Apple's FaceTime Bug

CVE-2019-6223

What happened

Last week Apple patched a bug that was found in its FaceTime app. The bug allowed others to arbitrarily FaceTime other users with iOS (Apple’s proprietary operating system) and listen in on what was going on around them without their knowledge.

According to reports, the bug existed in the Group FaceTime feature on iPad Air, iPod touch 6th gen and iPhone 5 and up. Teenager Grant Thompson discovered the flaw on the devices, which allowed an attacker to take advantage of the way FaceTime calls are initiated. Apple credited Grant with discovering the bug and said it would reward him by contributing financially towards his education.

Why it matters

It is unknown how long this bug has existed. During the time that it was around, anybody could use someone else’s phone as an eavesdropping device. What is interesting is that about a month ago I had a conversation with someone who was furious for being sent to jail because he violated a restraining order. He said a conversation of his was recorded from his iPhone’s FaceTime app and was used by his ex-wife in court. At the time I thought what he was saying was ludicrous. After hearing about this bug I find myself questioning my doubtfulness.

These types of events, however coincidental, can lead to serious privacy concerns. While Apple was performing its security audit, it found other bugs, including another flaw in the FaceTime software which involved the Live Photos feature and a memory corruption problem which allowed privilege escalation. Apple has since patched these security vulnerabilities.
