Apple Says It Will Fix The FaceTime Bug That Allows You To Access Someone's iPhone Camera And Microphone Before They Pick Up (buzzfeednews.com)
Apple said Friday morning that it had a fix for a bug discovered in Apple's video and audio chat service FaceTime this week, which had allowed callers to access the microphone and front-facing video camera of the person they were calling, even if that person hadn't picked up. The security issue is fixed on its servers, the company said, but the iPhone software update to re-enable the feature for users won't be rolled out until next week. From a report: "We have fixed the Group FaceTime security bug on Apple's servers and we will issue a software update to re-enable the feature for users next week," Apple said in an emailed statement to BuzzFeed News. "We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone's patience as we complete this process."
Re: (Score:2)
Both candidates knew the rules of the games before they played, so fair is fair and like it or not, Trump won fairly.
What? No he didn't. Even if Trump didn't know about it (which is unlikely, but let's posit) his campaign definitely colluded with Russia to manipulate the election illegally. There's nothing fair about that.
Re: (Score:2)
Oh, how the mighty have fallen.
I don't know... I get most of my tech news from websites built on the readership of angry vegan teenage lesbians.
Thanks Apple! (Score:3)
-SuperKendall
Is anyone really that surprised? (Score:5, Interesting)
Sure it is a big deal security lapse from Apple. So they received/found the problem, analyzed the scope of it, stopped the service, sent out communication about the problem. Now they are applying a fix.
It seems like a responsible course of action.
I am sure people who hate Apple, because they were beaten up by a hipster a few years ago, will still fault Apple, and make them seem like a pile of idiots who cannot code themselves out of a paper bag. But these things happen, I am actually surprised it doesn't happen more often.
I am sure all you programmers out there who are smug that their code never got hacked. But is it really skill, or just being lucky, or your program isn't just that popular enough. It can often just be a bad day where your code has a security flaw in it, and coded so it would be difficult for the QC to find it. However within weeks of it being public it was found as a problem. I myself never had my code hacked, however this isn't a reason to pat myself on the back, or be smug and judgemental, as I have fixed things in my own code that could have been bad if I didn't catch it. And I never know what else I may have open.
Re:Is anyone really that surprised? (Score:4, Insightful)
Re: (Score:2)
And what then? You expect to be blackmailed or fired for filling a toilet?
LOL..
Personally, this is much ado about nothing.. The calls would be logged on your device and be limited to about 20 seconds max... However, if one thinks it's a huge risk, then I would ask if you think it's wise to carry a cell phone at all? IF this kind of recording represents a serious security problem for your personal or professional life, you might want to turn off the cell phone and keep it locked in a faraday cage when do
Re: (Score:2)
Any other time when my phone is on my person, I'm going to know when somebody tries a face time call.
You never put your phone on silent? Say, in an important meeting so you are uninterrupted? I mean, there are other times one might not want to be interrupted nor eavesdropped...
Re: (Score:2)
It may sound unrealistic, but no, I actually do not have my phone on my person most of the time during the business day. I generally set it to forward voice calls to my office phone and power it off. I don't like the distractions it presents.
Also, the only time outside business hours when my phone could ring w/o me knowing it is when I'm asleep as it's on the night stand, on silent being charged. At all other times it's either set to ring, or if on silent it's in my pocket on vibrate.
So, for me, it's no
Re:Is anyone really that surprised? (Score:4, Interesting)
Congratulations, you are a small minority who couldn't be affected significantly by the bug. Now is the time for you to use your imagination and recognize that you are a small minority in that regard.
Re: (Score:1)
Really? You have seriously personal discussions within earshot of your phone, but where you'd not know somebody was trying to face time you? AND that 10-20 seconds of this illicit eavesdropping is enough to drastically compromise your business or personal life?
IF all that's true, then I'd strongly recommend you consider just not carrying a cell phone anyway... The risks are obviously too great. Best leave it turned off, or even locked in a faraday cage too if you think this is too risky for you.
Re: (Score:2)
Personally, I don't own an iDevice, so no facetime. But I do have enough imagination to realize that there are people besides me in the world and their circumstances may be different.
Re: (Score:3)
I can't speak for everyone. But I hate Apple because they take away your freedom of choice and expression, under the guise of trendiness and security.. In the early
Re: Is anyone really that surprised? (Score:2)
The only alternative is a giant shady organisation monitoring everything you do online. Not at all Orwellian.
Re: (Score:2)
Mod parent up!
Re: (Score:2)
I am sure all you programmers out there who are smug that their code never got hacked. But is it really skill, or just being lucky, or your program isn't just that popular enough.
I have no opinion of what the bug says about Apple. But, just to clarify here, this was not a case of their product being "hacked." All that was required to exploit it was to dial somebody and, while ringing, add them to an existing group conversation (or something similar).
Re: (Score:2)
A responsible course of action would be to fix the bug by making the client wait for the called party to answer before making the microphone and camera hot no matter what the server says.
Apple says they fixed this on the server. That is, the client still makes the mic hot before you answer, it's just that the server doesn't relay it. No app should transmit your microphone or camera without some affirmative action from you commanding or permitting it. Anything else is irresponsible.
Owning the hardware (Score:4, Insightful)
You're under the false impression that the user owns the phone; the actual owner (Apple) can choose to do with it as it wants, including letting their servers decide when your sensors are active.
They do own the phone. The hardware is theirs and Apple cannot get it back. The SERVICES and software the phone uses are not owned by the user. They license or subscribe to those and whatever terms come with them. Yes, these are necessary for the device to be useful but that is a separate discussion from who owns the hardware. This is yet another example of why Apple is a software company, not a hardware company. The hardware is just the pretty box through which they sell their software and services.
Re: (Score:3)
Well, the application already has permission to activate the camera and microphone, otherwise the "server" wouldn't have the ability to cause them to be activated.
So this isn't the fault of the phone or the server. Nor is it the fault of Apple's security model. It's the fault of the face time app. The face time app should never enable the microphone or camera until the user answers the call, regardless of what the server does.
Re: (Score:2)
So this isn't the fault of the phone or the server. Nor is it the fault of Apple's security model. It's the fault of the face time app. The face time app should never enable the microphone or camera until the user answers the call, regardless of what the server does.
Chances are that this is something silly, like incorrectly assuming that a group connection request is a new person being added by someone in the group already, who therefore should be connected immediately, while failing to check if the group is actually connected yet.
Still, this makes me seriously question whether Apple’s aggressive push to hire so many junior employees straight out of college is having a major negative impact on their code quality. After all, this required two different teams to w
Re: (Score:2)
As complex as these applications are and with as many hands involved in development of them, I find it encouraging that they have so few serious bugs..
Where I get that such things shouldn't make it into prime time, the reality is that any large complex development project with as many moving parts as this application has, it's *really* hard to always catch all these things. Hiring inexperienced engineers may be an issue, but even hiring developers with 30 years of development experience in ultra-secure env
Re: (Score:2)
I don't. I find it suspicious. When something this serious and easily discoverable (not by hackers, but by end users) makes it out into a released product, I assume that it is just the tip of the iceberg. How many more serious security problems just haven't been discovered yet? And how many of them have been found and are being secretly exploited by groups
Re: On The Servers... (Score:1)
QC needs some help (Score:1)
Do they collect? (Score:3)
"We thank the Thompson family for reporting the bug."
From all the billions [of dollars] in profit Apple makes, I wonder whether this family will collect. Anyone know?
That mere "thank you" message from Apple is anemic in my opinion.
Re: (Score:3)
Collect what? They would have to prove harm in a lawsuit.
Collect a reward in form of cold hard cash.
Apple can surely afford this with zero palpable hit to their bottom line. No need for a lawsuit.
I also think it'd be good publicity if they did pay up something, no?
It's not a bug (Score:5, Funny)
What do they want, a cookie? (Score:2)
DO NOT USE (Score:2)
The report on the "fix" reveals a fundamental design flaw. They say they fixed the issue ON THE SERVER.
That means the CLIENT on the phone is expected by design to start sending audio and video as soon as a call comes in (before you answer).
If it was anything like properly designed, the client would never under any circumstances transmit from the mic or the camera unless and until the called party chooses to answer.
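An added illustration of the design the comment above argues for (not Apple's code and not written by anyone in this thread): a callee-side call state machine in which only a local accept can start capture, next to a server-trusting variant for contrast. The class, the message types (`invite`, `group_join`, `start_media`, `hangup`) and the event sequence are all constructed for the example.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()
    RINGING = auto()
    CONNECTED = auto()

class CallClient:
    """Hypothetical callee-side client; message names are constructed."""
    def __init__(self, trust_server=False):
        self.state = State.IDLE
        self.trust_server = trust_server  # True models the design criticised above
        self.capturing = False            # is the mic/camera live?
        self.refused = []                 # server requests denied, kept for audit

    def on_server_message(self, msg):
        kind = msg["type"]
        if kind == "invite" and self.state is State.IDLE:
            self.state = State.RINGING
        elif kind in ("group_join", "start_media"):
            if self.trust_server and self.state is State.RINGING:
                # Flawed: the server's view of the call counts as consent.
                self.state, self.capturing = State.CONNECTED, True
            elif self.state is not State.CONNECTED:
                # Hardened: record the request, never start capture from it.
                self.refused.append((self.state.name, kind))
        elif kind == "hangup":
            self.state, self.capturing = State.IDLE, False

    def on_user_accept(self):
        # The only path to live capture in the hardened client: a local UI action.
        if self.state is State.RINGING:
            self.state, self.capturing = State.CONNECTED, True

def replay(client, events):
    """Feed (source, payload) events; return the capture flag after each one."""
    trace = []
    for source, payload in events:
        if source == "server":
            client.on_server_message(payload)
        elif payload == "accept":
            client.on_user_accept()
        trace.append(client.capturing)
    return trace

# Constructed event sequence: the call rings and is never answered locally.
UNANSWERED = [("server", {"type": "invite"}), ("server", {"type": "group_join"})]

if __name__ == "__main__":
    print("server-trusting:", replay(CallClient(trust_server=True), UNANSWERED))
    print("consent-gated:  ", replay(CallClient(), UNANSWERED))
```

The `refused` list is the part worth keeping in a real client: a server asking for media before the user has answered is a signal worth logging, not just dropping.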
Re: (Score:2)
The transfer would still be the server telling a client device to make the mike and camera hot. In that case, the client should more or less park the call until the user affirmatively presses a button in the app ON the receiving client device before it makes mike and camera hot. End of story. There should be no way for the server to make the mic hot for any reason.
Further, the bug demonstrated was a bit different. I call you, then I add someone else to the call and your mike goes hot even if you don't answe
Re: (Score:2)
Important point - thanks.
Really? (Score:2)
So a patch for iOS7 for my iPhone 4 will be available soon?