A "purple eye" for Apple: the FaceTime bug shakes faith in iPhone security | Technology


It was the wildest of the prognostics of a tin-plate conspiratorial theorist who came true: the trustworthy and beloved iPhones that accompany users to work, to bed and even to the bathroom suddenly transformed into a device of espionage for all purposes, transmitting audio and video to anyone with your phone number or email.

"This is the nightmare scenario," said Marcus Carey, a cyber security expert and author of Tribe of Hackers. "It stirs up fears of privacy, because that's the same scenario most people fear from the US government and other regimes."

The bug, which was released on Monday, broadcast audio (and, in certain circumstances, video) to a caller, even though the recipient did not accept the call. It was triggered when the initial caller added a third party to a FaceTime call. Although Apple has not yet issued a software patch, the company has disabled FaceTime group chat, preventing users from further exploiting the bug.

But the big flaw in FaceTime has raised concerns about Apple's security practices, just as the company reports disappointing financial results. And reports that a teenager and his mother spent days trying to warn Apple about the problem also raised questions about the company's procedures for receiving reports of vulnerabilities.

Michele Thompson, an Arizona lawyer whose identity was confirmed by the Wall Street Journal, began posting about her son's discovery on Facebook and Twitter on Jan. 20 – eight days before Apple took action.

"My son just found a major flaw in Apple's new iOS, which lets you hear someone else in the vicinity of your iPhone or iPad," Thompson wrote on Facebook. "We have just sent the bug report to Apple and we are waiting to receive a response. We do not provide the details because it's a great security risk, but it's unbelievable that my 14-year-old daughter realized that. "

Thompson made several attempts to warn Apple about the problem, first through social media and then through the company's customer service system, according to the Journal. She eventually went so far as to register as a developer to submit a report through Apple's bug bounty program.

Katie Moussouris, founder of Microsoft's bug bounty program and CEO of Luta Security, said the problem for Apple is not that it did not act fast enough to fix the bug but failed to manage Thompson's expectations about speed with which a bug can be fixed.

"You'd better not hurry," Moussouris said. "You have to do in-depth investigations or else you may have unintended consequences. You do not want people to issue patches that no one trusts or break other things. "

For Apple, the best scenario would be to keep the existence of the vulnerability confidential until the patch was tested and ready, Moussouris explained, a process that could take 30 to 60 days.

"You have to make this balance between meticulousness and time, and in this circumstance there have been misunderstandings that are understandable and an opportunity missed by level-setting expectations," she said.

The fact that a phone call starts streaming audio before the recipient receives it is counter-intuitive to the layperson, but FaceTime was probably designed that way on purpose, according to someone who built a similar system.

Luke Ma, director of product management for video conferencing company BlueJeans Network, explained that software such as FaceTime initiates audio and video connections as soon as the call is made, then mute them until the call is accepted.

"To speed up the connection speed, your call is fully connected as fast as possible and your answer & # 39; basically disables everything, "Ma said.

Or, as Dr. Jonathan Hill, dean of computer science and information systems at Pace University, says, your phone's ability to send audio before replying "is not a bug. It's a feature.

The error itself was probably a "logical mistake," said Dr. Lukasz Olejnik, an independent cyber security and privacy researcher.

"Logical errors make systems behave in unexpected ways," he explained, and may be just the result of supervision. "Apple has one of the best security and privacy teams in the world. This case highlights how adequate security and privacy can be difficult in practice. "

Carey said the FaceTime bug was "a black eye" for a company that does have a strong reputation for security and privacy.

"They will have to be totally transparent about how this bug happened and when it was introduced," Carey said. "They need to release information about whether they can be crawled to see if it has been exploited and should notify customers."

Apple has not responded to numerous Guardian queries requesting additional information about the bug.


Source link