Whilst this is a serious issue to be sure, the "Tim Cook must go" vitriol never ceases to amaze me from the trolls that IMMEDIATELY thunder onto Apple sites to litter the comment sections. You people need to get a life...
Yes, this is a BAD bug, no question about it, and it's one that will haunt them for a while, and should've been caught during development, especially considering how long Group FaceTime was delayed for.
But in the end, Apple quickly acknowledged it, and even went as far as to shut down the offending system to prevent this from becoming an actual issue.
And yet now we have calls all over the Internet to have Tim Cook and Jonathan Ive's head's on the proverbial silver platters over this, what idiotic BS!
How many other MASSIVE privacy snafus and monumental bugs made their way into MS and Google products over the years, some of which remain to this day (Stagefight ring a bell?), yet no one calls for those engineers or CEO's heads?
You can think Apple's software quality is currently poor and not be a troll. I think it's currently poor and am a long time supporter who's read this site daily for over a decade because I'm passionate about Apple at its best. I also don't understand the argument that it's ok because it happens to Microsoft and Google? The whole incredible thing about Apple has historically been because they operated at a level where this type of thing very rarely happened. It now quite commonly happens - I'm not looking at this in a vacuum, it's not 'one little thing', it's a developing trend. I don't see how it's 'idiotic' to question whether Tim Cook is the right leader now when he's ultimately responsible for every aspect of the company's performance.
Apple should have high standards, and it actually does. This sort of thing does not commonly happen. If it did, this time would not even be notable. iPhones and the rest of Apple's gear are incredibly complex devices. Add to that millions of people using and misusing them, it is statistically impossible to avoid ever having issues. It's the Law of Large Numbers. Even with that math, these issues are uncommon enough that they get attention when they do happen. Of course you can then subtract out the fairly substantial percentage of 'issues' that get attention but that are in fact overblown nonsense. Think of the release of the first Apple Watch and the furor over the pulse reader not being able to see through ill-placed dark tattoos. It was the End of Times, until it wasn't. Then there was the HomePod release, when the devices were going to leave everyone's furniture everywhere pockmarked with white rings. It was the End of Times again, until it wasn't.
Is this a serious issue? Sure. But unlike the open microphones and cameras on Android and Amazon devices that are actively gathering and selling data, this issue already has a stopgap fix and will likely have a permanent fix in the very near future. It's not o.k. because those devices are worse, but these things don't happen in a vacuum, and I dispute your "developing trend" notion, beyond the statistics inherent in having an increasingly large number of devices in circulation.
It shouldn't have mattered if this particular test was written or not, good engineering practice should have ensured that the mic or camera could _never_ be enabled without active users permission (in this case answering the call).
A nice, simple "experienced engineer's" solution to a problem... that's not really that simple.
The minor flaw in your reasoning lies in the rather obvious fact that for the majority of users, the microphone is ALWAYS ON, with the user's permission. (Hey, Siri, anyone?)
Which switches the issue from simply "enabling" the microphone to under what circumstances is the data stream routed. Further, I'd suspect preliminary streams for video and audio are being setup between all of the participants while the call is being initiated in order to enable "instant" communication and high QOS once the call is actually accepted by all of the parties involved.
So was it "sloppy" engineering or an emergent, unexpected behavior among quite a few highly complex systems?
But hey, let's go with the armchair engineer's solution, especially since it fits so nicely with their preconceptions.
Sorry, but this particular "armchair engineer" has been coding and leading development teams for 20+ years, almost entirely phone and embedded security SW, including the last 8 years doing MFi-certified devices and test equipment for Apple. And yes, the mic and camera subsystems should have been sandboxed and not accessible without user action. Hey Siri is not an exception, it is processed locally, as I'm sure you know.
Whilst this is a serious issue to be sure, the "Tim Cook must go" vitriol never ceases to amaze me from the trolls that IMMEDIATELY thunder onto Apple sites to litter the comment sections. You people need to get a life...
Yes, this is a BAD bug, no question about it, and it's one that will haunt them for a while, and should've been caught during development, especially considering how long Group FaceTime was delayed for.
