If you have recently used Apple’s group FaceTime video chat, you may have inadvertently let people eavesdrop on you. A bug in the new group chat function allowed callers to remotely activate the microphone on another person’s iPhone, iPad or Mac for a limited time without that person’s knowledge, and hear whatever sounds the microphone picked up.
How the bug worked
Taking advantage of the bug was easy and needed no expertise. You simply had to start a FaceTime call with a contact and then, before the contact picked up, start a group call. You then added your own phone number to the call, which allowed you to hear the audio of the person you called before they picked up.
Once you dialled the number you could listen to the audio until the call rang out or was rejected. If the recipient of the call pressed the power button from the lock screen, they would unknowingly send a live video feed to the caller.
This was not a new piece of malware designed by cyber criminals. Rather, it was a design flaw that had not been previously identified in the FaceTime app.
How the bug went viral
After being alerted to the bug by a user, Apple responded by disabling FaceTime and began working on a software update to fix the problem. Yet, despite the company’s response, information about the bug had already gone viral on social media with videos instructing people how to eavesdrop.
This issue serves as a timely reminder about the importance of privacy and security concerns for organisations as well as individuals.
‘It’s critical that organisations continue to educate their managers and staff to be vigilant and understand that different forms of communication offer different levels of security,’ says Daniel Muchow, RiskLogic’s Head of Cyber Security. ‘There is a perception that Apple products may be more secure, which can make people complacent or overly trusting. Regardless of the technology your organisation uses, it’s good business practice to train staff to be mindful about what they say and to be aware that someone could be eavesdropping at any time. It really comes down to operating from a baseline of zero trust.’
Managing cyber risk
RiskLogic, a leading provider of resilience services to private, public, government and not-for-profit organisations, believes a robust and tailored cyber security response strategy is critical in preventing a data hack or breach. Where appropriate, this strategy should include a focus on application security to detect bugs and vulnerabilities as soon as possible.
With the lightning-fast speed of communication through social media and the increasing sophistication of technology, even a small bug can have an immediate and far-reaching impact. It’s essential that organisations have a comprehensive cyber security strategy in place, regularly exercise response plans and are prepared for a potential security or privacy breach.
For help developing a cyber response plan or advice on how to make your organisation more resilient, contact RiskLogic today on 1300 731 138.