FaceTime Security Flaw Gives Apple a Black Eye: Analysts

The flaw, which compromises user privacy, is still being repaired by Apple after being reported on Jan. 28.

software flaw

Apple's FaceTime video chat app remained out of service Wednesday morning after being temporarily disabled by the company Jan. 28 due to a security flaw that can enable a caller to hear audio from the receiver's end before the call is accepted.

That's not supposed to happen, and not only is it an embarrassing and troubling error for Apple, but it is also a potentially serious threat to its consumer and business users, several mobile IT analysts told eWEEK.

"This is a critical, show-stopping bug that directly impacts Apple's reputation for maintaining user privacy," said Avi Greengart, a mobile analyst with GlobalData. "Whatever impact the temporary shutdown has on consumers and businesses is swamped by the need for Apple to address this quickly."

Because FaceTime is generally more of a consumer product than an enterprise application, the security flaw involving the app is more of a personal security issue than something most businesses need to worry about, said Greengart. "Apple is also expected to fix the bug shortly, and FaceTime is hardly the only video calling app, so the outage should be a temporary inconvenience. But it does highlight the importance for IT of regular security updates for all communications software, not just operating systems."

Another analyst, Charles King of Pund-IT, said the flaw in the FaceTime code is particularly remarkable from both a design and implications standpoint because it doesn't require any special skills to eavesdrop at will on other FaceTime users.

Taking Advantage of the Flaw

To make the flaw occur, a user calls another person with FaceTime and before the other person picks it up, the caller can then swipe up on their display screen and add their own number to the call as a Group FaceTime call. At that very moment, an active call will begin and FaceTime begins immediately sending audio from the receiver's device, even though they have not yet accepted the call. Making the privacy breach worse, the person who is receiving the call has no indication that a call has begun or that FaceTime is transmitting any audio or video.

"It's obviously a serious issue for Apple, and a significant failure for the FaceTime developer team" to have a flaw that requires only a few simple actions to implement it, said King.

That's what makes it so worrisome, he added. "Potentially, the flaw could be used to listen in on private conversations and discussions of every sort, including those of competitors, customers and regulators. If the flaw were implemented on the iPhone of a board of directors meeting, the listener could be privy to a company's deepest secrets."

The big questions are how long the flaw has existed and how many people actually knew about it prior to its exposure, said King. "I'm not sure that those facts will ever be known."

Turning Off FaceTime App Only Option for Now

To prevent the issue from occurring until the vulnerability is fixed, about the only thing that users can do is turn off the FaceTime app on their devices, he said. "Other than that, it's important for individuals and organizations to make certain their phones are regularly updated and that they use recommended security apps and tools."

Users can also opt for other video chat apps in the meantime to deal with the situation, said King.

"It's like something out of 'Mission Impossible' or another far-out espionage film," he said. "That's not to say that other serious phone security issues don't exist. But the simplicity and potential impact of the Apple FaceTime flaw are uncommon in the extreme."

John Jackson, an analyst with IDC, told eWEEK that security flaws like this one are always tough for the companies that have to deal with and resolve them.

"There's never a good time for a company to have a third party expose a software bug that compromises customers' privacy," said Jackson. "The incident is clearly horrific PR that damages the brand, but I think in the end not by much. Apple's customer satisfaction scores are consistently off the charts, so there's plenty of goodwill in the bank and I think it would take more than this—as serious as it is—to materially impact them."

Once the issue is solved in the near future, it will likely be forgotten, said Jackson. "In the end, I think patches will be issued and this will go to the dustbin of history next to Antennagate," when many Apple iPhone 4 handsets suffered from antenna issues in mid-2010 that resulted in poor call quality. Called Antennagate by late Apple CEO Steve Jobs at the time, the problem was the location of the antenna inside the devices, which was solved with an add-on thin rubber case.

FaceTime is an integrated application that is included in Apple's iOS mobile operating system as well as its macOS desktop operating system. Apple has stated that it is aware of the issue and is planning on releasing an update. Apple has also temporarily shut down its Group FaceTime service feature at the back-end server, to help further mitigate the risk. Additionally, until a formal patch is available, Apple users are advised to disable FaceTime on their devices.

Apple did not respond immediately to an inquiry from eWEEK about the status of the FaceTime flaw and its ongoing repairs.