Apple Apologizes for FaceTime Bug, Sets Fix for Next Week

Apple has issued a formal statement to several publications apologizing for the major FaceTime privacy bug that could allow the Group FaceTime feature to eavesdrop on audio and video from other users’ devices.

In the statement, the company apologizes to all customers who were affected directly or indirectly by the issue, and specifically thanks the Thompson family that had originally reported the bug.

Apple also emphasizes that it considers the bug fixed as a result of shutting down Group FaceTime earlier this week, although even in the face of such a serious problem, it offers no explanation as to why it took over a week after the issue was discovered and reported to actually take action.

We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process. 

Statement by Apple

Despite the Thompson family — who Apple now fully credits with finding and reporting the bug — notifying Apple on Jan. 20, it wasn’t until the bug became public knowledge on Jan. 27 and the New York Governor’s office issued an alert that Apple took action by disabling Group FaceTime.

We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.

Statement by Apple

Reading between the lines of Apple’s statement, however, it sounds like the delay was most likely the result of the bureaucratic processes and inertia that plague many large organizations. While there’s no reason to believe that Apple engineers would have delayed addressing the issue, it’s likely that the bug report took longer than it should have to get to the actual engineers who needed to deal with it. Apple notes that it will be focusing on improving these processes, although the company typically provides no specific details on how that process works, beyond implying that in this case, it didn’t work the way it should have.

While Apple originally promised that a software update would appear by the end of this week, today’s statement also suggests that its release has been delayed into next week. However, since Apple has rendered the privacy flaw inert by disabling Group FaceTime on its servers, the main need for the software update is simply to be able to safely reactivate Group FaceTime for its users.

According to analytics from MacRumors, Apple appears to already have iOS 12.1.4 in testing, with traffic to that site showing its first appearance on Jan. 29, the day after the Group FaceTime bug became public, so it appears that Apple is actively working on the update, but the company also has more at stake than usual in making sure that it gets this one right before pushing it out to users and re-enabling Group FaceTime.

It’s also unclear at this point exactly how Group FaceTime compatibility will work going forward. Due to the high profile nature of this issue, it seems likely that Apple may choose to block Group FaceTime from all devices that haven’t updated to iOS 12.1.4, requiring users to apply the update in order to use the feature. This seems even more likely since Group FaceTime was only introduced in iOS 12.1 last fall, making iOS 12.1.4 a very minor maintenance update that Apple likely feels all users should be applying anyway.

The serious privacy implications of this bug has made it a much higher profile issue for Apple than most software problems. At least one lawyer has already filed a lawsuit claiming it was exploited to listen to a private deposition, the New York Governor’s and Attorney General’s Offices are investigating whether Apple has breached consumer protection laws in that state, and at least some U.S. Senators have been speaking out about privacy protections in light of such security flaws, and now a Montreal law firm has applied for a class-action lawsuit against Apple, in what is likely to be the first of many such cases.