Apple disables Walkie Talkie app due to eavesdropping vulnerability (techcrunch.com)
208 points by chillaxtian 11 days ago | 66 comments

I've found that it's pretty easy to get people to inadvertently accept FaceTime calls if you continuously spam them. (I was on the receiving end of this attack.) Here's how it works.

1- It's very easy and instantaneous to redial someone on FaceTime if they decline your call. You can just spam the call button and the target will get a continuous ring, basically.

2- Even if they turn on Do Not Disturb, many people have "Repeated Calls" enabled, which lets repeat FaceTime calls break through Do Not Disturb. Neat!

3- Now they are frustrated and want to throw their phone in a bucket of water to shut it up. The only way to block you is now to get your "info" in the recent callers list, scroll down and hit the "Block this caller" option. However the constant stream of incoming FaceTime calls takes over the UI every couple seconds.

As they fiddle with their phone trying to navigate to your info and/or hit decline, eventually they inadvertently hit accept, and you see their face.

Absolutely. There needs to be a block this user right on the accept/cancel screen. Apple also needs to track who is doing this and repeat offenders lose access to FT in general or that iTunes account.

I really don't understand why calls and texts don't have a default mode to only ring or pass through if they are from a contact. Depending on the government to prevent robo calling seems foolish. We need technology built into the device.

They also need to change it so that an incoming call doesn’t take over the entire screen of your phone. I could be doing something on my phone like typing this comment and next thing I know, I’ve answered a call.

This is still the stupidest thing having moved from Android to iOS. Why would anybody want incoming calls to block the entire UI?

Because it is a telephone first and portable computer second.

Except that it’s not...not anymore. It’s primarily a computer that can take phone calls. How many people are still taking phone calls instead of texting, messaging, emailing, or connecting in other ways via social networks? How long is the Phone app used compared to Safari on your phone’s battery settings? For how many people is Phone at the bottom of that list? On mine it is.

Finally, your point is still completely irrelevant to why it needs to take over the entirety of the screen. It could still primarily be a phone without being intrusive when you’re doing “secondary” tasks.

But when I'm using it as a portable computer, the portable computer paradigm should prevail, which is what happens on Android: if my screen was off, I get a full-screen notification to swipe up on. If my screen was on, I get a notification at the top of the screen with buttons to accept or decline.

I'd bet money that by average customer use, the classic telephony functionality of iOS phones accounts for less than 1% of phone usage. They're used as computers first, second, and third and as a phone a distant last.

Says who?

iOS 13 adds this for phone calls: https://www.macrumors.com/2019/06/06/ios-13-silence-unknown-...

Don't know about FaceTime, it's not mentioned so I'm guessing no change on that front.

This is a nice option but a totally different problem. It basically turns incoming calls from strangers into texts. It's for the "millennial" phone user that rarely takes calls and then only from friends. Wouldn't work with FaceTime since there is no mailbox for FaceTime (might be cool if there were though...)

No, the problem here is much simpler. iOS has features for Do Not Disturb as well as blocking spammy callers which both should help here. The problem is they just aren't implemented quite right for this scenario.

> There needs to be a block this user right on the accept/cancel screen

Personally I hope I don't end up blocking a family member or someone else important because my phone is slipping around in my pocket when they happen to call.

Exactly. iOS does something like this with notifications where it added a super easy button right next to them on the lock screen for silencing / delivering them quietly. You just swipe left. Neat, right?

Except I accidentally hit it on an iMessage notification somehow without realizing and silenced all messages for a couple days without realizing it. Missed an important one too. Was kind of hard to undo that too.

It’s a tough UI problem.

I’m pretty sure the proximity sensor activates as soon as the call comes in, so the screen would be disabled until you take it out of your pocket.

You seem pretty confident that this will work as opposed to occasionally falling into the wrong state and, a rare instance multiplied by a large number of uses, happening to somebody.

Somehow, despite this, pocket dialing still happens.

For me the most annoying bit is how it’s impossible to do any action other than accepting or declining the call on the iPhone. It’s basically a phone DOS.