But in the end, Apple quickly acknowledged it, and even went as far as to shut down the offending system to prevent this from becoming an actual issue.
And yet now we have calls all over the Internet to have Tim Cook and Jonathan Ive's head's on the proverbial silver platters over this, what idiotic BS!
How many other MASSIVE privacy snafus and monumental bugs made their way into MS and Google products over the years, some of which remain to this day (Stagefight ring a bell?), yet no one calls for those engineers or CEO's heads?
You can think Apple's software quality is currently poor and not be a troll. I think it's currently poor and am a long time supporter who's read this site daily for over a decade because I'm passionate about Apple at its best. I also don't understand the argument that it's ok because it happens to Microsoft and Google? The whole incredible thing about Apple has historically been because they operated at a level where this type of thing very rarely happened. It now quite commonly happens - I'm not looking at this in a vacuum, it's not 'one little thing', it's a developing trend. I don't see how it's 'idiotic' to question whether Tim Cook is the right leader now when he's ultimately responsible for every aspect of the company's performance.
Apple should have high standards, and it actually does. This sort of thing does not commonly happen. If it did, this time would not even be notable. iPhones and the rest of Apple's gear are incredibly complex devices. Add to that millions of people using and misusing them, it is statistically impossible to avoid ever having issues. It's the Law of Large Numbers. Even with that math, these issues are uncommon enough that they get attention when they do happen. Of course you can then subtract out the fairly substantial percentage of 'issues' that get attention but that are in fact overblown nonsense. Think of the release of the first Apple Watch and the furor over the pulse reader not being able to see through ill-placed dark tattoos. It was the End of Times, until it wasn't. Then there was the HomePod release, when the devices were going to leave everyone's furniture everywhere pockmarked with white rings. It was the End of Times again, until it wasn't.
Is this a serious issue? Sure. But unlike the open microphones and cameras on Android and Amazon devices that are actively gathering and selling data, this issue already has a stopgap fix and will likely have a permanent fix in the very near future. It's not o.k. because those devices are worse, but these things don't happen in a vacuum, and I dispute your "developing trend" notion, beyond the statistics inherent in having an increasingly large number of devices in circulation.
But this has nothing to do with the number of devices sold - perhaps something like iPads bending due to the manufacturing, you could say when a certain number are sold, some will be faulty - this is a universal software problem that effects 100% of their devices; this has nothing to do with volumes, and everything to do with management. Your suggestion that people 'misusing' their devices? That's the tech equivalent of victim blaming.
Please trust me when I say I'm a huge Apple fan, but surely at this point there's a growing number of people who agree with the argument that Tim Cook must go? I want Apple to thrive but collapsing quality, pace of design, and terrible pricing strategies are now real problems.
I'm sure they are lining up to hear your opinion. Tim Cook has made Apple hundreds of billions of dollars. There is no "collapsing quality." WTF are you talking about? Isolated product issues? And, terrible pricing strategies? Again, WTF are you talking about?
If you head to the homepage of every tech site, including this one, you'll see that Tim Cook himself has now explicitly blamed poor sales on terrible pricing strategies. The top end iPhone costs the equivalent of $1850 - that's 'WTF' I'm talking about.
I don't understand the explanation of activating the exploit. "activate the glitch by calling another FaceTime user and manually adding the originating number to the call as a third party." What does that mean? What is an "originating number"?
@danielhall360 ; The whole incredible thing about Apple has historically been because they operated at a level where this type of thing very rarely happened.
But, that's not true. There's never been an era where Apple software was bug free. That's why you're getting called out.
Your suggestion that people 'misusing' their devices? That's the tech equivalent of victim blaming.
Adding yourself to a Group FaceTime chat that you're already in is literally misusing it — and likely why it was picked up in testing.
If you head to the homepage of every tech site, including this one, you'll see that Tim Cook himself has now explicitly blamed poor sales on terrible pricing strategies.
That's not what he explicitly said, though, and nor is it what it says on the homepage of this site.
@welshdog ; I don't understand the explanation of activating the exploit. "activate the glitch by calling another FaceTime user and manually adding the originating number to the call as a third party." What does that mean? What is an "originating number"?
