A Teenager Tried To Warn Apple About It's Facetime Security Flaw, But Appears To Have Been Ignored

from the go-to-voicemail dept

By now, you've almost certainly heard about the latest big technology security flaw: Apple's FaceTime feature contains a bug that lets a caller using FaceTime hear through the recipient's phone while the call is still ringing. This obviously has all kinds of people all kinds of freaked out, since the bug essentially turns any iPhone into a short-burst surveillance bug. This has led some to opine that Apple, which has a fairly decent reputation from a privacy standpoint, is at risk of having that reputation torpedoed over this story.

And that might be all the more the case when the public discovers that Apple was informed of this bug by a teenager and his mother in the weeks running up to the press coverage of it, and did nothing about it.

The Wall Street Journal reports that Grant Thompson, from Tucson, was “setting up a FaceTime chat with friends ahead of a ‘Fortnite’ videogame-playing session when he stumbled on the bug”. It was then that Thompson noticed that he could hear audio from friends who had yet to join the call. Grant quickly told his mother, Michele, and the pair spent a week trying to contact Apple to warn them about the issue.

The WSJ says that after some calls and faxes they “eventually traded a few emails” with Apple’s security team, but it wasn’t until reports of the bug blew up on Twitter that the decision was made to disable Group FaceTime.

This apparently happened a week or so before this all exploded on Twitter and in the media. We've heard stories like this in the past, of course, but it always amazes me that tech companies aren't better about sending a unified message across the entire company: staff should want to report this sort of thing up the hierarchy, and those higher up should jump on addressing such reports both quickly and publicly. Imagine a world where Apple had lauded this teenager for informing the company about the bug and had proactively disabled group FaceTime until the bug was resolved. Apple would have come out looking, once again, as though it were looking out for the privacy interests of its users.

Instead, it sure looks like the company was hoping to stick its head in the sand and pretend the bug didn't exist. Or, more charitably, perhaps the company thought it could simply do away with the bug quietly via an update with vague patch notes. Either way, it's not a great look.

Filed Under: facetime, grant thompson, security, security disclosure, warning
Companies: apple


Reader Comments



  • Mason Wheeler (profile), 31 Jan 2019 @ 1:04pm

    By iDiots, for iDiots. So glad my wife and I use Android phones instead.


  • pegr, 31 Jan 2019 @ 1:48pm

    Never attribute to malice...

    More like the right folks didn't hear about it for a while. Mom gets a different level of attention than if a known vulnerability researcher would have made the call. You have to imagine that every tech firm gets their fair share of cranks making bogus claims about vulnerabilities.

    Why, just last night my phone's Facebook app was beaming political messages into my brain while I slept!


  • Anonymous Coward, 31 Jan 2019 @ 1:50pm

    By iDiots, for iDiots. So glad my wife and I use Android phones instead.

    Cut the smart phone. Dumb tablet and old flip phone without gps is a better product.


  • Ven, 31 Jan 2019 @ 1:58pm

    Customer Service scripts are designed to pigeonhole users

    I'd bet they called up the normal front-facing customer service and got the whole "turn it off and on again" spiel. Apple has been better about having actual trained people involved in customer support, but even they have a first-level wall of untrained script-reading bots (human or software) to filter people into the right buckets before sending them on to the people with the right knowledge.

    If the script they give to these front line people doesn't include a way to filter the call into the "security issue" or "privacy leak" buckets then it will drop them off into some meaningless phone menu hell.

    This is one more symptom of companies not planning for security issues to happen unexpectedly. If no one with agency thinks to include something like this in customer service scripts and no agency is given to the actual front line script readers then there is no way to easily move real security issues up the chain.


    • Black Bellamy (profile), 31 Jan 2019 @ 3:46pm

      Re: Customer Service scripts are designed to pigeonhole users

      The story says they made phone calls and faxes until they started trading emails with the security team. While it doesn't go into further detail (I would love to see those emails) it does indicate they got past level one support.

      To reproduce the issue is three easy steps. 9to5mac.com was able to do it no problem. So this looks like someone on the security team or above made a call not to shut off FaceTime while they worked on a fix. Meanwhile it blew up all over Twitter so they had to shut it down before the fix came out.


    • Anonymous Coward, 1 Feb 2019 @ 10:05am

      Re: Customer Service scripts are designed to pigeonhole users

      If no one with agency thinks to include something like this in customer service scripts and no agency is given to the actual front line script readers then there is no way to easily move real security issues up the chain.