This happens to me on Android as well and it has always been like this. Would love to know why a phone call needs to block all other actions except accept/reject a call.

Huh. What manufacturer? When unlocked, stock Android has had incoming calls as a notification rather than whole screen for years.

When screen is locked it is probably still full screen.

Many crap reskins (Samsung, Xiaomi, Huawei) break the ability to hide call notifications. It's absolutely awful.

This is one of the problems of Android's model. By being so open to customization, any branch's weirdness gets mixed in with "Android", because there are too many variations and not enough linguistic ability to name them all clearly and consistently in conversation.

If I'm getting a call while using my Pixel, I just get a notification with quick-action button for accept, deny, and screen.

To be fair, the device is nominally a telephone with a few extra bells and whistles.

I didn't pay $1000 for a "telephone with a few extra bells and whistles"

Airplane mode in quick action bar to the rescue!

Are you doing this to your friends or strangers? The attack requires plenty of effort and an Apple iCloud account so not the easiest thing to scale.

Still bad if it doesn't scale. The people who are going to want a quick peek at camera are stalkers, political opponents (get a view of compromising activities or visitors), drug dealer conflict retribution (get location), etc.

Couldn't you just put the phone into Airplane Mode while you block the caller? This would be my first action.

People who pay the Apple tax don't accept "couldn't you just" as a reasonable solution.

• Go into Airplane mode.

• Tweak whatever settings you need (like disabling DND Repeated Calls) to let you block that person.

Even worse, FaceTime calls get routed to your desktop so as you're typing a message or an email, you can easily hit enter or spacebar to accept it accidentally.

there's a block caller option in the contact area/recently called, someone did this to me before and it wasn't frequent enough to prevent me using the phone.

Even if it was, enable airplane mode, block caller, then disable airplane mode.

Just wrap your phone into some tinfoil and it's over ;-)

Luckily that feature was built in on the iPhone 4 ;)


I have to say, I think it's great that Apple doesn't try to do damage control on their reputation, but instead does damage control toward the customer. They could've kept the service working, created a fix and silently pushed it, but they didn't.

It’s kind of sad that we live in a world where this behaviour is considered exceptional and something to be applauded, instead of being the normal way to do business, thanks to both morals and regulations with huge fines to control those who lack morals.

Yeah, I fully agree. This was in the back of my mind while writing the previous comment too. It's also why I think it's important to acknowledge it, since that might help people become aware that we're not doing things right.

Only slightly related, but as a lead developer I've had some business people get angry, because I refused to build features that violated customer privacy (and GDPR). It's not just the business that should be responsible, it's IT too, but we tend to use business demands as an excuse (see: Facebook).

I’d like to add that job safety and the home that needs money brought to it are also used as an excuse. People need to feel safer that they can act upon their morals and overcome whatever consequences arise. Friendships and family ties are one important ingredient for that. Sensible frugality another.

Definitely true. I ended up quitting and moving to another job because of unreasonable demands like this. I do imagine though, that in SV, where data is considered the new gold, it must be a lot harder to find jobs at ethical companies.

I’m actually skeptical about data being the new gold. Even if it is true now and we ignore the ethical implications, I don’t think it’ll remain gold in the long term. People have a limited attention span & wallet. There’s only so much advertising they can consume, anything after is worthless. Overall, anyone cashing in on data is diluting the pool for themselves & everyone else until there’s so much that the entire market is no longer sustainable.

The other issue is that there are 2 very strong competitors (Google & Facebook) that I’m not sure it’s wise to start a new company based solely on data/analytics/advertising.

> Only slightly related, but as a lead developer I've had some business people get angry, because I refused to build features that violated customer privacy (and GDPR).

I wrote a feedback mechanism in an Android application that we made at work. There's a space for users to write their feedback, but of course we collect other information about their system and what they've done in our application. In the feedback dialog, I implemented an expandy thing that shows you all of the data that will be sent, and even has a checkbox next to each line item so the user can choose not to send that data. I showed my boss and he was like, "wow, that's transparent of you" and was blown away by the checkbox feature. Meanwhile I considered it really impolite to do otherwise.

