Apple disables Walkie-Talkie app due to iPhone snooping threat
Apple late Wednesday said it disabled the Walkie-Talkie app on Apple Watch after being alerted to a vulnerability that allows a user to surreptitiously listen in on another iPhone's audio.
In a statement issued to TechCrunch, Apple said it was made aware of the bug through its product security reporting service, which allows developers, researchers and others to flag security and privacy issues via email.
Apple did not specify how the Walkie-Talkie flaw works, but in a statement said the bug "could allow someone to listen through another customer's iPhone without consent." A more detailed rundown might be provided in release notes accompanying a consequent watchOS security update. Whatever the case, the vulnerability is apparently serious enough to prompt Apple to deactivate a major platform feature.
The company told TechCrunch that while the bug has not been spotted in the wild, it has decided to temporarily disable Walkie-Talkie until a fix is in place. Apple will keep the Walkie-Talkie app on user devices as a patch is developed and deployed, suggesting the vulnerability at least partially impacts server-side assets.
Apple's decision to disable Walkie-Talkie is reminiscent of its handling of the Group FaceTime fiasco earlier this year.
In January, teenager Grant Thompson discovered a particularly insidious bug that allowed any iPhone owner to eavesdrop on another user simply by adding that person's number to a Group FaceTime call. The vulnerability granted access to a target device's microphone without user intervention.
As word of the FaceTime exploit spread, Apple was forced to disable the feature until a fix was rolled in an update issued about a week later.
Thompson, whose mother attempted to inform Apple of the bug multiple times a week before it went viral, was ultimately paid a bug bounty and scholarship for finding the flaw.
Apple has not provided an estimated timeline of completion for the Walkie-Talkie fix.
In a statement issued to TechCrunch, Apple said it was made aware of the bug through its product security reporting service, which allows developers, researchers and others to flag security and privacy issues via email.
Apple did not specify how the Walkie-Talkie flaw works, but in a statement said the bug "could allow someone to listen through another customer's iPhone without consent." A more detailed rundown might be provided in release notes accompanying a consequent watchOS security update. Whatever the case, the vulnerability is apparently serious enough to prompt Apple to deactivate a major platform feature.
The company told TechCrunch that while the bug has not been spotted in the wild, it has decided to temporarily disable Walkie-Talkie until a fix is in place. Apple will keep the Walkie-Talkie app on user devices as a patch is developed and deployed, suggesting the vulnerability at least partially impacts server-side assets.
Walkie-Talkie was introduced last year as a tentpole feature of watchOS 5. A modern take on push-to-talk communication methods popularized by two-way radios -- and later transformed into a cellular service option by Nextel and other handset makers -- Walkie-Talkie enables Apple Watch users the ability to send ephemeral audio messages to one another through the cloud.We were just made aware of a vulnerability related to the Walkie-Talkie app on the Apple Watch and have disabled the function as we quickly fix the issue. We apologize to our customers for the inconvenience and will restore the functionality as soon as possible. Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously. We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer's iPhone without consent. We apologize again for this issue and the inconvenience.
Apple's decision to disable Walkie-Talkie is reminiscent of its handling of the Group FaceTime fiasco earlier this year.
In January, teenager Grant Thompson discovered a particularly insidious bug that allowed any iPhone owner to eavesdrop on another user simply by adding that person's number to a Group FaceTime call. The vulnerability granted access to a target device's microphone without user intervention.
As word of the FaceTime exploit spread, Apple was forced to disable the feature until a fix was rolled in an update issued about a week later.
Thompson, whose mother attempted to inform Apple of the bug multiple times a week before it went viral, was ultimately paid a bug bounty and scholarship for finding the flaw.
Apple has not provided an estimated timeline of completion for the Walkie-Talkie fix.
Comments
Also, this issue with Walkie-Talkie has nothing to do with governments of any kind. This is Apple disabling their own 1st party app until they patch it. Now you can complain that the vulnerability shouldn't have been there. Fair enough. It's software though. There are always going to be bugs. It's the nature of the beast. If the same software is continually buggy, say Flash, then complain like there's no tomorrow.
Apple certainly has the ability to disable apps, that's been known for a long time. Apple has also removed apps from local app stores based on government requests. Whether they'd abide by a lawful government order to use the killswitch to remove apps from their customer's phones has not yet been tested, to my knowledge.
So (encrypted) point to communication via its radio chips (transmit and receive); would also be nice to have for an iPhone.
Might be very useful when out of network range, also handy to find dogs etc.
I am getting really tired of this ridiculous overreaction to meaningless "vulnerabilities" (a term completely coopted and used to describe things that are nothing of the sort). We're now a week without one of the advertised features of the device.