Apple has a reputation for being careful about its users’ privacy, at least relative to other internet giants. The company has even been using that as a selling point to differentiate itself from various scandal-plagued rivals. But when Apple fouls up, sometimes it really fouls up. And the trust its users place in its products can magnify the impact of its errors.
Case in point: A glaring bug that went public Monday night allowed people to listen in for a short time via your phone or laptop’s microphone by calling you on FaceTime, even if you didn’t answer. They could do this by making it a three-way call, then adding their own number as the third party, before you picked up. Scarier still, BuzzFeed found that if you pressed the volume down button on your iPhone to make the phone stop ringing, it activated your front-facing camera and they could watch video of you as well.
Apple temporarily closed the loophole by disabling group FaceTime calls altogether. (You can still use FaceTime one-to-one.) The company said it’s working on a more specific fix to the problem, which will come as part of a software update later this week.
NBC News reports that the bug was found by a 14-year-old Fortnite player on Jan. 19, but that he and his mother struggled to bring it to Apple’s attention.
It isn’t clear to what extent the bug was actually exploited by hackers to spy on people. One mitigating factor is that they couldn’t spy on you without actually calling you on FaceTime, and could only do so for the short time that the phone was ringing before you either answered or it timed out. So if you don’t have missed FaceTime calls from unknown numbers, you probably weren’t affected. Still, it’s troubling that the bug remained exploitable for more than a week after it was reported, and several hours after it began making headlines, before Apple issued its blunt fix.
What is clear, now more than ever, is that the cameras and microphones on your devices can be used against you.
Thanks in part to Apple, most of us have come to accept a world in which we keep these types of sensors in our homes (on our laptops and smart speakers) and carry them around with us everywhere (on our phones). We tend to assume there’s no one on the other end listening or watching unless we’re actively using them to communicate, and surely most of the time that’s true.
But there’s a reason why tech-savvy people put tape over their laptop cameras and sometimes microphones (including, famously, Mark Zuckerberg), and this is a good illustration of it. It isn’t necessarily that companies such as Apple, Google, Facebook, and Amazon don’t care about protecting their users’ privacy, although that can seem like the case at times. It’s that they’ve all grown so big, and have so many different pieces of software with so many types of access to your devices, that lapses like this would be inevitable even if they really did care.
A corollary to this point is that while you may “trust” some big tech companies (say, Apple) more than others (say, Facebook), security bugs happen to everyone. Products made by companies with a track record of lax attitudes toward user security should absolutely be treated with caution. But products made by companies with a strong record on security can betray you, too. The more intimate access you grant a product, the greater that risk. Your smartphone is a security vulnerability that you carry around in your purse or pocket all day.
Apple’s savvy marketing around privacy, as well as some high-profile stands such as its refusal to help the FBI unlock a mass shooting suspect’s iPhone, also shouldn’t obscure the company’s history of occasionally disastrous security flaws. An infamous 2017 bug allowed pretty much anyone to log into a Mac running High Sierra just by typing “root” as the username. And while this wasn’t an Apple security breach, per se, hackers used phishing attacks to gain access to numerous celebrities’ iCloud accounts, posting nude photos of them online.
Responding to the FaceTime bug in the Atlantic, Ian Bogost writes that “tech paranoiacs have been totally vindicated.” That’s basically true, at least from a theoretical standpoint. In practice (as Bogost acknowledges), we aren’t all going to ditch our phones or turn off the Internet. But if you haven’t put tape over your laptop’s camera; if you don’t mute your smart speaker when you aren’t using it; if you don’t turn off your phone’s GPS when you’re at home… now would be a fine time to start doing those sorts of things.