That's pretty awesome. And great that your boss thought this was a good idea too.

Behold the power of making a product for users instead of advertisers.

This is how they justify the existence of the App Store.

Can you expand on this? The App Store isn't really involved in this case: it's a first-party app, for one thing. It was also disabled by turning off the backend, which is something that any developer could do to their own app.

The Zoom thing has more to do with Apple as gatekeeper: they pushed an update to the OS that disallowed Zoom's web server from running.

"It turned out that the teen who discovered the bug, Grant Thompson, had attempted to contact Apple about the issue but was unable to get a response."

Good they fixed this. Too often security vulnerabilities remain unaddressed; I think that was the case with the Marriott hotels data leak, the staff knew for quite some time that there were privacy troubles. Now they're being fined for not taking action.

Remember this idea: how weird it is that everybody runs around with spying equipment, you have an always-online device with multiple cameras and microphones. I think people would be uncomfortable knowing that someone was listening or recording video without their knowledge, that's why people put stickers on their laptop cameras. I think it's obvious by now that manufacturers aren't capable of developing software that keeps the cameras/microphones secured. In the future we can just assume that any camera/mic in any phone is recording at any given moment and sending it to some malicious entity. Since there is no practical way of disabling the cameras/mics on phones, we just have to learn to live with it.

I prefer this verge link https://www.theverge.com/2019/7/11/20689983/apple-watch-walk...

as techcrunch privacy settings are yahoo driven and I was never able to manage them - not sure they really give you an option

The EU should fine that company out of existence. Yahoo/Oath/whatever they’re called now is cancer.

The Verge doesn’t give me, in the UK, any options to control my level of cookie acceptance. They offer me two policies to read and an accept button.

At least they don’t redirect the page so you can block the overlay with an ad blocker and be done.

Not saying this is OK (and definitely not compliant with the GDPR) but still slightly better.

TC's webdevs have been forced to put up that crap, but to their credit their site works very well without JS, so you can just block it wholesale. I still wouldn't share their links, though.

With Safari/iOS, all I see when I click your link is a full screen GDPR cookie notice with truncated text (the start is missing), that can only be dismissed by accepting tracking.

Thanks for the alternate link.

In general I think HN should consider just banning TechCrunch links verbatim. That would lead to people actually submitting stories from sites which respect people’s privacy instead, and everyone wins.

what privacy setting? i never get that popup.

techcrunch is ok imo.

the verge on the other hand won’t load for 3 seconds if i have an ad-blocker turned on. so i stopped visiting it since their ads are 90s level of terrible.

This is all you see when clicking techcrunch articles:


If you "manage" your settings to block everything it'll just be back next time.

As a consequence, I haven't read a techcrunch article since June 2018.

Interesting, I have never seen that and even tried in an Incognito tab and with Safari which I don't use regularly.

I'm guessing you're not in the EU then? I see this everywhere.

I don't know, I use an old browser with javascript disabled, and I seem to read techcrunch articles just fine.

techcrunch is using oauth, one of the absolute worst offenders.

They should be banned from hn altogether.

I assume you're referring to the media company 'oath'[1] not the auth framework 'oauth'[2]?

[1]: https://www.oath.com/
[2]: https://oauth.net/

My bad, I've read it incorrectly. It's Oath.

Nitpick: they aren't using OAuth, they are owned by Oath (now Verizon Media).

I have a series two Apple Watch and while the app shows up I was unable to get it to work back when I tried. I didn’t care that much so I just tried a couple times and gave up.

Don’t know why you’re being downvoted. I tried to make it work with my friends and for some reason, I could never get it to set up.

Don’t know why you’re being downvoted.

Were I to guess, the original comment is at best peripherally related to the topic at hand ("the app", I'll assume, refers to the Walkie-Talkie app). IOW, it doesn't contribute much.

Also: apple mail is so horrendously broken, any multipart email is likely to fall apart and attachments get chopped off or corrupted every other email.
