SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 123: Longtime Listener, FaceTime Caller

Posted on January 31, 2019

One story today… with lots of little stories nestled inside… Longtime Listener, FaceTime Caller… time to hit the Checklist.


Usually, we bring you a few stories each week — a tour of the headlines, so to speak, to break down what’s going on and what you need to know about online security and privacy. Sometimes, though, we encounter a story so big or important that it dominates our discussion for the week. In today’s episode, that’s precisely the scenario we’re dealing with — and you may have heard about the story already, too.

For many people, “Apple” and “privacy” are synonymous. Apple is supposed to be the one big tech company that really cares about its user security, right? That’s why the Group FaceTime bug that exploded into the headlines across the web this past Monday, from tech blogs to the New York Times, is such a unique situation. It’s not just an embarrassing bug; it’s a serious privacy flaw. With the ability to call someone and hear their audio even if they don’t answer your call, it’s enough to give anyone pause — and it was shockingly easy to execute, too. 

So, for this week, there’s only one major item on our list to check off; let’s get to the bottom of what’s up with this stumble from Apple. Along the way, though, we’ll also take a look at another story from this week… involving Facebook, of course. Would it truly be an episode of The Checklist without more news about FB?

Longtime Listener, FaceTime Caller

So how did the FaceTime bug work? Keep in mind that while we aren’t suggesting you try it, and gcan’t be triggered anymore, it is essential to understand just how simple it was for someone to take advantage of the loophole. According to MacRumors, these are the steps:

  1. Start a FaceTime call. 
  2. Swipe “up” to activate the Group FaceTime feature, “Add a Person.”
  3. Tap on “Add a Person.”
  4. Add your phone number and connect.


Following these steps causes the initial call between your phone and someone else’s to connect immediately, even if they haven’t answered. With plenty of videos floating around on the web, it’s easy to see the bug in action before Apple turned off Group FaceTime. Both users can then hear one another — though if you’re silent, there’s a good chance the other party won’t even know you’re eavesdropping. The good news is that if a user declines the call before you can add yourself, the bug won’t work.

However, it’s not hard to imagine ways in which others, perhaps with less than innocent intentions, could exploit this. Someone might be away from their phone, or avoiding the call by merely allowing it to ring without answering. The latter of these is especially commonplace. More importantly, this has a widespread effect because iPhones aren’t the only devices in the Apple ecosystem to feature Group FaceTime. Macs and iPads, too, will likely need software patches to fix the problem. While Apple has disabled Group FaceTime servers, ensuring no one else can exploit the issue before a patch is issued, we all know how difficult it can be to ensure that your users indeed update and apply the fix.

How Could This Happen?

Some bugs are to be expected. Group FaceTime has had a rocky rollout since its original announcement at 2018’s WWDC. First slated for a release in iOS 12, Apple did not release the feature until the first incremental update, iOS 12.1 — a bit of an unusual event for the company. That was followed shortly after that by a FaceTime-linked lock screen bypass for which they had to issue a fix quickly as well.

So, what about this exploit — how could so glaring a privacy flaw end up in the app? The current working theory is that there is something wrong in the way iOS handles the transition from a 1-on-1 FaceTime call to a group FaceTime call. In a group call, the users already chatting with one another shouldn’t need to press “Accept” on a call dialogue again when adding a third person to the chat — it wouldn’t make sense. FaceTime may assume that because a user wants to add a third party to the call, the initial callers must already have made a connection. 

Thus, FaceTime is simply missing a step to check that the original call was allowed. It likely wasn’t easy to convert the feature into a group chat, so some bugs are normal and perhaps even expected. The issue at play here has come to focus more on Apple’s response — or rather, an initial lack of response. More on that later, though.

Who Found the Bug?

We often report on stories where enterprising security researchers and freelancers uncover serious bugs and go public with the information, hoping to spur a fix. So, who was the lucky one to reveal this one? Well, it wasn’t a professional or a government, or even really anyone you might expect — it was a teenager. 

This teen wanted to play some Fortnite with his friends and FaceTimed a buddy to ask if he wanted to play a round. His friend didn’t pick up right away, and while waiting, he decided to add a third person to see if they’d like to play. Immediately upon doing so, the initial call connected. Thus, the bug was discovered, ultimately leading to the realization that one could simply add themselves to exploit the flaw immediately. Given that this was only just discovered, it’s likely this has been out there on all our devices since Group FaceTime was released eseveral months ago.

Initially, the only way to avoid being susceptible to the exploit was to turn off FaceTime on your device altogether. That’s no longer necessary, now. If all this has you a little worried, though, you might like to consider checking out an app we discussed back in Checklist 114, where we discussed a feature found in 2018 MacBooks. We learned from Business Insider at the time that when users closed their MacBook lids, the system would physically disconnect the microphone to disallow eavesdropping. 

