iPhone FaceTime Vulnerability

This is kind of a crazy iPhone vulnerability: it's possible to call someone on FaceTime and listen on their microphone -- and see from their camera -- before they accept the call.

This is definitely an embarrassment, and Apple was right to disable Group FaceTime until it's fixed. But it's hard to imagine how an adversary can operationalize this in any useful way.

New York governor Andrew M. Cuomo wrote: "The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk." Kinda, I guess.

EDITED TO ADD (1/30): This bug/vulnerability was first discovered by a 14-year-old, whose mother tried to alert Apple with no success.

Posted on January 29, 2019 at 1:12 PM • 19 Comments

Comments

Rob • January 29, 2019 1:36 PM

"But it's hard to imagine how an adversary can operationalize this in any useful way."

It was trivial to think of one.

Try to facetime Trump. With all the opsec around his iPhone, you'll get a bug in the White House for a good long time.

Chuckb • January 29, 2019 2:56 PM

Politicians as ignorant about the details of technology as the one making the reported assessment put everyone at risk.

VinnyG • January 29, 2019 3:04 PM

Farfetched, but if you wanted to know what was discussed at a meeting at your workplace (suppose layoffs were rumoured to be on the agenda,) and knew that a participant had an iPhone that was always on "silent" in meetings, you might be able to repeatedly initiate a FT request, and possibly hear something useful. That might hinge on how long before an iPhone times out when unanswered (probably a user option.) If I was a typical iPhone user, I think I'd be more concerned about what this kind of vulnerability says about Apple's software development and QA than this specific behavior.

Gerard van Vooren • January 29, 2019 3:35 PM

This is an exceptional well example of Anglo-saxing programming.

And it made me laugh out, hard.

Alyer Babtu • January 29, 2019 4:00 PM

A timely reminder that especially with software in the picture, the phase space of the physical device and the phase space of the user interface may not be related as one would expect, and this either by accident or on purpose (or both).

Tõnis • January 29, 2019 4:35 PM

Nice! I use BBM (BlackBerry) video calling. I prefer a company with a better track record when it comes to security.

D • January 29, 2019 5:02 PM

Everyone acting like this was an accident

And this from the Apple that claimed to be in a public feud with the USG in the interests of users' privacy

Emma • January 30, 2019 7:54 AM

It's interesting that this bug is related to auto-accepting a third party to an encrypted call. Especially given that is exactly the proposed method to backdoor encrypted communication without having to break encryption itself.

I'd love to see a video of it in action and see if that sheds any additional light on how it works. It's at least a remote possibility that this is an implementation bug of a forced backdoor mechanism.

Humdee • January 30, 2019 11:50 AM

"I think I'd be more concerned about what this kind of vulnerability says about Apple's software development and QA than this specific behavior."

This is the real story and it should have been the focus of Bruce's post.

FTA,
"...failing and faxing Apple’s security team, and posting to Twitter and Facebook. On Friday, Apple’s product security team encouraged Ms. Thompson, a lawyer, to set up a developer account to send a formal bug report."

That is not only wrong, it is unconscionable. If that report is true I would fire everyone involved. It is putting formal process and procedure ahead of substantive results, the worst kind of bureaucratic group think. Everyone on this blog likes to toss shit at the TSA but I cannot imagine a TSA agent saying, "well yes I know you overheard someone talking about a bomb on this very flight but you have to go over to Counter A and fill out form SS-BB21 to file a report." If we don't spare the government when it pulls this bullshit why should a corporation get any slack whatsoever?

Alfredo • January 30, 2019 1:15 PM

If your environment is highly Mac based and your end users aren't enforced to use normal mediums such as Zoom or Skype, then there may be some concern in this vulnerability being leveraged from a blue team perspective towards sensitive teams controlling IP and other crown jewels.

The risk posed is little... but any vulnerability management team should be committed towards assuring updates are being enforced.

Clive Robinson • January 30, 2019 2:04 PM

@ Bruce,

"But it's hard to imagine how an adversary can operationalize this in any useful way."

