Severity of FaceTime Bug Depends on Threat Model

Make no mistake, the latest privacy bug in Apple’s FaceTime service is a serious issue, but the actual impact on a specific individual will vary. For some, it will be a little embarrassing. For others, it could compromise physical safety or cause financial harm.

As first reported by 9to5mac, a bug in FaceTime lets someone place a FaceTime call and, while waiting for the recipient to pick up, use the recipient’s microphone to listen to what’s happening around that person. The nature of the bug means that the microphone is “hot,” or active, while the call is ringing, and the caller can eavesdrop until the recipient accepts or rejects the call. If the recipient hits the Power button to reject or ignore the call, the caller also gets to see the video feed from the front-facing camera.

It is alarmingly easy to trigger the bug (turn a regular FaceTime call into a group call by adding the caller as a second participant), and there is no way for the recipient to know about the eavesdropping. While Apple is working on a software fix, the company clearly felt the issue was bad enough that it disabled the Group FaceTime feature entirely so that people can’t trigger the bug.

The issue exists on iOS devices running 12.1 and 12.2, and on at least macOS Mojave.

Sounds Super Bad

As software bugs go, this is a real privacy misstep since it exposes users to potential eavesdroppers. But it’s worth noting that for many people, the eavesdropping is more of a nuisance.

It all depends on the threat model.

If a teacher gets a FaceTime call while teaching, the caller is going to hear a snippet of what’s happening in the classroom. The teacher may well be unable to step over and explicitly reject the call, and would simply let it ring. The teacher will know someone called, but not that the caller heard anything.

Someone decides to prank a friend and listen in while the friend is on a date, or with family, or is just singing and rocking out in his or her room. That could result in teasing or, in the most extreme case, bullying.

It’s one thing if the person knows there’s a call coming in and quickly acts to answer (or reject) it. But if the person doesn’t notice the incoming call because the phone is in a bag or out of reach, there is no way to limit how long the microphone stays on.

For many people, this kind of a situation would be disturbing, potentially embarrassing, and maybe hurtful, but not catastrophic. But that doesn’t mean this problem has been overhyped or blown out of proportion.

Don’t Dismiss It

This is exactly the kind of situation that could be abused by jealous partners or obsessive stalkers trying to keep tabs on a person’s whereabouts. A jealous partner can act—punish—based on what they overheard when making the call. It becomes a question of physical safety.

A lawyer working on a sensitive merger or a CEO in an important board meeting could be affected if a FaceTime call comes in during a particularly sensitive discussion.

A person at a doctor’s appointment or a medical procedure could have sensitive healthcare information exposed if a FaceTime call comes in at the wrong moment. That information could be misused by an unscrupulous employer, or used against the patient in a blackmail scheme.

This wouldn’t be the first time technology has been used to eavesdrop on sensitive meetings, which is why there are some situations where participants aren’t allowed to bring electronics into the room. It’s a fact of modern life that when there are so many devices containing microphones and cameras—phones, tablets, TVs, computers—there are potentially more situations where the devices can be used for eavesdropping and surveillance. But that doesn’t mean that devices should be left in a basket outside the room every time people get together to talk about work.

“In other words, if the person you’ve called picks up their phone, hits the Power button, sees it’s you, grimaces, and announces to the room, ‘Oh heck, it’s Captain Annoying calling—I’m not ready to tell him the deal is off just yet,’ and hits the Decline option...you’ve just found out more than you probably ever would or could have discovered if they’d actually answered the phone immediately and told you they couldn’t talk right now,” Paul Ducklin, a senior security advisor and “proselytizer” at Sophos, wrote on Naked Security.

What’s the Threat Model?

It can be difficult to sift through vulnerability warnings and software issues to figure out which ones to prioritize. Just because an issue is bad doesn’t mean it will be catastrophic across the board. Consider the threat model—would this bug lead to a physical safety issue or a socially uncomfortable situation?

Apple has tried to set itself apart from rivals like Google and Facebook by emphasizing all the things it has done to preserve user privacy. However, this is the second privacy issue with the relatively new Group FaceTime feature—in November, it turned out it was possible to bypass the lockscreen to gain access to contacts saved on the device. While each of these missteps is small, they slowly add up and erode trust.

There’s not much iOS and Mac users can do until Apple releases the software update, but the good news is that because Group FaceTime is disabled, no one can abuse the bug in the meantime, either. When the update lands, update iOS devices and Macs. If applying the software fix is going to be delayed, at least disable FaceTime until then.

“iPhone users. Turn off FaceTime until Apple issues a patch for iOS and you install it. Claims of major privacy issue discovered. Go to settings. Scroll down to FaceTime (green icon with camera) and switch off,” Rob Joyce, the senior adviser for cybersecurity strategy at the National Security Agency, wrote on Twitter.