Has your one-on-one FaceTime call ended? Are you sure?
Recently disclosed computer bugs affecting Apple software allow snoops to eavesdrop on people’s FaceTime conversations. The company revealed the security holes as part of bundles of patches included in its latest software updates for Mac and iPhone devices.
Apple released few details about the bugs, saying only that “An attacker in a privileged network position may be able to cause a relayed call to continue transmitting audio while appearing as if the call terminated.” In other words, man-in-the-middle attackers, as digital interlopers are known, can continue to listen in on a call, even when a victim believes that call has ended.
To put it plainly: You may think you’ve hung up, but snoops remain on the line. (Best to avoid connecting to untrusted or public Wi-Fi networks, in this case.)
“User interface inconsistencies existed in the handling of relayed calls,” Apple wrote, rather opaquely, on its software security page.
Martin Vigo, a security engineer at Salesforce, was credited with reporting the issues to Apple. The bugs are classified as CVE-2016-4635, an identifier in the “common vulnerabilities and exposures” database, the standard taxonomy for software flaws.
Vigo, who earlier did research on the password manager LastPass, said Monday in a post on Twitter that “other related vulns” (short for “vulnerabilities”) in Apple’s FaceTime still needed fixing. More information about the issues likely won’t come to light until Apple has addressed them.
Earlier this year a Texas company won $625 million from Apple for infringing on patents related to the technology behind FaceTime. Last week, Recep Tayyip Erdoğan, Turkey’s democratically elected president, used FaceTime to deliver a message to his country during an ultimately failed military coup.
As always, Apple users are advised to download the updates—OS X El Capitan v.10.11.6 and iOS 9.3.3, to be exact—as soon as possible to protect against attacks exploiting the described flaws. Until more is known though, it might be wise to keep sensitive chatter to another channel.