
Security Week 06: Live on FaceTime

The main event of last week was a bug in iOS 12, the operating system for Apple mobile devices. The Group FaceTime feature, which lets you set up a conference call with several users at once, can be used to eavesdrop on what is happening on the called party's side without their knowledge. Later it turned out that Group FaceTime can also be exploited for spying through the camera. Although this method has little practical value, it is still a failure of data protection, and Apple has temporarily disabled the ability to create group audio and video calls.

The FaceTime vulnerability is very similar to dozens of previously discovered and fixed ways to bypass the screen lock: in every case, the security hole forms at the junction of different iOS components. Adding group calls to Apple's own messenger had already led to yet another lock screen bypass. Back in November, researcher Jose Rodriguez was able to bypass the lock like this: call the victim's phone over FaceTime, answer the call (this can be done without unlocking), and try to add other participants to the conversation, which gives access to the phone book. The problem discovered in January was much more serious.

Bypassing Lockscreen on iOS 12.1 looked like this:


Group FaceTime was announced in June last year as part of the upcoming iOS 12 release. In late October, the update was made available to all owners of Apple devices. Since then, the company has released three operating system updates, fixing not only the lock screen bypass bug but also several ways of carrying out a DoS attack, discovered by Natalie Silvanovich of the Google Project Zero team. In all cases, the denial of service was caused by a specially prepared video stream sent to the target device via FaceTime. The vulnerabilities affected not only iOS but also macOS.


The latest set of fixes at the time of publication was released on January 22, but the problem with group calls has not yet been closed. Presumably, the first person to discover the vulnerability was a 14-year-old gamer. He set up a FaceTime call to play Fortnite together and found that he could hear the other participants talking, although they had not answered the call yet.


In the discussion under the tweet, you can see what happens when you discover a serious vulnerability in iOS: a flock of journalists descends on you. The gamer's mother reported the problem to Apple, and she had to create a developer account to send information about the vulnerability. And the vulnerability looks like this:


Reproducing the problem is very simple. You need to call another subscriber and, while the call is ringing, create a group call by adding one more participant to it (you can add yourself). Immediately after this, you can hear what is happening on the other side, although the subscriber has not yet answered the call. The scheme is described in more detail, with pictures, here; on Reddit, users confirm that the called subscriber also hears you, although they still have not answered the call. In other words, the microphone and speaker on the devices are activated immediately after the conference call is created, and it is not necessary to answer it. Conveniently!


On January 28, the media wrote about the problem. On January 29, the vulnerability was extended to video calls using a similar pattern: you need to add yourself to the group call, and then answer this invitation from a second device. In this case, the victim's camera is also activated without their consent. On the same day, Apple temporarily disabled the Group FaceTime service. About a week passed between the initial problem report and the interim solution.

Among the large companies that process huge amounts of sensitive information, Apple is considered one of the most reliable. Such an incident is a serious blow to its reputation, although it does not seem to be much different from other information leaks. There was a problem, the problem was solved, and if someone wanted to take advantage of the vulnerability, that possibility existed for about 24 hours. Unlike the data access problems at Facebook, Google or Twitter, the Group FaceTime problem could hardly be used on a large scale. Nevertheless, unauthorized access to the microphone and camera in any form will always be perceived as a serious problem, although it is precisely the cases of personal information falling en masse into the hands of unknown people and organizations, for a long time and without any possibility of control.


Speaking of massive and long-lasting. The story of the leak of a giant database of logins and passwords continued last week. Collection #1, leaked in mid-January, was only part of an even larger database of seven archives. The total amount of data is close to a terabyte. This is, of course, an impressive stock of once-private information, but by and large it changes nothing: switching to strong, one-time, regularly updated passwords with two-factor authentication is necessary regardless of the size of the leaks.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The dear editors generally recommend treating any opinions with healthy skepticism.

Source: https://habr.com/ru/post/438868/