Apple's recently surfaced Group FaceTime bug showcases the need for IT pros to pay as close attention to mobile OS patching practices as they do (or, hopefully, do) to patching desktop, server and other platforms.
Apple fixed two serious security flaws with its latest iOS release, 12.1.4, which also restores the ability to run Group FaceTime. The update addressed a bug that allowed a FaceTime caller to see and hear a recipient before he or she even picked up, potentially letting someone eavesdrop on conversations without notice.
“IT leaders should look to ensure OS updates are applied and enterprise devices are continually patched,” says Marco Nielsen, vice president of managed mobility at Stratix. “This shows the importance for IT departments to develop processes to manage and secure their devices with the constantly changing technology landscape.”
Nielsen says Apple does a commendable job of patching and upgrading its OS. Yet, in this case, the tech giant didn't realize it had a problem. The vulnerability was discovered by a 14-year-old--Grant Thompson, of Tucson, Ariz.--who was calling friends ahead of a Fortnite game and realized he could hear a FaceTime caller before the call was accepted. His mother attempted to reach out to Apple to report the bug but eventually went to Twitter to publicize the issue. She finally got Apple's attention by tagging the @AppleSupport feed.
House Energy and Commerce Chairman Frank Pallone Jr. (D-N.J.) and Consumer Protection and Commerce Subcommittee Chairwoman Jan Schakowsky (D-Ill.) were also unimpressed with Apple's response. They sent a letter to Apple CEO Tim Cook calling for more information about user privacy and asking whether there are more bugs that are known but haven’t been fixed.
“As a first step, we believe it is important for Apple to be transparent about its investigation into the Group FaceTime vulnerability and the steps it is taking to protect consumers’ privacy,” the letter said. “To date, we do not believe Apple has been as transparent as this serious issue requires.”
Apple said in a statement: “We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.”
The iOS release also squashed other bugs and was made available for iPhone 5s and later, as well as iPad Air and later and the sixth-generation iPod touch and later. The next interim upgrade should be iOS 12.2, which is in beta. The company also issued a corresponding update for its desktop OS, macOS 10.14 Mojave.
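The practical check that follows from this is simple to state and easy to get wrong: which managed devices are still below 12.1.4? The script below is an added example written for this article, not code from Apple or from any vendor quoted here. The inventory rows are constructed, and the device names are hypothetical; a real deployment would pull them from the MDM's export or API. It compares versions as integer tuples rather than strings, because a naive string comparison ranks "9.3.5" above "12.1.4" and would report an out-of-support iPhone as patched.

```python
"""Flag managed iOS devices that have not reached the release that fixed
the Group FaceTime bug.  Added example; inventory data is constructed."""
from typing import Dict, List, Tuple

# iOS release that fixed the Group FaceTime bug, per the article.
FIXED_VERSION = "12.1.4"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '12.1.4' (optionally followed by a build, e.g. '12.1.4 (16D57)')
    into (12, 1, 4).  Tuples compare numerically, so 9 < 12 as intended,
    whereas as strings '9.3.5' > '12.1.4' because '9' > '1'."""
    number = v.strip().split()[0]          # drop any trailing build string
    return tuple(int(part) for part in number.split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed >= fixed.  Shorter versions such as '12.1' are
    padded with zeros so they compare as (12, 1, 0) < (12, 1, 4)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


# Constructed sample inventory (hypothetical device IDs, models and versions).
# Models are chosen to cover the article's support line: iPhone 5s and later
# can receive 12.1.4; an iPhone 4s stuck on iOS 9 cannot be patched at all.
INVENTORY: List[Dict[str, str]] = [
    {"device": "ip-0001", "model": "iPhone XS",  "os": "12.1.4"},
    {"device": "ip-0002", "model": "iPhone 8",   "os": "12.1.3"},
    {"device": "ip-0003", "model": "iPad Air 2", "os": "12.1"},
    {"device": "ip-0004", "model": "iPhone 7",   "os": "12.1.4 (16D57)"},
    {"device": "ip-0005", "model": "iPhone 4s",  "os": "9.3.5"},
]


def unpatched_devices(inventory: List[Dict[str, str]],
                      fixed: str = FIXED_VERSION) -> List[str]:
    """Return the IDs of devices still running a version below `fixed`."""
    return [row["device"] for row in inventory if not is_patched(row["os"], fixed)]


if __name__ == "__main__":
    for device_id in unpatched_devices(INVENTORY):
        print("needs update or retirement:", device_id)
```

Devices that cannot reach 12.1.4 (the iPhone 4s row above) still show up in the unpatched list, which is the desired outcome: a device that can never receive the fix belongs on the retirement list, not quietly in the patched column.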
“Today's software update fixes the security bug in Group FaceTime,” the company said in a statement. “We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security.”
That's all well and good, but the Group FaceTime bug is no doubt one of many lurking in the applications in use in the enterprise--be they software platforms or mobile apps.
"In the case of this particular Apple iOS FaceTime listening vulnerability, it appears that risk is mitigated by the fact that listening is or was only possible while the phone was ringing," says Mike Price, chief technology officer at ZeroFOX. "That said, there's at least some risk, and the presence of the bug lends credence to the idea that there may be other, more severe bugs like this out there, waiting to be discovered."