Apple immediately disabled its Walkie Talkie app for its Apple Watch when it discovered a vulnerability that allows a user to listen in to another user’s iPhone.
The Walkie Talkie app on the Apple Watch lets users receive audio chats without having to call one another. It is routed through FaceTime audio and uses a “push-to-talk” interface. The feature was introduced in Apple’s watchOS 5.
Apple sent a statement to TechCrunch on Thursday to discuss the vulnerability. It reads: “We were just made aware of a vulnerability related to the Walkie-Talkie app on the Apple Watch and have disabled the function as we quickly fix the issue. We apologize to our customers for the inconvenience and will restore the functionality as soon as possible.”
Apple did not disclose how the vulnerability has affected the Walkie Talkie function. Speculating on Apple’s statement, the breach could possibly be that when two users are connected to the Walkie Talkie chat, any incoming FaceTime calls can be accessed by one or the other, even if they are not meant for either one of them.
The tech giant acted quickly to reiterate to users that privacy is one of its top priorities. Apple also wanted to ensure its users’ data security is not breached. It reported that there were no signs of an actual breach when it first learned about the vulnerability.
Apple wrote: “Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously. We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent. We apologize again for this issue and the inconvenience.”
The company learned about the bug through a report from its “Report a security or privacy vulnerability” portal. Once Apple receives a report, it carries out an investigation. Only when the investigation is done and the necessary updates are ready will the company disclose it to the general public.
The feature is still installed on Apple Watches. However, until Apple has fixed the bug, users won’t be able to use it.
Recent security issues with Apple products
This is not the first time this year that Apple has disabled a feature due to possible security and privacy issues.
Last January, Apple also disabled its Group FaceTime function in both iOS and macOS, following reports of a privacy vulnerability.
A user reported that a bug in the FaceTime video calling feature lets a caller listen in on the recipient before the recipient picks up. The mix-up is that FaceTime is tricked into thinking that a group call is already ongoing. If a group call is ongoing, FaceTime activates the phone or laptop’s microphone. The caller can listen in on the recipient’s conversation even without the recipient answering the call.
Another tricky part of the bug is that if the recipient presses the volume down button or the power button to dismiss the call, the phone’s camera turns on and the caller can spy through it.
The bug was present in iOS 12.1.2 and was fixed in iOS 12.1.4 in February.
Similar to the Apple Watch Walkie Talkie bug, the Group FaceTime bug was reported through the portal. Grant Thompson, a 14-year-old student, reported the bug early in January, before Apple took action on it towards the end of the month.
Thompson enlisted the help of his mother so that he could report the bug. Mrs. Thompson sent several emails to Apple but did not get a response immediately.
Because of Thompson’s efforts in reporting the bug, Apple has credited him for it in official updates and press releases. The company also gave him reward money through Apple’s bug bounty program.
Mrs. Thompson told CNBC that a high-level Apple executive met with Grant in their hometown of Tucson, Arizona. The executive thanked the Thompsons and informed them of the bug bounty reward. The Apple executive also asked for feedback on how to improve the company’s vulnerability reporting process.
Thompson’s reward will be saved to secure his college funding. The whole experience also encouraged the young man to continue pursuing his interest in technology. “If he got some kind of bug bounty for what he found, we’d certainly put it to good use for his college because I think he’s going to go far, hopefully. This is actually a field he was interested in before and even more so now,” Mrs. Thompson said.
The teen discovered the bug while discussing strategy for the game Fortnite with his friends via a FaceTime group call.
Since this incident, Apple has improved its response time when it comes to investigating and responding to vulnerability reports.