There’s a bug in the Apple iPhone in which, during the establishment of a FaceTime session, the caller can activate the receiver’s microphone and camera, without the receiving user knowing. It turns the iPhone at the far end into a old-fashioned bug. Apple will fix this bug quickly, but let’s take time to ask how is such a fault possible, and what does it mean for operating system integrity? 

When Alice’s iPhone A tries to connect to Bob’s iPhone B, it appears that iOS allows a software process running on A to access the microphone and camera services on B, without asking Bob’s permission or even letting him know it’s happening.  Contrast this permissionlessness with the normal Windows experience where PC users are asked constantly to give permission for processes to access their machine.  

As a former real-time systems software engineer, this feels to me like the multi-tasking features of iOS are allowed to run amok.  

Why would one iPhone allow a process running on another iPhone to access the mic & camera without the user's permission? How is that even possible? 

You have to wonder what else can happen, if processes on one iPhone can gain privileged access to another.  Can A load malware onto B? Can A capture the keyboard strokes on B and thus intercept Bob’s PINs and passwords? Can Alice insert herself into the data flows between the camera and the face recognition process on B, to spoof Bob’s biometric? 

Developers and tech company managers love to claim the slogan "Privacy by Design" but if programmers are designing operating systems without any partitioning or permissions, then PbD is just lip service. What are they thinking?

Business Research Themes

Digital Safety & Privacy

Roles

Chief Information Security Officer, Chief Privacy Officer

Tags

facetime bug PbD iOS security