Apple’s FaceTime Bug a Severe and Avoidable Risk to Privacy

A 14-year-old Fortnite player discovered and reported a major flaw in one of Apple’s most ballyhooed new features, Group FaceTime. Ironically, it took almost a fortnight for the tech behemoth to respond.

Apple finally disabled Group FaceTime – ironically – on Data Privacy Day. Before they did, though, it was very easy for someone to snoop on you using your Apple device. All they had to do was try to call you, hang up before you answered, and then call someone else. They’d then be connected to you even though you had not accepted their FaceTime invitation. Without consenting, you’d be broadcasting your audio and video to the other party. Clearly, that’s pretty alarming.

As a software developer who has written plenty of bad code with faulty logic in my career, I can easily see how this bug happened. It’s the kind of mistake I think I would make when I haven’t had enough caffeine. The Group FaceTime feature, a shiny and impressive new communications tool, requires some slightly intricate logic to initiate the call and ensure that all invited members have access and no one else does. What must have been missing in their implementation was a step that terminated the connection to any device that did not accept the invitation. Instead, when the initiator then tried to add a different person to the conversation, it accepted, rather than terminated, the unanswered connection while it tried to initiate the next. A simple mistake, but one with dire privacy consequences.

Two things concern me about this incident. First, this bug is the kind that can be easily found in the testing phase. Surely, one of the scenarios for Group FaceTime that Apple should have tested is what happens when one or more of the invitees don’t answer. The fact that this problem didn’t surface during testing suggests to me that they might have skimped on testing in order to meet a tight deadline to push this splashy technology out.
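To make the hypothesised flaw and the missing QA case concrete, here is an added toy model (not Apple’s code, and not a description of FaceTime’s real implementation): a group-call session in which pending invitations are either promoted to "accepted" when the initiator adds someone else (the flaw described above) or torn down (the fix), plus the "invitee never answers" scenario that testing should have covered. All class, method and participant names are assumptions made for the example.

```python
from enum import Enum


class State(Enum):
    INVITED = "invited"    # ringing, no answer yet
    ACCEPTED = "accepted"  # explicitly answered
    ENDED = "ended"        # declined, cancelled, or torn down


class GroupCall:
    """Toy group-call session (hypothetical model, not Apple's implementation)."""

    def __init__(self, initiator, fix_applied):
        self.fix_applied = fix_applied
        self.members = {initiator: State.ACCEPTED}
        self.answered = {initiator}  # ground truth: who actually pressed "accept"

    def invite(self, person):
        self.members[person] = State.INVITED

    def answer(self, person):
        self.answered.add(person)
        self.members[person] = State.ACCEPTED

    def add_participant(self, person):
        """Initiator adds another person while earlier invitations are still pending."""
        for who, st in self.members.items():
            if st is State.INVITED:
                # Hypothesised flaw: the pending connection is kept and treated as
                # accepted. Fix: anyone who has not answered is disconnected instead.
                self.members[who] = State.ENDED if self.fix_applied else State.ACCEPTED
        self.invite(person)

    def media_recipients(self):
        """Devices currently receiving the initiator's audio/video."""
        return sorted(p for p, st in self.members.items() if st is State.ACCEPTED)

    def consent_violations(self):
        """Recipients who never explicitly answered; this should always be empty."""
        return sorted(set(self.media_recipients()) - self.answered)


def unanswered_invitee_scenario(fix_applied):
    """The QA case the post says was missing: an invitee who never answers."""
    call = GroupCall("alice", fix_applied)
    call.invite("bob")             # bob's device rings; he does not pick up
    call.add_participant("carol")  # alice adds someone else mid-ring
    return call.media_recipients(), call.consent_violations()
```

With the flaw in place the scenario returns bob as a media recipient who never answered; with the fix applied, only the initiator is sharing media and the consent check is empty.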

Second, why did it take Apple so long to acknowledge the bug report from the teen and his mother? It seems the reporters went to significant lengths to try to get Apple’s attention. Apple, like many companies, has a bug bounty program through which they pay users to find and report problems with their software. Unfortunately, not as many people seem to be using Apple’s program lately, and that could be because the payouts have been low. Crowdsourcing bug reporting is a smart practice, particularly when it comes to identifying bugs that affect security and privacy, but it’s just for show if people don’t use it or, worse, if the company doesn’t respond to what people report.

The Group FaceTime bug should have been caught in QA. When it wasn’t, it should have been addressed as soon as it was discovered. Apple clearly failed in both respects.

About Ray Klump

Associate Dean, College of Aviation, Science, and Technology, Lewis University; Director, Master of Science in Information Security, Lewis University. http://online.lewisu.edu/ms-information-security.asp, http://online.lewisu.edu/resource/engineering-technology/articles.asp, http://cs.lewisu.edu. You can find him on Google+.