The phone number of the device you're initiating the Group FaceTime chat from, and adding that as an additional participant which of course would be redundant.
Whilst this is a serious issue to be sure, the "Tim Cook must go" vitriol never ceases to amaze me from the trolls that IMMEDIATELY thunder onto Apple sites to litter the comment sections. You people need to get a life...
Yes, this is a BAD bug, no question about it, and it's one that will haunt them for a while, and should've been caught during development, especially considering how long Group FaceTime was delayed for.
But in the end, Apple quickly acknowledged it, and even went as far as to shut down the offending system to prevent this from becoming an actual issue.
And yet now we have calls all over the Internet to have Tim Cook and Jonathan Ive's head's on the proverbial silver platters over this, what idiotic BS!
How many other MASSIVE privacy snafus and monumental bugs made their way into MS and Google products over the years, some of which remain to this day (Stagefight ring a bell?), yet no one calls for those engineers or CEO's heads?
You can think Apple's software quality is currently poor and not be a troll. I think it's currently poor and am a long time supporter who's read this site daily for over a decade because I'm passionate about Apple at its best. I also don't understand the argument that it's ok because it happens to Microsoft and Google? The whole incredible thing about Apple has historically been because they operated at a level where this type of thing very rarely happened. It now quite commonly happens - I'm not looking at this in a vacuum, it's not 'one little thing', it's a developing trend. I don't see how it's 'idiotic' to question whether Tim Cook is the right leader now when he's ultimately responsible for every aspect of the company's performance.
Apple should have high standards, and it actually does. This sort of thing does not commonly happen. If it did, this time would not even be notable. iPhones and the rest of Apple's gear are incredibly complex devices. Add to that millions of people using and misusing them, it is statistically impossible to avoid ever having issues. It's the Law of Large Numbers. Even with that math, these issues are uncommon enough that they get attention when they do happen. Of course you can then subtract out the fairly substantial percentage of 'issues' that get attention but that are in fact overblown nonsense. Think of the release of the first Apple Watch and the furor over the pulse reader not being able to see through ill-placed dark tattoos. It was the End of Times, until it wasn't. Then there was the HomePod release, when the devices were going to leave everyone's furniture everywhere pockmarked with white rings. It was the End of Times again, until it wasn't.
Is this a serious issue? Sure. But unlike the open microphones and cameras on Android and Amazon devices that are actively gathering and selling data, this issue already has a stopgap fix and will likely have a permanent fix in the very near future. It's not o.k. because those devices are worse, but these things don't happen in a vacuum, and I dispute your "developing trend" notion, beyond the statistics inherent in having an increasingly large number of devices in circulation.
But this has nothing to do with the number of devices sold - perhaps something like iPads bending due to the manufacturing, you could say when a certain number are sold, some will be faulty - this is a universal software problem that effects 100% of their devices; this has nothing to do with volumes, and everything to do with management. Your suggestion that people 'misusing' their devices? That's the tech equivalent of victim blaming.
Victim blaming? Don’t be ridiculous. The person who carries out this exploit is not a victim. To accomplish this exploit, person 1 places a FaceTime call to person 2, and then adds their own number as an additional call before person 2 picks up. That is misusing the system. There are no instructions that say to do that, and there were probably no software engineers to whom it occurred that somebody might ever do that. It is impossible to think of and completely idiot-proof everything. Initially it’s at least remotely possible it could be an unintentional misuse (e.g., a mistake), but everyone who tried it after it went out on social media was blatantly misusing the system. Person 2 may be a victim, but person 1 clearly is not. (Certainly in the case of errors being found by hackers actively looking for them, the hackers are not victims.)
Also, it absolutely has everything to do with the number of devices sold. Even when 100% of the devices contain the erroneous code, if it takes a low probability error to exploit the erroneous code, you have to have a lot of devices in circulation before the problem will turn up.
