The biggest news in the infosec world, besides the fact that balaclavas are becoming increasingly popular due to record-low temperatures across the United States, is that leet haxors can listen to you from your iPhone using FaceTime without you even answering the call. There are obvious security implications of this bug: phones should only turn on the microphone after you pick up a call. This effectively turns any iPhone running iOS 12.1 or later into a party line. In response, Apple has taken group FaceTime offline in preparation for a software update later this week.
So, how does this FaceTime bug work? It’s actually surprisingly simple. First, start a FaceTime call with an iPhone contact. While the call is dialing, swipe up, and tap Add Person. Add your own phone number in the Add Person screen. This creates a group call with two instances of your iPhone, and the person you’re calling. You may now listen in to the audio of the person you originally called even though they haven’t chosen to pick up the call. Dumb? Yes. Insecure? Horribly. If your iPhone is ringing, the person on the other end could be listening in.
But this isn’t a story about how Apple failed yet again. This is a story about how this security flaw was found, and what a normal person can do if they ever find something like this.
The first report of this bug came from a complete rando. Twitter user @MGT7500 first reported this bug to Apple support a mere nine days ago, then posted about it on Twitter:
That’s it. That’s the responsible disclosure. We’ve heard stories about random people on the Internet finding security flaws that make the heads of people running trillion-dollar companies burst into flames, but here’s the evidence, rendered in tweet form. Additionally, [MGT7] also emailed Apple, Fox News (not an affiliate), CNBC, CNN, and 9to5Mac about this security flaw. There was no response until 9to5Mac ran the story eight days later.
If a random person on the Internet finds a security vulnerability, what should they do? This is in the hacker and infosec realm, so the most common advice is to request a CVE, contact the parties involved (in this case, Apple, and the best email to reach them is the twenty-first link on this page), and negotiate a time after which the vulnerability will be disclosed. This is called responsible disclosure. You might want to check into bug bounties, because there might be a cash award. Alternatively, you could reach out to security researchers investigating the same platforms, and see if they could use their pull on Twitter to focus attention on the problem. If that security researcher is honest, you may even be the PI on whatever paper would come out of your discovery.
A random person on the Internet isn’t an infosec expert. The random person on the Internet simply wants things fixed, and in this case [MGT7] did exactly the right thing: they emailed Apple Support, including registering as a developer and going through the right channels. This reporting process should be easier, more obvious, and the response should be swift.
We have a new hero in the infosec world. It’s a Twitter account that’s been around for a few months, has opinions about college football in Arizona, and is still using the default avatar. Whoever [MGT7] is, we’re going to say they’re the best example of what you should do if you ever find a security flaw: find an email address on the company’s page for the security team. Email them, and sit back and wait. That’s all you need to know. It’s also the complete opposite of what security researchers suggest, and this is a failing of the entire community.