Update: The update is out. iOS 12.1.4 addresses this bug as well as another security issue that Apple found while auditing the code for FaceTime.
On Monday night (January 28), talk of a serious Group FaceTime bug hit the internet in a big way.
If a would-be attacker used a specific set of steps that were not typical for a regular FaceTime call, they could activate the call recipient’s microphone on their iPhone (or, presumably, iPad) without them answering the call. There was an extra privacy concern that if the recipient of the call declined the request, their camera was mistakenly activated as well, even if the phone looked like it was asleep.
There is no indication this bug was exploited maliciously, and it appears to have been reported to Apple at least a week and a half before the explosion of attention on January 28. Moving quickly once this story went public, Apple shut off Group FaceTime (a new feature that was introduced with iOS 12 this fall), effectively blocking this exploit from being used. In all, the bug was active for about 2-3 hours with a large audience, as Apple presumably scrambled to find a way to quickly fix it.
Apple immediately put out a press release saying that a permanent fix for this bug would be coming later this week, and shutting off Group FaceTime has mitigated the problems associated with the bug until the fix is released.
Unfortunately, because the news is effectively entertainment now, the following evening (Tuesday), everything from local news all the way up to late-night comedy shows talked breathlessly about the story, and, at least from what I heard, none mentioned that the offending feature had been completely disabled until a proper fix is in place. In other words, the window when anybody at any scale could have been harmed by this was exceptionally small, only a few hours at most.
Now, though, the viral story of ‘Turn Off FaceTime’ will circulate for years, even though in my opinion it’s probably one of the very best ways for a group of Apple device users to communicate with audio/video. Even when the feature is fixed, there will be no news stories saying ‘You Can Turn FaceTime Back On Now’, even though after Monday evening, there was no need to turn it off.
There are a few big lessons I take away from this:
- Basically every news story is as well-researched as the one you know the intimate details about beforehand (not at all well-researched). Take them with a grain of salt.
- Every piece of software has bugs and flaws at some point in its development cycle. Obviously, big flashy bugs like this are a BIG deal, but it’s a reality of software that they will come up. The best thing you can do as a developer is to put systems in place to be able to deal with them quickly, and in my opinion, Apple’s ability to pull the plug on Group FaceTime without taking the entire system down is an example of good design.
- Don’t take your privacy for granted. People are going to see this story and turn off FaceTime because this was a huge privacy issue. However, I promise you that there are much bigger and more severe privacy violations going on at huge companies around the world right now, and because it is status quo, we all kind of just give them a pass. You should ‘audit’ the programs you use from time to time, and if you’re able, do some research on the privacy over-reaches of companies like Facebook. You’d be surprised at the kinds of things they are caught doing on an ongoing basis, but it’s not a news story for some reason.
So, I didn’t turn FaceTime off, and unless something changes, I don’t think you need to either (if you didn’t already). If you’re paranoid about being watched/heard in your home, FaceTime is far from your biggest concern (this bug is no longer a risk as it stands today).
Humans are flawed, so it stands to reason that the software we create isn’t always perfect either. But writing off technology because of one viral news story is harmful to all of us, because the news can’t, and doesn’t, cover everything.
Please, don’t turn off FaceTime and vow never to trust it again because of this story. Your privacy is, and always will be, at risk, but that doesn’t make this particular piece of software the problem.