Think of it this way. There could be code in iOS that would brick the phone if someone uses the phone keypad to enter a specific 25-digit number. A hundred percent of iPhones could carry that code, but you’d have to have a lot of devices in circulation with a lot of users punching in a lot of numbers before anyone would ever inadvertently enter the 25-digit number that bricks the phone.
There are likely millions of users who have placed tens or hundreds of FaceTime calls each since the group feature came out, presumably with the error built in. Eventually, at least one person found the error about a week ago. Meanwhile, millions of others placed a whole lot of FaceTime calls without ever stumbling into it. At least before it was publicized, even though 100% of millions of devices carried the vulnerability, it was clearly a very low probability user action required to find the error. It absolutely has everything to do with the number of devices sold.
I don't understand the explanation of activating the exploit. "activate the glitch by calling another FaceTime user and manually adding the originating number to the call as a third party." What does that mean? What is an "originating number"?
This has to do the with Group FaceTime feature, meaning the feature where you, your sister, your cousin and your grandma can all talk to each other on FaceTime at the same time.
The ‘exploit’ would happen if you started by calling your sister using FaceTime, and then before she picks up, you try to add a second person, but punch in your own number instead (And it reads like you have to type in your phone number, not click on your name in contacts. Who would even do that?). Supposedly the result would be that you could then hear your sister saying “oh, crap, I don’t have time for this” before she accepted the call and acted like she was glad to hear from you. Or alternatively if she chose not to answer, in some cases you could keep on listening in.
Not to diminish the significance of the problem, but anyone who would’ve wanted to use this exploit to spy on someone would have to risk speaking to and being identified by the proposed victim. Seems like a pretty limited use case for malicious activity.
Comments
Is this a serious issue? Sure. But unlike the open microphones and cameras on Android and Amazon devices that are actively gathering and selling data, this issue already has a stopgap fix and will likely have a permanent fix in the very near future. It's not o.k. because those devices are worse, but these things don't happen in a vacuum, and I dispute your "developing trend" notion, beyond the statistics inherent in having an increasingly large number of devices in circulation.
And yes, the mic and camera subsystems should have been sandboxed and not accessible without user action. Hey Siri is not an exception, it is processed locally, as I'm sure you know.
"activate the glitch by calling another FaceTime user and manually adding the originating number to the call as a third party."
What does that mean? What is an "originating number"?
Adding yourself to a Group FaceTime chat that you're already in is literally misusing it — and likely why it was picked up in testing.
That's not what he explicitly said, though, and nor is it what it says on the homepage of this site.
The phone number of the device you're initiating the Group FaceTime chat from, and adding that as an additional participant which of course would be redundant.
Also, it absolutely has everything to do with the number of devices sold. Even when 100% of the devices contain the erroneous code, if it takes a low probability error to exploit the erroneous code, you have to have a lot of devices in circulation before the problem will turn up.
Think of it this way. There could be code in iOS that would brick the phone if someone uses the phone keypad to enter a specific 25-digit number. A hundred percent of iPhones could carry that code, but you’d have to have a lot of devices in circulation with a lot of users punching in a lot of numbers before anyone would ever inadvertently enter the 25-digit number that bricks the phone.
There are likely millions of users who have placed tens or hundreds of FaceTime calls each since the group feature came out, presumably with the error built in. Eventually, at least one person found the error about a week ago. Meanwhile, millions of others placed a whole lot of FaceTime calls without ever stumbling into it. At least before it was publicized, even though 100% of millions of devices carried the vulnerability, it was clearly a very low probability user action required to find the error. It absolutely has everything to do with the number of devices sold.
The ‘exploit’ would happen if you started by calling your sister using FaceTime, and then before she picks up, you try to add a second person, but punch in your own number instead (And it reads like you have to type in your phone number, not click on your name in contacts. Who would even do that?). Supposedly the result would be that you could then hear your sister saying “oh, crap, I don’t have time for this” before she accepted the call and acted like she was glad to hear from you. Or alternatively if she chose not to answer, in some cases you could keep on listening in.
Not to diminish the significance of the problem, but anyone who would’ve wanted to use this exploit to spy on someone would have to risk speaking to and being identified by the proposed victim. Seems like a pretty limited use case for malicious activity.