The Group FaceTime Bug: A Privacy Concern for Users and a PR Disaster for Apple

In October, Apple released iOS 12.1 alongside MacOS 10.14.1 and introduced FaceTime group calls. People working for the Silicon Valley giant now probably wish that this particular feature wasn't included in the update. As you probably know, on Monday, a flaw in the group call feature was discovered which led to a bit of a nightmare for the iPhone maker.

The bug was frighteningly easy to exploit. You'd call someone on FaceTime, and while you're waiting for them to pick up, you'd add another person (or your own phone number) to the group call. This would automatically turn on the original recipient's microphone, and you'd be able to hear what's happening around their device. If the recipient decided to silent the call using the power or volume buttons, you'd also see a video stream from their front-facing camera. The victim's phone would continue ringing like normal, and they would have no way of knowing that they're being spied upon.

The bug was bad, but the publicity was worse

It was obviously a major privacy concern, but perhaps the bigger problem came from the fact that the bug wasn't discovered by a security professional. In fact, initially, the source of the news was social media, and it was being spread around by aspiring artists, some of who decided to promote their merchandise after their tweets went viral.

Things would have been much different if the vulnerability had been reported in accordance with the accepted responsible disclosure rules, but this wasn't the case, and, given the circumstances, Apple had no other choice but to take the group call feature offline and to promise that a patch will be available before the end of the week. Obviously, the iPhone maker won't be let off that lightly.

On Wednesday, a lawyer from Houston announced that he is suing Apple because the FaceTime vulnerability allegedly allowed someone to eavesdrop on sworn testimony. Whether or not this really is the case is for the court to decide, but it's fair to say that from a PR standpoint, the whole thing is turning into a bit of a mess. Some more recent news isn't helping.

Was it avoidable?

When the hashtag-heavy tweets and videos started flying around, Apple reacted quickly and took the service offline almost immediately. It later became apparent, however, that it could have known about the bug long before it went viral.

On January 19, a 14-year-old teenager from Arizona was trying to set up a Fortnite online session with his friends when he discovered the vulnerability. He shared his findings with his mother, Michele Thompson, who then tried to inform Apple about the flaw. She tried getting in touch with Apple's support account and Tim Cook on Twitter. She also attempted some of the other channels, including sending a fax, and after a few days, she finally got hold of a representative who told her that she must register as a developer and file a bug report. Apparently, on January 25, three days before the news broke, she filmed a video of her and her son exploiting the vulnerability and sent it Apple's way. She claims that she never heard back from the iDevice vendor.

We have to take a balanced approach here. There are more than 1 billion Apple devices in use at the moment, and you can imagine how many bug reports Cupertino's people receive every day. You can also imagine how many of them are a complete waste of time, especially when they're filed by average users who are not always aware of how the technology works.

By her own admission, Michele Thompson fits this profile rather well, and the screenshots of her emails show that her initial reports probably weren't up to the highest standard. Yet, we mustn't discount the fact that she had a genuine vulnerability that put quite a lot of people at risk. Evidence suggests that she had it before anyone else, and in the end, Apple simply didn't react quickly enough.