Credit to Author: Lily Hay Newman | Date: Thu, 07 Feb 2019 18:11:05 +0000
Apple just released the patch for its terrible Group FaceTime eavesdropping bug. You should go install it as soon as it hits your iPhone or iPad.
The privacy-eroding flaw in Apple's calling platform set the internet ablaze this week with warnings and advice on how users should protect themselves. New York state attorney general Letitia James even launched a probe in response. The bug allowed users to activate the microphone—and even the camera—on any phone they were calling through FaceTime and listen in before the recipient picked up. In response to public outcry, Apple took the radical step of disabling group FaceTime entirely until it could release its fix. A week later, that update has now arrived.
"We sincerely apologize to our customers who were affected and all who were concerned about this security issue," Apple said in a statement last week. "We appreciate everyone’s patience as we complete this process."
The update has only just started rolling out, so don't panic if you don't see it yet. To install the update, if iOS doesn't prompt you to death first, go to Settings > General > Software Update. Choose Download and Install, and follow the cues from there. Your device needs to have at least 50 percent battery, or be plugged in. You can also plug your iPhone or iPad into your computer (no judgement, some people still do this) and download the update through iTunes.
"Yes, definitely install the update," says Patrick Wardle, cofounder of Digita Security. "I'm optimistic that this will finally encourage Apple to improve their approach, because at the end of the day, Apple cares most about its stock price and sales. When security threatens that, then it becomes a priority, so win-win."
The bug stemmed from a logic issue with FaceTime's group calling feature, which Apple introduced at the end of 2018 as part of launching its new iOS 12 mobile operating system. After dealing with a series of terrifyingly dumb iOS and macOS bugs in 2017, Apple took a rebuilding year, focusing on unglamorous stability improvements for Mojave and iOS 12 rather than its usual array of flashy new features. The strategy has been successful for the company in the past, producing some of its most beloved operating systems, like Snow Leopard, the 2011 version of OS X.
That also meant that group video and audio calls were one of the few marquee features of iOS 12. FaceTime calls are end-to-end encrypted, meaning they are only intelligible on devices participating in the call. And while end-to-end encrypted calling has gotten easier to implement and more reliable, it's still difficult to guarantee it on the scale of a platform like FaceTime—especially for group calls that have multiple participants. It took years to get encrypted group FaceTime chats right; the fact that Apple then had to temporarily disable it over a privacy bug is a big setback. The company also received blowback over reports that an Arizona teenager had warned Apple about the flaw days before it reacted publicly.
"What concerns me is the fact that there's evidence that this was reported to Apple beforehand," says Thomas Reed, director of Mac and mobile at security firm Malwarebytes. "I know and respect the folks in Product Security, but I wonder if there was some resistance from higher up to shutting down the service."
Apple's string of security gaffes has become increasingly problematic as the company continues to tout its safety and privacy bona fides. And, more importantly, the bugs put user data at risk. While perfection is impossible, Apple seems to be making increasingly avoidable mistakes.
"Any software is going to have bugs," Wardle says. "However, it seems inexcusable that Apple allows this and many other bugs to make it into production code. They clearly have the time and resources to perform sufficient quality and assurance testing, but often they choose usability and getting features to market over security and comprehensive testing. There have been other similar bugs where we are all left scratching our heads."
At least Apple still has the power to easily distribute updates to its devices and achieve broad adoption. (Android, not so much.) So if you own an iPhone or iPad, take advantage and install the patch ASAP.