeimp
Oh damn, they can do it just like that?

I thought FaceTime was a P2P thing... but it appears group FT requires Apple's
servers?

~~~
_bxg1
Very few communication services are truly P2P; it's way more likely to have
syncing issues and is virtually impossible without at least a handshake. Even
Signal, which does have syncing issues due to being mostly P2P, requires a
server for the initial handshake.

~~~
acchow
Especially on mobile, where you want to conserve battery life.

------
kimburgess
It may be entirely unrelated, however this is the exact sort of behaviour you
would expect to see associated with providing compatibility with Australia's
newly introduced AABill, or to implement GCHQ's ghost participant proposal
([https://www.lawfareblog.com/principles-more-informed-excepti...](https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate)).

~~~
rjf72
The bizarre thing is how little people seem to have paid attention to Snowden.
Apple joined the NSA's PRISM program in 2012. [1] PRISM enables the government
to access data from participating companies including audio, video, and _live_
chat. I'm linking to Wiki there only as a catalogue of sources. The page
itself is useless and has overtly fake (though at least mildly amusing) quotes
from Google. There's no need for new bills for these sort of issues to be a
concern.

I also tend to agree with you that this is not necessarily related to these
programs. The reason I mention this at all is because I think there is a
reasonable chance that this is related, that this overall issue is very
important, and that the amount of cognitive dissonance on this is surprising
and regressive. These programs are real. Companies facilitating access,
including real time, to your data and "private" conversations is real. And it
seems to only be getting worse. Yet people seem to convince themselves
otherwise, including throughout this thread. Part of the reasons these
programs are able to carry on mostly unchallenged is because people convince
themselves that what is happening, is not.

[1] -
[https://en.wikipedia.org/wiki/PRISM_(surveillance_program)#M...](https://en.wikipedia.org/wiki/PRISM_\(surveillance_program\)#Media_disclosure_of_PRISM)

------
0x0
That's a pretty huge flaw. Millions if not billions of people can suddenly
remotely spy on almost any other ios or mac anywhere in the world, just by
knowing their email address or phone number?

Perhaps Apple should simply pull the plug on the facetime servers for now.

~~~
stcredzero
_That's a pretty huge flaw. Millions if not..._

Is it just me, or is such a phrase applicable to Apple far too many times in
the past several years? I think their engineering is losing quality or is
falling behind on what they have to cover.

~~~
JeremyBanks
Comparable examples?

~~~
stcredzero
Just off the top of my head: I think on three separate occasions, specifically
crafted text messages have made the Messages app disappear from iOS, requiring
a reboot. There was a comparable MacOS login bug not too long ago.

------
shiado
Perhaps their NSA PRISM code got mixed up with their user facing code? I'm not
just joking, we all know Apple only pays lip service to privacy and got caught
red-handed during the Snowden leaks.

VOIP is indeed listed.
[https://cdn.vox-cdn.com/thumbor/6r9jLyDaTuh8MlCgiL-9Uq588TQ=...](https://cdn.vox-cdn.com/thumbor/6r9jLyDaTuh8MlCgiL-9Uq588TQ=/0x0:700x525/1820x1213/filters:focal\(294x206:406x318\):format\(webp\)/cdn.vox-cdn.com/uploads/chorus_image/image/61159115/prism-slide-4.1419979622.0.jpg)

------
joeblau
I just called my friend who was already on a call talking to his brother. He
could hear me and his brother but his brother and I couldn't hear each other.

I was also able to call him, have him hang up and then see his video and hear
his audio. He couldn't hear me, but I could hear and see everything.

I'm turning my phone off tonight!

~~~
argsv
is it not enough to disable FaceTime for the time being?

~~~
omaranto
It probably is, but when you are freaked out you want certainty.

~~~
jimmaswell
Better remove the battery too.
[https://www.tomsguide.com/us/nsa-remotely-turn-on-phones,new...](https://www.tomsguide.com/us/nsa-remotely-turn-on-phones,news-18854.html)

~~~
zuck9
Which you cannot do on iPhones.

~~~
Tepix
ifixit.com :-)

------
kiwijamo
The other day my friend Alice (not real name) attempted a FaceTime call to
Bob. To both our surprise my phone rang with a FaceTime call from Alice (and
as far as we know, Bob never received the call). Holding both our phones
together, Alice phone was showing a call to Bob while my phone was showing a
call from Alice. A very strange fluke which makes me wonder how robust the
FaceTime code is.

~~~
greenleafjacob
Not sure if this was intentional but in security, Alice and Bob were the names
in hypotheticals for the attacker and unwitting victim since the RSA paper.

[https://en.m.wikipedia.org/wiki/Alice_and_Bob](https://en.m.wikipedia.org/wiki/Alice_and_Bob)

~~~
googlemike
Your comment shows a clear lack of contextual insight into general software
security. Alice (A) and Bob (B) are ubiquitous in discussions:

[https://en.wikipedia.org/wiki/Alice_and_Bob](https://en.wikipedia.org/wiki/Alice_and_Bob)

~~~
justwalt
Not sure his comment deserved a response like that.

------
rgovostes
Fun story: I tested this bug, initiating a call from my phone and then joining
it on my Mac. After I had ended the call, the Mac's camera LED stayed on, even
though the FaceTime app was not showing a video preview (in fact it had no
windows open). Was it transmitting? Who knows! State management seems to be a
mess all over the place.

~~~
saagarjha
This means your camera was in use by some application. Whether that video left
your device is harder to ascertain, but you can try quitting FaceTime to see
if the light turns off.

------
dawnerd
While they're getting a fix ready, might be smart to just disable FaceTime if
you don't rely on it.

[https://www.imore.com/how-to-turn-on-off-restrict-facetime-i...](https://www.imore.com/how-to-turn-on-off-restrict-facetime-iphone-ipad)

~~~
paulie_a
That just seems like a good idea anyways. FaceTime as a product just flat out
seems stupid.

~~~
yoz-y
Why? I use it all the time and in terms of simplicity it beats all other video
calling products.

~~~
peteretep
I'll take a stab at that, although I don't think it's stupid per-se. Everyone
I talk to, I talk to via WhatsApp, LINE, or FB Messenger, and generally I only
use that method to talk to them, whatever else they're on. All of those have
easy one-press buttons to initiate video call. Using some kind of Apple-only
technology?

I mean I think most people I know are probably on an iPhone, but having to
remember everyone's device to know if they can FaceTime? Ugh. I suspect I
could work out how to FaceTime someone if you made me, but I'd have to work it
out rather than just knowing it.

~~~
7Z7
But isn't everyone being on WhatsApp or FB Messenger or whatever just
elevating the device uncertainty to platform uncertainty? You still have to
remember or check who is on what.

It seems like if they generally are all on iPhone, FaceTime is the one thing
you could reliably call them on, and it will even tell you right in the
messages app if you can FaceTime them.

~~~
peteretep
> You still have to remember or check who is on what.

For some reason this comes pretty naturally to me. I guess I'm only talking to
15-20 people pretty regularly...

> it will even tell you right in the messages app

Maybe this is the disconnect. The last time I sent a message from Messages was
apparently in November.

------
DINKDINK
I wonder if the Apple representative who said this would be "fixed later this
week" realizes this allows any attacker to wiretap any iPhone user (that has
the vuln)

~~~
redblacktree
Yeah, that's bizarre. If my team were responsible for a bug like this, we'd be
fixing it before we went home.

~~~
saagarjha
The team might be able to fix it today, but the fix needs to go through
testing and then be built alongside the rest of iOS (a multi-hour process). I
wouldn’t be surprised if this takes two or three days to roll out.

~~~
grogenaut
You didn't even bring into consideration the app store approval process which
can take 2-3 weeks and likely would reject this as a feature removal without
user notification.

~~~
saagarjha
The update notes might include it ;)

------
preinheimer
As an apple user I'm concerned. I hope it doesn't turn out that Apple has
known about this for weeks/months/whatever.

On the upside I have a lot of confidence that they can fix this, and that I
can receive that patch in a timely fashion.

~~~
ummonk
They said later this week, which seems surprisingly untimely given the
severity of this bug.

~~~
casefields
Also, let's not forget Trump, against security advice, has remained using his
iPhone. oof.

------
int_19h
This sort of thing is why I'd prefer devices to come with hardware
killswitches for mic, video, and various radio modules.

~~~
notfed
iPhones already have a "mute" slider switch. When I first looked into iPhones
(after years of Androids), my instant reaction upon seeing the slider switch
was "Ah! FINALLY! I can feel at peace in the knowledge that software
vulnerabilities are powerless to hack my camera or microphone!"

Of course, stupidly, the slider doesn't "mute" my camera or microphone, but
only my speaker. For Apple to modify this slider so that it mutes my camera
and microphones would require the daunting addition of two transistors. And
the act of such a simple modification would put an end to the incredibly
creepy, Orwellian possible reality that we all risk taking a part in every
time we glance at the familiar tiny screens we have become so intimately glued
to.

Apple should add those two transistors.

~~~
kennywinker
Frankly, I’m totally in favour of hardware interrupt switches for the
camera/mic - but I think I understand why it’s not likely to happen. First, to
a lot of people it will look like admitting your thing is hackable, which
makes it seem vulnerable. Second, now every time I accept a call I have to
check this switch - sounds like a switch most people will leave in the on-
position 100% of the time and then when it accidentally gets flicked they’ll
bring their phone to the Apple store because “it’s broken”.

Also, I don’t want my ringer to have to be on any time I take a call... but
that’s just a debate about if it should be one switch or two.

Also the hardware switch doesn’t interrupt the speaker, it just turns the
ringer to silent/vibrate mode - you can put someone on speakerphone or play
music with it on.

~~~
jodrellblank
_sounds like a switch most people will leave in the on-position 100% of the
time and then when it accidentally gets flicked they’ll bring their phone to
the Apple store because “it’s broken”._

laptops with hardware wifi and bluetooth switches. Took plenty of support
calls about those.

------
tammer
I encountered a bug a while back — when I would connect to a dial-out call to
get onto my company’s conference service from its app, while using a pair of
cheap Bluetooth headphones (I’ve upgraded since then!) the mute button didn’t
work.

As in, the mute button would be clearly activated, but my audio still carried
through to the call. As in, I discovered this in quite an embarrassing way.

I filed a radar but never got a real response about it. Really there appears
to be a strong need at Apple to ensure QA is checking for confirmations of
user interaction. As I haven’t experienced anything like this since I’m still
with them but these types of problems are the very thing that would lead me to
shake my deep investment in the Apple ecosystem.

~~~
josu
I have serious trust issues with mute buttons. I'd rather not say anything I may
regret while the mic is muted.

------
dannyw
If I were Apple, I would be implementing a server side migration right now:

- if someone adds their own email or phone number again to a group chat,
immediately terminate the call

As far as I know, this would mitigate the vulnerability.

Alternatively, disable Group FaceTime calls altogether.

~~~
rgovostes
It might trigger the bug to just invite any additional participant (say, a
second phone the attacker possesses), in which case blocking only inviting
oneself is not sufficient.

My theory is that the server routes messages to everyone who has been invited
to the call, even if they have not accepted it. One message might be
"participant left," in which case if you are the last one, the call ends.

Another would be "participant joined." The bug would center around the fact
that the logic for handling a "participant joined" message does not check if
the call has been accepted and makes an unexpected transition to a state that
it should not be in.

The "participant joined" code likely handles the case that the new participant
was already present on the call. Why? Apple wants to support seamlessly
transitioning your call from one device to another. That's why blocking might
not be so straightforward from the server side.
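
A toy model of the theory in the comment above, as an added example that is not part of the thread and is not Apple's code: a callee-side call state machine in which a relayed "participant joined" message can open the microphone, next to a version where only a local accept can. All class, method and message names, and the example.com handles, are assumptions made for illustration.

```python
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    RINGING = auto()
    CONNECTED = auto()
    ENDED = auto()


class NaiveCallee:
    """Callee-side session with the flaw the comment hypothesises."""

    def __init__(self):
        self.state = CallState.IDLE
        self.accepted = False   # set only by a local user action
        self.roster = set()
        self.mic_open = False   # stands for "capturing and transmitting"

    # --- messages relayed by the (hypothetical) signalling server ---
    def on_invite(self, caller):
        if self.state is CallState.IDLE:
            self.state = CallState.RINGING
            self.roster.add(caller)

    def on_participant_joined(self, handle):
        self.roster.add(handle)
        # Flaw: a remote message drives RINGING -> CONNECTED without
        # ever consulting self.accepted.
        if self.state is CallState.RINGING:
            self._connect()

    def on_participant_left(self, handle):
        self.roster.discard(handle)
        if not self.roster and self.state is not CallState.IDLE:
            self._end()

    # --- local user actions ---
    def user_accepts(self):
        if self.state is CallState.RINGING:
            self.accepted = True
            self._connect()

    def user_declines(self):
        if self.state is CallState.RINGING:
            self._end()

    # --- transitions ---
    def _connect(self):
        self.state = CallState.CONNECTED
        self.mic_open = True

    def _end(self):
        self.state = CallState.ENDED
        self.mic_open = False


class HardenedCallee(NaiveCallee):
    """Same protocol; media can open only after a local accept."""

    def on_participant_joined(self, handle):
        # Roster bookkeeping only: a remote message never changes call state.
        if self.state in (CallState.RINGING, CallState.CONNECTED):
            self.roster.add(handle)

    def _connect(self):
        # Single choke point for opening media: refuse without local consent,
        # whichever handler asked for the transition.
        if not self.accepted:
            raise PermissionError("media requested before local acceptance")
        super()._connect()


def replay(session_cls, events):
    """Feed a trace of (method_name, *args) tuples to a fresh session."""
    session = session_cls()
    for name, *args in events:
        getattr(session, name)(*args)
    return session.state, session.mic_open


# Constructed traces; the handles are placeholders.
UNANSWERED = [("on_invite", "caller@example.com"),
              ("on_participant_joined", "caller@example.com")]
ANSWERED = [("on_invite", "caller@example.com"),
            ("user_accepts",),
            ("on_participant_joined", "third@example.com")]
DECLINED = [("on_invite", "caller@example.com"),
            ("user_declines",),
            ("on_participant_joined", "caller@example.com")]

if __name__ == "__main__":
    for label, trace in [("unanswered", UNANSWERED), ("answered", ANSWERED),
                         ("declined", DECLINED)]:
        for cls in (NaiveCallee, HardenedCallee):
            state, mic = replay(cls, trace)
            print(f"{label:10} {cls.__name__:15} {state.name:9} mic_open={mic}")
```

The hardened class enforces the invariant in two places: the message handler no longer requests the transition, and the transition itself rejects any caller when there has been no local accept.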

------
throwawaymjabba
I would like to bring up something that happened to someone I know during
WhatsApp call. Person A was in US and person B in India and were audio calling
through WhatsApp on something work related. Person A starts hearing someone
else on his side, nothing unexpected on B's side. A started a new call and
everything was fine. A said it reminded him of the crosstalk that was common
during the landline days. Could it be a bug or was someone listening and
forgot to turn off their mic? No idea.

------
yy77
A quick stop for the possible privacy disaster for Apple is to stop group
FaceTime calls at once and not wait until later this week for the bug fix. One
could imagine that quite a few people might already be trying to peek at
privacy using this.

------
argsv
Premature optimization, perhaps. Don’t optimize by sending audio too early (as
others have suggested) and why should I be able to add my own number to the
conversation if that number is the call’s initiator? Makes no sense.

~~~
yreg
>why should I be able to add my own number to the conversation

You might want to add several devices with the same facetime handle to the
same call.

------
nurettin
With the advent of microphone embedded computing devices, a bug can really
become a bug.

------
ainiriand
It is super crazy that when you apply for a dev job in companies like this you
have to be like a small Alan Turing and yet things like this happen.

------
samstave
A fun thought experiment for a bug like this would have been to test lists of
emails against validating the ability to FaceTime call with the email and
determine if it was used as the iCloud email address...

Had this bug gone unknown longer - then you'd have a list of all the endpoints
you could spy on.

------
reasonablemann
People always ask me why I have the camera on my computer covered. There is
still far too much trust in technology.

------
wtmt
What about updates for people who don't update often or don't even see that
there's an update? This is way too critical a bug for people who don't follow
the news to not be taken care of (their devices, I mean). Apple keeps pushing
major new version iOS downloads forcefully down to devices without any way of
opting out, yet what I've seen is that point updates are left as optional and
may not even show up unless one checks for an update.

As much as forced new feature updates take freedom away from users, Apple
needs to up its game on security fixes like this (that could be standalone)
being pushed to all compatible devices ASAP (no waiting for the phone to be on
the charger overnight, etc.).

~~~
saagarjha
> Apple keeps pushing major new version iOS downloads forcefully down to
> devices without any way of opting out

iOS upgrades are not mandatory by any means.

> no waiting for the phone to be on the charger overnight, etc.

This is how you get phones running out of battery halfway through an update.

~~~
wtmt
> iOS upgrades are not mandatory by any means.

The upgrades are not mandatory, but the downloads certainly are. I've had to
delete the iOS downloads several times over years (including the downloads for
iOS 12) because iOS doesn't have an option to disable this, and it
automatically downloads the upgrade in the background when on WiFi for a long
enough time. It's a cumbersome process to delete the download. It's even worse
when you consider that a downloaded update would be installed overnight if you
leave the device on the charger and connected to WiFi and by mistake tap on
install when that prompt appears at some random time. The user interface for
controlling and managing iOS upgrades does not exist.

> This is how you get phones running out of battery halfway through an update.

The OS could always put a limit saying the phone should be charged at least
30-40% for an update to start installing. Even now, the upgrades and updates
are allowed to go through for iPhones without them having to be on the
charger.

------
FabHK
I must admit that when reading yet another privacy-invasion-headline I saw
"Facebook", not FaceTime/Apple. Not sure whether it's more indicative of
unjustified prejudice or actual precedent.

~~~
briandear
The difference is that Facebook does it intentionally.

------
philip1209
Tomorrow's earnings call should be fun

------
dzhiurgis
FaceTime audio ducking is the worst thing about FaceTime. Impossible to watch
something online with another person.

Also, FaceTime never closes after a call cleanly. Camera stays up until you
right click + quit the app...

------
drdrey
Isn't it fantastic that the exact same bug works on 2 different OSes?

~~~
sigjuice
Not exactly. There is likely a lot of common, if not identical code.

------
chx
Oof. I am reasonably sure very very soon there will be a number of very polite
but very pointed questions on Apple's desk from concerned lawmakers, data
protection authorities and such not only from the USA but the European Union
as well about how this happened and what are they doing to make sure this
doesn't happen again. I can very well see the European Data Protection
Supervisor fining them to some very interesting amount as well.

------
crististm
"Sagem GSM phone lets you hear the other party's audio before you pick up" -
Demonstrated this last time about 6 years ago calling my phone from different
networks: fixed, and two other GSM. My conclusion was that it's an
implementation bug easy to trip on or a provision in standard that it's easy
to misread.

Now - if the audio channel is _right there_ for you to read, what chances are
for this to be only a Sagem firmware bug?

------
Karupan
Just thinking out loud here - why isn't there legislation that makes it
mandatory for phone manufacturers to send out a notification to all devices
affected by serious security flaws (like this one)? Not only will fixing and
rolling out an update take a while, there is also no guarantee that the update
will be installed. Meanwhile, hackers will have a field day.

Or maybe there is already one, and I'm blissfully ignorant!

~~~
nexuist
Just to play devil's advocate (not a lawyer though):

What constitutes a "phone"? Any device with cellular capabilities? What about
WiFi calls? What if it's an industrial device with no network (LTE/data)
access? Is a laptop with a 3G modem covered under this?

I would suspect the problem is in defining what devices to target, and also
the fact that forcing any company to modify the functionality could be
perceived as a slippery slope (i.e. security notifications first, NSA
backdoors later...)

In Apple's defense, it is pretty difficult to miss an update alert considering
it comes through as (a) a push notification, (b) a mandatory alert, and (c) a
persistent red badge on the Settings app.

I agree that it might be a good idea to differentiate between a normal update
and a security critical one, though.

~~~
Karupan
Valid points. How about restricting the scope to devices connected to a
network and having some sort of push notification capability?

> In Apple's defense, it is pretty difficult to miss an update alert
> considering it comes through as (a) a push notification, (b) a mandatory
> alert, and (c) a persistent red badge on the Settings app.

> I agree that it might be a good idea to differentiate between a normal
> update and a security critical one, though.

But there is no mention of severity like you pointed out, and that is crucial.
And till such a patch is available, Apple should notify users to disable
offending apps/features if possible.

~~~
tedunangst
So... every computer running some sort of syslogd?

~~~
Karupan
Not sure if I'll define it that way, but why not? If my mobile device is
capable of showing inane ads as push notifications, why can't I expect
security advisories to be delivered that way?

------
minimaxir
> In a statement, an Apple spokesperson said the company is "aware of this
> issue and we have identified a fix that will be released in a software
> update later this week."

[https://www.buzzfeednews.com/article/nicolenguyen/facetime-b...](https://www.buzzfeednews.com/article/nicolenguyen/facetime-bug-iphone)

------
wincent
Reminds me of the time I FaceTimed my mother (in Australia) only to see the
call answered by a total stranger (in Texas).

------
shocks
On the 1st of November a friend shared with me a screenshot from the Instagram
of a concerned parent explaining a situation in which her child was being
cyber bullied, and it was clear from the content of the messages that the
bully could hear their private conversations.

I guess this bug has been known and abused for at least three months?

------
fma
I'll admit I have limited knowledge on iPhone security... But would it be
technically possible to do this with other apps? For example if one has
Wechat, can there be a backdoor to be listened in on? Thinking about state
actors...

------
bitpush
I don't want to be harsh, but Apple really should walk the talk regarding
privacy. It has its heart in the right place but bugs like this show how
careless they are.

~~~
RKearney
I never thought of Apple as caring much about privacy given the insane amount
of third party tracking scripts loaded in apps on the AppStore. What I would
give for LittleSnitch running on iOS...

~~~
scottishfiction
Set up [https://www.charlesproxy.com/](https://www.charlesproxy.com/) on the
same network as your phone, then set it to be the phone's proxy server. Voila,
you can now be horrified by the amount of tracking going on. You can even MITM
SSL traffic by adding a trusted CA to your phone.

------
sys_64738
Amazon calls this a feature in Alexa!

~~~
tills13
This has been disproven time and time again.

~~~
withinrafael
OP is referring to the ability to tap into any Alexa device, a feature Amazon
calls Drop In
([https://www.amazon.com/gp/help/customer/display.html?nodeId=...](https://www.amazon.com/gp/help/customer/display.html?nodeId=202153130)).

~~~
casefields
Google Duo does offer it as well.

~~~
jvolkman
I think you're referring to the Duo feature which shows a video of the caller
to the person being called prior to answering. Basically the opposite of drop
in and of this FaceTime issue.

------
d-sc
Just tried this with my brother. Apparently I can listen to his iMac audio
from my phone. This could mean an increase in the time to fix the bug.

------
z3t4
I guess when it's virtually impossible to get into contact with the developers
they will get their "bug reports" via the news.

------
wufufufu
They forgot to turn the NSA flag off in production

------
sgt
I wonder how many devices are affected. Just tested between two iPhones
running latest iOS and could not reproduce.

------
buraksarica
We noticed a similar bug many years ago on a GSM enabled PDA device. I cannot
recall the brand/model.

------
CodeSheikh
I feel like around three years ago Apple engineering changed QA leadership or
restructured org in that dept and the quality has been down. Prior to iOS 9, I
had barely noticed bugs. But now I am in that "used-to" mode that I have
learned to ignore such bugs or nuances.

------
gargalatas
Damn! And it was a feature they would disclose in the next apple event...

------
Mikeb85
Is it just me, or does it seem Apple can't secure their services as well as
Google?

There's always 'concerns' about Google spying, but no proof, meanwhile there's
been major hacks involving Apple that are quickly forgotten because the CEO
claims to be all about privacy.

~~~
alkibiades
the quantity of papers with major security flaws in android versus ios shows
you all you need to know. there is an endless stream of android ones but very
few ios ones

~~~
Mikeb85
Key word is services. iCloud had a very public hack, now this. What Google
services have been exploited?

------
gigatexal
They’ll fix it fast. People just love to crucify Apple for everything.

------
SamuelAdams
Are there any specific Faraday bags that folks recommend?

~~~
saagarjha
Why not just turn on airplane mode?

~~~
culturestate
If you don't trust the software in the first place, there's no real reason for
you to trust that airplane mode is actually effective.

~~~
saagarjha
If you can't trust the software at all, you might be better served with
turning your phone off :/

~~~
nkurz
Off may not be enough: [https://www.wired.com/2014/06/nsa-bug-iphone/](https://www.wired.com/2014/06/nsa-bug-iphone/)

Like SamuelAdams said, you might do better with a Faraday bag.

------
novaRom
This will always happen with non-open source software.

~~~
saagarjha
This also happens with open-source software too. It just takes a bit longer to
figure out what's going on with closed-source software.

------
wilkskyes
Should the engineers who were responsible for this be punished or retrained?

~~~
frou_dh
The more pertinent question in this kind of situation is to the
Lead/Architect. Namely, why have you created an environment in which quality
can slip like this, and what are you going to change?

------
titzer
Open. Source.

------
manicdee
Imagine, all this time Five Eyes actually had a way of breaching privacy and
they only started making noise about access enablement recently because they
knew someone was going to report the vulnerability to Apple.

------
heyjudy
NSA calling, please pick up. ;)

------
ziont
once i had to talk to my boss i didn't really like

this explains it.

------
giardini
Looks like iPhone spyware. I doubt that FaceTime is the first use of this
"bug"!

------
hema_n
I am unaware of this problem..as I am an android user.

~~~
rootusrootus
Yeah, with the long list of things you have to worry about, I wouldn't be
worried about an iPhone problem either.

------
baxtr
Seriously, I don’t think that this is so bad. Google advertised something
similar to this as a feature. Don’t get me wrong: it should be fixed. But the
shitstorm is way too big

------
ChucklesNorris
"Bug"? What came to my mind was "bugged."

Zuckerberg needs to answer more questions before Congress, this time under
oath.

------
qrbLPHiKpiux
Not for long. Will be patched in hours, I bet.

~~~
oil25
This would actually be a fun interview question - how to emergency patch 1B+
globally distributed mobile devices. I would say at least several days for the
obvious QA which needs to be done.

~~~
largehotcoffee
> I would say at least several days for the obvious QA which needs to be done.

And you would, unfortunately, not get the job.

~~~
bduerst
Well, there's probably a new position on the QA team opening up soon in any
case.

------
illwrks
My colleague and I experienced the same thing last week on his Samsung phone.
Another colleague was calling us to talk about a project, we were chatting
away and in the few seconds before the phone was 'answered' our colleague
heard what we were talking about.

------
LeoNatan25
This is due to the very poor QA efforts Apple has, coupled with junior
developers who lack a security-aware mindset. This is, sadly, the case with
most companies these days. Zero secure coding training, zero push for security
reviews, zero push for security QA, zero accountability.

~~~
saagarjha
> Zero secure coding training, zero push for security reviews, zero push for
> security QA, zero accountability.

What makes you think this?

~~~
LeoNatan25
The amount of bugs like this, specifically lock screen evasion bugs, but also
disk management bugs we've seen, etc. As I said, this is not specific to
Apple. The whole industry lacks security awareness, and because people don't
hold these companies accountable, there is little financial incentive to
change that.

~~~
saagarjha
Your specific claim was that Apple has "zero secure coding training, zero push
for security reviews, zero push for security QA, zero accountability"–this
isn't true at all. Sure, Apple's software has had some serious bugs in it, but
this does not mean that they have no security practices in place.

~~~
LeoNatan25
I am not speaking about dedicated security teams. What security training is
there for end-user app developers at Apple? From discussions with developers I
know, it doesn't seem to exist, or at least not spread everywhere.

~~~
saagarjha
Maybe it's not enough for your satisfaction, but there are resources available
for writing safe and secure code (I'm not sure if this is required, though),
as well as regular audits by the security team.

~~~
LeoNatan25
I come from a security background (6 years in a security firm), and I have
seen some pretty paranoid practices. I do not wish that to be prevalent. One
thing which I really did appreciate in that firm, and find very valuable, was
putting every developer and product person on a security awareness and secure
coding course, where basics are taught, but also an attempt is made to push a
security-first mindset.

I am now in a consumer-oriented company, and while I appreciate the much more
relaxed environment, I am often shocked at how no attention or thought is paid
to security. It baffles me that management, at the very least, has little care
for this stuff.

This is an industry-wide problem.

------
apple_pol_throw
I worry about Apple. Software quality has been dropping, but it's not Swift or
some other specific technology that's the problem. It's talent. The company
has had a hard time attracting very senior talent.

The difficulty is self-imposed and comes from leadership's strict policy of
not paying market wages at the high end. Multiple hiring managers at Apple
have complained to me that they've lost good people because the company just
won't match offers from the Googles and Facebooks of the world. Apple refuses
to acknowledge the reality of the market.

Given that Apple's most experienced people keep retiring and that Apple isn't
replacing them with equals, I expect software quality to continue to drop
until leadership decides to abandon its shortsighted comp restrictions.

[Posting from a throwaway for obvious reasons]

