The Guardian | PACE UNIVERSITY


"The Guardian" featured Pace University's dean of computer science and information systems Dr. Jonathan Hill in "A 'black eye' for Apple: FaceTime bug shakes faith in iPhone security"

01/30/2019


Cybersecurity expert sees ‘nightmare scenario’ for company as app allows third parties to eavesdrop

It was a tin-foil hatted conspiracy theorist’s wildest prognostication come true: the trusty and beloved iPhones that accompany users to work, to bed and even to the toilet suddenly transformed into an all-purpose spying device, transmitting audio and video to anyone with your phone number or email.

“This is the nightmare scenario,” said Marcus Carey, a cybersecurity expert and author of Tribe of Hackers. “It does incite privacy fears because this is the same scenario that most people fear from the US government and other regimes.”

The bug, which was publicized Monday, transmitted audio (and, under certain circumstances, video) to a caller despite the recipient not having accepted the call. It was triggered when the initial caller added a third person to a FaceTime call. Though Apple has yet to issue a software patch, the company has disabled group chatting on FaceTime, preventing users from further exploiting the bug.


But the major flaw in FaceTime has raised concerns about Apple’s security practices just as the company reports disappointing financial results. And reports that a teenager and his mother spent days attempting to alert Apple to the problem have also raised questions about the company’s procedures for receiving reports of vulnerabilities.

Michele Thompson, an Arizona attorney whose identity was confirmed by the Wall Street Journal, began posting about her son’s discovery of the bug on Facebook and Twitter on 20 January – eight days before Apple took action.

“My son just found a major flaw in Apple’s new iOS, that allows you to hear another person in the vicinity of their iPhone or iPad,” Thompson wrote on Facebook. “We just submitted the bug report to Apple and are waiting to hear back. We won’t provide the details since it’s a major security risk, but it’s unbelievable that my 14-year-old figured this out.”

Thompson made numerous attempts to alert Apple to the problem, first through social media and later through the company’s customer service system, according to the Journal. She eventually went so far as to register as a developer in order to submit a report through Apple’s bug bounty program.

Katie Moussouris, the founder of Microsoft’s bug bounty program and CEO of Luta Security, said that the problem for Apple was not that it failed to act quickly enough to patch the bug, but that it failed to manage Thompson’s expectations of how quickly a bug can be patched.

“It’s best not to rush,” Moussouris said. “You have to do in-depth investigations or else you can have unintended consequences. You don’t want people issuing patches that no one trusts or that break other things.”

For Apple, the best case scenario would have been to keep the existence of the vulnerability secret until the patch was tested and ready, Moussouris explained, a process that could reasonably take 30 to 60 days.

“You have to do this balance between thoroughness and timing, and in this circumstance there were misunderstandings that are understandable, and a missed opportunity for level-setting expectations,” she said.

That a phone call should start transmitting audio before the recipient picks up is counterintuitive to the lay person, but FaceTime was probably designed that way on purpose, according to someone who has built a similar system.

Luke Ma, the director of product management at video conferencing company BlueJeans Network, explained that software like FaceTime will initiate audio and video connections as soon as the call is made, and then mute them until the call is accepted.

“In order to accelerate speed of connection, your call is fully connected as soon as it can and your ‘answering’ the call basically just un-mutes everything,” Ma said.

Or, as Dr Jonathan Hill, dean of computer science and information systems at Pace University, put it, the ability for your phone to send audio before you answer is “not a bug. It’s a feature.”
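The connect-early-then-mute design Ma and Hill describe, as an added toy model in Python (not Apple's or BlueJeans' code; the classes, the mute-reset step in `add_party` and all names are constructed for illustration): when a mute flag is the only gate on media, any unrelated session change that touches the flag can unmute a device whose owner never answered, whereas checking the recipient's own accept state at send time holds regardless of what else changes.

```python
from dataclasses import dataclass


@dataclass
class Party:
    name: str
    accepted: bool = False  # has this person answered the call?
    muted: bool = True      # the early-media design's only gate on media


class EarlyMediaCall:
    """Media is connected at ring time; answering merely clears the mute flag."""

    def __init__(self, caller: str) -> None:
        self.parties = {caller: Party(caller, accepted=True, muted=False)}

    def ring(self, name: str) -> None:
        self.parties[name] = Party(name)  # ringing, not yet answered

    def answer(self, name: str) -> None:
        self.parties[name].accepted = True
        self.parties[name].muted = False

    def add_party(self, new_member: str) -> None:
        # Hypothetical fragile step (constructed, not Apple's actual code):
        # rebuilding the session for the new member resets mute state for everyone.
        self.ring(new_member)
        for p in self.parties.values():
            p.muted = False

    def transmits(self, name: str) -> bool:
        return not self.parties[name].muted


class ConsentGatedCall(EarlyMediaCall):
    """Same setup, but sending is gated on the recipient's own accept at send time."""

    def transmits(self, name: str) -> bool:
        p = self.parties[name]
        return p.accepted and not p.muted


def leaks_before_answer(call_cls) -> bool:
    """Does adding a third party make an unanswered callee's device transmit?"""
    call = call_cls("caller")
    call.ring("callee")          # callee's phone is ringing, unanswered
    call.add_party("third")      # caller adds a third person to the call
    return call.transmits("callee")
```

`leaks_before_answer(EarlyMediaCall)` returns True and `leaks_before_answer(ConsentGatedCall)` returns False; the point is that consent should be a property checked on every send, not a flag that other code paths can flip.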