There’s no way to get that same protection when the lid is open, though, so we suggested checking out an app called “Oversight” that will pop up a helpful notification when your microphone suddenly turns on without your permission. Of course, the average user likely won’t end up targeted by someone trying to listen in, but given how easy this bug was to exploit, some may find they enjoy better peace of mind — at least on their Macs — with an app such as Oversight. 

Shortly after the news hit the tech websites, Apple had a response, saying it was aware of the problem and would have a fix forthcoming within the week. By late Monday night, the Cupertino giant also disabled the Group FaceTime servers so no one else could use the exploit during patch development. While that’s all well and good, there’s another side to the story: apparently, Apple potentially knew about the issue for an entire week before disabling Group FaceTime. At least, the potential to know was there: the mother of the teenager who discovered the bug apparently reported the problem multiple times.

She tweeted:

My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport…waiting to hear back to provide details. Scary stuff! #apple #bugreport @foxnews

This tweet was posted on the 20th of January — and we heard nothing about it until the 28th of January. 

Apple’s security team is, generally speaking, an excellent bunch of professionals who remain on the ball with quickly developing patches as needed. Unfortunately, there is an ongoing problem with an inability to reach the right people. Unless you have an inside contact, it’s not easy to raise red flags. Apple must receive tons of bug reports every day, just like any other major company, and triaging those reports is no simple task.

With all that said, the teen’s mother took more steps than the average user might. Not only did she send emails to multiple Apple accounts, but at one point she was directed to sign up for a developer’s account (a $99 cost) to submit a bug report. The fact that she went through so many steps and jumped through so many hoops with no response from anyone inside Apple shows a worrying disconnect in their internal systems. As a result, the right information didn’t get to the right people in time, resulting in a fresh firestorm of bad press.

Hopefully, we will see some improvements in the way Apple handles bug reports following these developments.

Facebook Sidesteps the App Store – and Gets Smacked Down

Facebook’s bad habits surrounding user information and their vampiric need to suck up as much of it as possible — or to allow others the same opportunity — continue to generate new stories. Remember Onavo Protect? This “Facebook VPN” we discussed a year ago on The Checklist was billed as a way for users to browse securely. However, instead of keeping your info away from prying eyes, Facebook skimmed data about where users went and what they did. That was easy enough, of course, since users sent all their activity straight through Onavo’s servers!

Once that became clear, Apple banned the app from the store and ultimately removed it in August of 2018. Now, though, TechCrunch has a story saying Facebook’s been doing something just as unscrupulous… since 2016! Since then, Facebook has handed out payments of $20 monthly to users as old as 35 and as young as 13 willing to install Facebook’s “research” app. 

Of course, Facebook wasn’t doing this directly. Instead, they used several freelancing platforms to hide their involvement. Referred to internally as “Project Atlas,” the goal was to watch for the development of user trends — and to identify potential business rivals early in the game.

Though we don’t know information Facebook gathered specifically, TechCrunch’s reporting indicates that the company could have potentially received info including:

  • Private social media messages
  • Chats, videos, and photos 
  • Emails and web searches
  • Browser history
  • Location data

In other words, the app is practically an open door for Facebook. To get that level of access, users must accept a custom security certificate for the app. This is a built-in feature that can allow for the circumventing of the App Store, and that’s just what Facebook did. Pitching the app as something the user would test, Facebook was able to avoid key App Store restrictions.

Apple had this to say:

“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”

Apple came down hard on Facebook — exceptionally so, because invalidating the company’s Enterprise certificate meant that not only did the Research app cease working, but so too did any internal apps Facebook uses for development. For some, that’s ground their daily work to a complete halt. Late Thursday (the day of this episode’s release), Apple restored the company’s certificate, but not before waiting several days. It’s good to see such a severe response for what must be one of the most egregious violations of App Store rules in some time, yespecially because it seems there may be other companies engaging in similar tactics. 

While Facebook likely covered themselves legally through whatever license agreement users of Research agreed to, it’s just as likely that users had no idea they were handing over so much information. Given how many of the users were teenagers getting $20 a month just to use their phone, it’s no surprise that the program ran for so long.

If you’re concerned about whether something like this is on your device or a child’s device, Apple does have a helpful how-to online for deleting these certificates. You can also check quickly by going to your iPhone and tapping on General -> Settings -> Profile and Device Management. If you don’t see this option, you’re finished. Otherwise, you can tap “Apps Configuration” profile, and then tap “Delete Profile.” Just make sure you aren’t deleting something important from your employer if you use your phone for work. 

Meanwhile, with an update to FaceTime supposedly on the way, at least we can trust that Apple has “put out the fire,” so to speake. While we can’t know for sure whether anyone had their privacy compromised as a result of the Group FaceTime bug we discussed today, it is a reminder that even features we assume are safe can sometimes have hidden surprises waiting for anyone to discover. You can bet that the next time we have an update on this story, you’ll hear about it right here on The Checklist.

Join our mailing list for the latest security news and deals