How about imagining an "insider" attacking their employer?

Not being an Apple purchaser for four decades or so, I'm a little out of direct contact with their products.

If however what has been said by others on the Internet is true you could arrange for someone to dial in on your phone, you don't answer it but say something important (think insider trading tip) in the 20-80 second ring window to a colleague. As such a phone call has not been made so won't show up on logs.

But this is not the first time something like this has happened though. Several years ago a European phone provider arranged for the user's phone to generate a personalized "calling tone". So when your phone was called, the person calling you got not the standard "brrr brrr" calling tone as used to be generated by their local exchange, but whatever you had set your phone up to play...

Yes there were a couple of bugs, mainly it was that the calling party got silence as the phone user had not set it up correctly, but apparently also audio from the mobile phone end was heard in with the mobile's actual ring tone on occasion.

Tatütata • January 30, 2019 4:14 PM

Ambulance, meet chaser:

Madison Malone Kircher, NY Magazine, 30 January 2019, Apple Sued After FaceTime Bug Reportedly Let Someone Eavesdrop on Testimony

The article quotes CNBC verbatim:

His lawsuit, filed Monday in Harris County, Texas, alleges that Apple “failed to exercise reasonable care” and that Apple “knew, or should have known, that its Product would cause unsolicited privacy breaches and eavesdropping.” It alleged Apple did not adequately test its software and that Apple was “aware there was a high probability at least some consumers would suffer harm.” The suit says that Williams was “undergoing a private deposition with a client when this defective product breached allowed for the recording” of the conversation.

The rotten Apple bug (in the sense of a programming error) sounds like how some bugs (in the sense of a spying device) worked in the old analogue telephone network, with listening devices mounted in the set which were switched on the line after the victim rang off after receiving an alleged wrong number call. I think it was called the "infinity microphone", but can't find anything relevant under that name.

It was also possible in many electromechanical systems to communicate between parties between rings using an AC-coupled connection, as the line was switched through during call setup.

bttb • January 30, 2019 6:12 PM

OT, but from https://www.reuters.com/investigates/special-report/usa-spying-karma/ :

"The Karma Hack
UAE used cyber super-weapon to spy on iPhone of foes

A team of former U.S. government intelligence operatives working for the United Arab Emirates hacked into the iPhones of activists, diplomats and rival foreign leaders with the help of a sophisticated spying tool called Karma, in a campaign that shows how potent cyber-weapons are proliferating beyond the world’s superpowers and into the hands of smaller nations..."

GCHQ? • January 31, 2019 2:01 AM

Might be part of the GCHQ requested backdoor?
Adding someone to the conversation, allows eavesdropping?

VinnyG • January 31, 2019 5:40 PM

@Tatutata re: lawsuit - Thanks for the link. I've been wanting to read about the actual allegations made in the civil litigation, rather than headlines written by the intellectually impaired. The bug is, of course, a bad thing, and Apple's bureaucratic (non) response was FAR worse. However, that lawsuit is a steaming, stinking pile of horse-processed alfalfa, and a reminder to me of why there once was a political entity in the US called the "Kill All Lawyers Party" (complete with candidates officially named on ballots.) Contrary to what many headlines claimed, and several reporters stated or implied, there is no allegation in that suit that anyone (foe or friend) actually eavesdropped on Williams (much less any privileged conversation between Williams and a client) by means of this bug, only that Apple "allowed" it (in the sense of creating the potential for such an occurrence to take place.) The suit alleges "pain and suffering," "emotional trauma," and past and future impairment of Williams' ability to practice his profession. Seriously? IMO this guy is just trolling for Apple to toss a settlement offer in his direction by filing a true nuisance lawsuit. Apple might deserve to lose the money, but (again imo) this creep doesn't deserve to receive it. Civil lawsuits are intended for the recovery of enumerable and articulable damages. This episode of "Filing For Dollars" doesn't even come close to qualifying...
Larry D. Williams v Apple Inc & Doe:
https://www.courthousenews.com/wp-content/uploads/2019/01/FaceTime.pdf

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.