Is Apple’s FaceTime bug a security wake-up call?


For many years now, one of the biggest arguments used by Apple fans in favour of the platform has been its security. Certainly when compared with Windows, the volume of malware and other issues aimed at macOS has traditionally been lower, and the company's much tighter grip on its mobile App Store, as opposed to Google's more open approach, has left it less susceptible to mobile malware.

But 'more secure' doesn't mean 'completely secure' and even if malware authors tend to focus their attention elsewhere, there will always be bugs and other vulnerabilities that can pose potential security issues. And that has been illustrated clearly this week, with the news of a flaw in the firm's FaceTime video chat app.

A way to eavesdrop

Announced on Monday (January 28th), the bug enables users who attempt to initiate a Group FaceTime call to receive audio – and in some cases video – from the other person before they pick up, and even briefly if the recipient declines the call.

This is triggered when someone tries to add a third person to a call already in progress and could therefore allow people to briefly eavesdrop on unsuspecting users. According to security experts, it was likely the result of design choices made during the development process that initiate the phone's mic and camera as soon as a call is placed, rather than when it is accepted, in order to improve the speed of the connection.

Apple's problems may also have been compounded by its response to the issue. It was revealed that the vulnerability had been discovered not by a professional security researcher, but by a 14-year-old boy in Arizona who had been trying to arrange a group chat to discuss Fortnite.

His mother explained to the Wall Street Journal how she had tried for over a week to contact Apple through the firm's customer service channels to inform them about the issue, but received no response, before a separate researcher found the same issue and publicised it on 9to5Mac.com.

The implications for Apple's privacy?

While some experts have suggested the bug is of limited value to hackers, as the connection is only live for a short time and there will be a full record of the call, it still marked a big blow to Apple's efforts to promote the privacy of its services. 

Indeed, just a couple of weeks ago, during this year's Consumer Electronics Show in Las Vegas, the firm unveiled a huge 13-storey billboard declaring "what happens on your iPhone, stays on your iPhone" with a link to its privacy page. This was a message many interpreted as a shot at the likes of Google and Amazon, which have faced scrutiny about how they share their users' data.

It also raises further questions about the safety and security of Apple's products as a whole. Patrick Wardle, the co-founder of Digita Security, which focuses on Apple-related security, told the New York Times that it is concerning that such a bug would have made it through Apple's supposedly rigid quality assurance assessments.

He said: "If these kinds of bugs are slipping through, you have to wonder if there are other problematic bugs that other hackers are exploiting that should have been caught." He added that this is the type of bug that ought to have been spotted in development, and "where there’s smoke, there’s almost always fire".