The story of a video chat flaw uncovered by a teenager

David Strom, 21 January 2021

The bug made it easy for members to be added to a group call before they actually picked up

You might have missed the news about a FaceTime bug that was found about a year ago. The bug enabled anyone to start a group FaceTime call with one of your contacts, even if that person didn’t explicitly accept the call. 

Apple disabled group FaceTime calls for a couple of days until it was able to issue a patch in iOS 12.1.4. Since then, Google security researchers have been busy finding the same bug in other group chat apps including Signal, JioChat, Mocha, Google Duo, and Facebook Messenger.

The bug has another noteworthy element besides its wide-ranging attack surface: how it was first uncovered. That was thanks to Grant Thompson, a 14-year-old high school student in Tucson, Arizona, at the time. Leading up to the bug's discovery, Grant had been playing a game of Fortnite with his friends via FaceTime. As he set up a group FaceTime call with his friends, he noticed something odd — he could hear one of them speaking before he ever answered the phone. When Thompson reported the bug, Apple initially ignored him, and it eventually awarded him a bug bounty only after his mother doggedly pursued credit and applied through its developer program.

The underlying mechanics of the exploit

Let’s look at the bug's actual mechanics. To get into these details, I should first describe the WebRTC protocol, which is the open standard that adds real-time communication capabilities to your app. It allows video, voice, and generic data to be sent between peers, letting developers build powerful voice- and video-communication solutions.

The key word above is peer, which is both an opportunity (it allows you to have one-to-one and group chats) and an issue. Because a web connection isn’t stateful, you need some other way to maintain call state among the chatting endpoints; this involves setting up the calls using another protocol called Session Description Protocol (SDP). This peer-to-peer setup process is called signaling, and WebRTC itself doesn’t implement it: each app has to build its own.

In the year since the original FaceTime bug, security researcher Natalie Silvanovich of Google’s Project Zero has been tracking this problem and has recently posted the details of her research. She found that the way SDP signaling was implemented by the applications made it easy for the receiving party of a group call to be added before actually picking up the call (or doing anything at all on their end). She also found that both Telegram and Viber don’t have this issue because of the way they structure their calls.

Silvanovich points to developer awareness as the remedy. “It is rare to find WebRTC documentation or tutorials that explicitly discuss the need for user consent when streaming audio or video from a user’s device,” she says. Silvanovich admits that the exploit wasn’t something she had come across previously. Hopefully, that will change now that her research has come to light.
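To make the consent gap concrete, here is an added illustration (not code from this post or from any of the apps it names): a toy callee-side signaling handler in JavaScript, with the real WebRTC calls replaced by a stub and the message shapes assumed, that contrasts the weak pattern (media starting on the caller's signaling alone) with a version that waits for the user to accept.

```javascript
// Added illustration, not code from the post or any app it names. Real WebRTC
// calls are replaced by the startMedia() stub; message shapes are assumed.
const IDLE = 'idle', RINGING = 'ringing', CONNECTED = 'connected';
class CalleeSession {
  // consentGate=false reproduces the weak pattern: media starts on signaling alone.
  constructor(consentGate = true) {
    this.consentGate = consentGate;
    this.state = IDLE;
    this.pendingOffer = null;
    this.outbound = [];          // signaling messages we would send back
    this.mediaStreaming = false; // would our mic/camera be live right now?
  }

  // Every inbound signaling message from the caller passes through here.
  handleSignal(msg) {
    if (msg.type === 'offer' && this.state === IDLE) {
      this.state = RINGING;
      this.pendingOffer = msg;
      this.outbound.push({ type: 'ringing', inReplyTo: msg.id });
      if (!this.consentGate) this.startMedia(); // no user action yet: the flaw
      return true;
    }
    // Nothing else the caller sends may advance the session; only the user can.
    return false;
  }

  // Called from the UI only when the user actually taps "accept".
  userAccepted() {
    if (this.state !== RINGING) return false;
    this.startMedia();
    return true;
  }

  // Stand-in for getUserMedia + addTrack + createAnswer: where media would leave the device.
  startMedia() {
    this.mediaStreaming = true;
    this.state = CONNECTED;
    this.outbound.push({ type: 'answer', inReplyTo: this.pendingOffer.id });
  }
}

// Deliver a constructed offer and a follow-up message with no user action and
// report whether local media ended up live (true means consent was bypassed).
function mediaLiveWithoutConsent(consentGate) {
  const s = new CalleeSession(consentGate);
  s.handleSignal({ type: 'offer', id: 'offer-1' });
  s.handleSignal({ type: 'ice-candidate', id: 'cand-1' });
  return s.mediaStreaming;
}
```

The only thing that may call startMedia() in the gated version is the user's own accept action, which is the check the research says tutorials rarely mention.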

Shall we worry about our video chats?

Here's where things stand with this exploit: thankfully, the developers have been working on fixes. All of the apps mentioned at the top of this post have been fixed over the past year, and if you haven’t updated them recently, you should do so now. Ironically, the last app to have this bug quashed was Google Duo, which was updated about a year ago.

The process of finding this bug shows that security lapses can happen anywhere, and be found by anyone — including a teenage gamer. 