      They need to add a shibboleet option.

      Ever tried to report a BIOS bug to someone? I found it impossible, almost exactly like in that comic (the laptop vendor wanted to debug Windows, which wasn't running; the problem happened before any OS was running).


  • Anonymous Coward, 31 Jan 2019 @ 2:03pm

    The story (and original source) is light on details. If Grant and his mother were unable to provide steps to reproduce the bug, then this would not be a high priority issue. The reason is that without reproduction instructions the report could be mistaken, some insane alpha-particle-flipped-a-bit thing, or even a malicious false report. System logs for Apple to dig through can be enabled on iOS, but that doesn't do any good if you never reproduce the bug.

    Now if Apple was given explicit steps to reproduce and did nothing, well that's a pretty big egg on their face.


  • That Anonymous Coward (profile), 31 Jan 2019 @ 2:17pm

    And requiring them to sign up for the Apple Developers Program was just a safety measure...


  • Anonymous Coward, 31 Jan 2019 @ 2:31pm

    That mom and teen are just lucky that the FBI didn't show up to their house to take all of their electronics and arrest them for hacking.


    • Anonymous Coward, 31 Jan 2019 @ 3:29pm

      Re:

      That mom and teen are just lucky that the FBI didn't show up to their house…

      That happens next week, after the media coverage has died down somewhat. The FBI shows up at their house next week.

      Since the kid's a "hacker" he gets the 29-agent, 17-vehicle with two amphibious tanks, one helicopter with SWAT rappelling onto the roof, and multiple flash-bang treatment — the treatment that was absolutely not pioneered with CNN's coverage of the Roger Stone arrest. Pretty much par for the course when it comes to "hacker" arrests.


      • Anonymous Coward, 1 Feb 2019 @ 10:07am

        Re: Re:

        Plus they'll take any cash and anything that looks electronic. I hope they're keeping a backup non-electronic thermostat around, it's cold outside...


    • That One Guy (profile), 1 Feb 2019 @ 12:10am

      Re:

      I'd like to vote your comment funny, I really would, but given some of the stories that have been on TD in the past I find myself forced to hit insightful/'Sad but true' instead.


  • Uriel-238 (profile), 31 Jan 2019 @ 3:33pm

    And Apple would have gotten away with it, too...

    If it weren't for the pesky kid.


  • Pixelation, 31 Jan 2019 @ 4:55pm

    I'm sure the FBI will be raiding his house shortly.


  • Anonymous Coward, 31 Jan 2019 @ 6:04pm

    Techdirt headlines next week: Apple sues teenager, mother, for creating FaceTime security flaw


  • Anonymous Coward, 1 Feb 2019 @ 1:34am

    Apple has been using this "bug" in Facetime to spy on rival companies, steal their ideas etc. Ever noticed how "co-incidentally" Apple has filed a large number of patents JUST before a rival company?

    The UK government has recently changed most of its staff to use iPhones. Apple also using this bug to spy on Brexit negotiations, so they can again "co-incidentally" invest in the stock market based on government private discussions, as they then know which companies will get new contracts etc.

    It's insider trading all the way from Tim Cook on down it appears.


  • Jinxed Violynne (profile), 1 Feb 2019 @ 4:52am

    I'm just waiting for the news that Apple sues the teenager using the CFAA.


  • Anonymous Coward, 1 Feb 2019 @ 5:24am

    Ok, YOU are the Facetime product manager at Apple ...

    Assume that the issue filters to you as product manager two days after first contact with the "help desk".

    You talk to the developers and it's 15 working days to design, implement and test a fix, or you can shut down group chat, which would affect millions of users.

    What would you do?


  • Anonymous Coward, 1 Feb 2019 @ 10:03am

    The government sure would have loved to have such a plausibly deniable "flaw" in Apple's tech. I'm not much for tinfoil-hat stuff usually but...


  • H, 4 Feb 2019 @ 3:56pm

    "A Teenager Tried To Warn Apple About It's Facetime Security Flaw"

    A third grade teacher tried to remind her students that if they can't learn basic English, people would make fun of them when they grew up.


  • Uriel-238 (profile), 4 Feb 2019 @ 4:26pm

    Comparisons

    "A Teenager Tried To Warn Apple About It's Facetime Security Flaw"

    A third grade teacher tried to remind her students that if they can't learn basic English, people would make fun of them when they grew up.

    From this juxtaposition we can infer Apple has the maturity and attention span of a classroom of nine-year-olds.


