A teenager from Arizona uncovered a bug that turns iPhones into eavesdropping devices while trying to play a game of ‘Fortnite’ with his friends.
Grant Thompson, a 14-year-old high school student in Tucson, wanted to chat with friends when he discovered a major bug in Apple’s popular Group FaceTime feature.
Thompson called his friend Nathan using FaceTime, but Nathan didn’t pick up on January 19.
Thompson then swiped up and added another friend, a move that instantly connected him with Nathan, whose phone was still ringing.
Michele Thompson (pictured) said her son told her he had discovered a bug in Apple’s ‘Group FaceTime’ feature that allows callers to hear and see those they are reaching out to on iPhones.
The youngster had discovered a bug that allowed him to force other iPhones to answer a FaceTime call, even if the other person doesn’t take any action.
Apple has since disabled the ‘Group FaceTime’ feature, and a software update to fix the bug is expected to be released.
The bug is triggered when callers add themselves to the same call to launch a group chat. That makes FaceTime think the receiver had accepted the chat.
It lets people hear and even see those they are reaching out to on iPhones using the video calling software, sparking privacy fears.
Michele Thompson said she spent days trying to alert the tech giant to the glitch before it announced it was disabling the feature on Tuesday.
Grant’s mother Michele, a lawyer, said she had tried repeatedly to contact Apple about the privacy glitch between her son discovering it and Apple announcing that it was disabling the feature on Tuesday.
Thompson said she tried everything she could think of to get Apple’s attention. She emailed, called Apple and tweeted CEO Tim Cook and even faxed a letter on her law firm’s letterhead.
‘It was very frustrating getting them to respond. I get it. I’m sure they get all sorts of kooks that try to report things to them,’ she told CNN Business.
A freshman in high school, Grant told CNN Business he’s ‘pretty into technology and stuff’ and thinks it would be cool if Apple acknowledged his find.
The glitch affects devices using versions iOS 12.1 or later. Apple has taken its Group FaceTime feature offline following the discovery of the bug (file photo)
‘We tested a few more times and found out we could get people to force answer FaceTime calls,’ Grant told CNN Business.
‘After we confirmed that it worked, I went and told my mom.’
Apple has a bug bounty program that offers financial rewards for some discoveries.
The program, launched in 2016, pays up to $200,000 for detecting bugs, but some third-party companies will offer more.
Thompson said that she hoped her son might be able to claim a bounty for the bug but that the process required technical knowledge she didn’t have.
Although she said they didn’t report the issue for a reward, she believes Apple should acknowledge her son.
‘Apple should reward people for reporting things of this nature, not just reward the developers or the people who are savvy with tech,’ said Thompson. ‘I think just thanking him would be great,’ she said.
The bug, demonstrated through videos online, comes as an embarrassment for a company that is trying to distinguish itself by stressing its commitment to users’ privacy.
‘This is a big hit to their brand,’ said Dave Kennedy, CEO of Ohio-based security firm TrustedSec.
‘There’s been a long period of time people could have used that to eavesdrop. These things definitely should be caught prior to ever being released.’
The glitch emerged publicly on Data Privacy Day, which Apple chief executive Tim Cook (pictured) had tweeted about, calling for ‘vital privacy protections’.
There is no longer a danger from this particular bug as Apple disabled group chats, while regular, one-on-one FaceTime remains available.
It’s hard to know if anyone exploited the bug maliciously, said Erka Koivunen, chief information security officer for Finnish company F-Secure.
He said it would have been hard to use the bug to spy on someone, as the phone would ring first – and it’s easy to identify who called.
Apple said Tuesday that a fix will come in a software update later this week. Apple declined to say when it learned about the problem.
The company also wouldn’t say if it has logs that could show if anyone took advantage of the bug before it became publicly known this week.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation said the 14-year-old’s discovery of the problem ‘just tells us a lot about reporting security bugs depends on knowing the right person.’
Galperin said Apple should develop a better process for fielding reports about potential security flaws.