Executive Editor, Macworld
JAN 29, 2019 12:19 am PST
In the span of about an hour last night, things went from bad to worse for Apple. What started with the report of a seemingly unbelievable bug ended with the disabling of one of the premium features of iOS 12 as Apple scrambled to save face and prevent an epic privacy snafu.
Here’s what happened: After a tip,
a weird FaceTime bug that let callers eavesdrop on the people they were calling, whether or not the person on the other end picked up or was even aware a call was coming in. The process isn’t exactly easy, involving adding your own number to a Group FaceTime call after dialing, but it’s not beyond the realm of someone triggering it inadvertently either.
Plus, once it was out there, well, it was almost certain to be abused.
At first, Apple merely said they were aware of the bug and would be issuing a fix this week. Being that it was only Monday, that could be as many as five days, an eternity when a nasty bug is out in the wild. About a half hour later, Apple did the right thing: They disabled Group FaceTime via its servers so someone couldn’t try out the bug even if they wanted to. There’s not even a need to disable FaceTime (though I wouldn’t blame you if you still wanted to).
That’s the right thing to do. Coming on the heels of an utter refusal to admit that any range of bent iPads is unacceptable, Apple handled the FaceTime bug quickly and efficiently, and fully mitigated any embarrassing stories (other than the bug itself, of course). After all, updates are generally slow to propagate, so waiting for 12.1.4 to land and then hoping people actually install it could take weeks, leaving a very serious bug on potentially millions of phones, iPads, and Macs.
Privacy and PR
So, let’s give Apple credit where it’s due. It shut down the root of the problem almost immediately and protected its users against nefarious activity. It took its lumps in the press, didn’t make excuses, and sacrificed an important feature in the process. It didn’t try to explain it away or offer a workaround. On the surface, it seems that Apple is putting the safety and security of its users ahead of its products.
But the question remains: How did it happen in the first place? Group FaceTime was delayed from the initial iOS 12 launch, so it’s not like Apple rushed things. And while it’s not an easy bug to duplicate, it’s also not a particularly intricate one, so Apple’s engineers should have spotted it before it was released or at some point over the past three months since it’s been live.
It’s something of a trend at Apple that should have gone out of style by now. Last year, Apple dealt with so many high-profile iOS 11 and macOS High Sierra bugs that it promised it was “auditing our development processes to help prevent this from happening again.” A year later, it seems as though Apple hasn’t actually learned anything from its mistakes.
And what’s worse, Apple seems to have been alerted to this bug before it had a chance to spread around the interwebs. Mark Gurman of Bloomberg spotted a tweet posted on Jan. 20 by Twitter user MGT7 that describes this exact bug. The Arizona-based user tagged Apple Support in the tweet and said they submitted a bug report, so it’s likely someone at Apple saw it. And if they didn’t, why aren’t they taking every privacy complaint seriously, even if it’s from a faceless Twitter user?
So why didn’t Apple take action then? Or at least sooner than last night? Even if they didn’t take the report seriously, someone could have at least tried to replicate it. Had someone done so, it would have set off immediate alarm bells and Apple could have taken the appropriate action before it became headline news. Apple is supposed to have a team dedicated to handling privacy and security issues, yet nothing was done until it reached a fever pitch. I mean, this isn’t an autocorrect bug or a crashing message. It’s a serious flaw with massive privacy implications that could have had catastrophic results.
The reality is Apple is the richest company in the world and privacy is primarily a PR move. While I believe that privacy does matter to Tim Cook and Apple, I also think the company’s profits and PR matter more, and assuming Apple knew about the bug before last night, it was hoping to skate by without needing to publicly disclose the FaceTime bug. And it may have been knowingly putting its customers at risk for weeks, if not months.
The irony of all this is that the bug was discovered on Data Privacy Day, which was marked with a tweet by CEO Tim Cook saying “The dangers are real and the consequences are too important.” It’s hard to argue with those words, especially when it’s your own iPhone that poses the danger.
Michael Simon has been covering Apple since the iPod was the iWalk. His obsession with technology goes back to his first PC—the IBM Thinkpad with the lift-up keyboard for swapping out the drive. He's still waiting for that to come back in style tbh.