Incident: FaceTime Bug Allows Eavesdropping on iPhones - Apple's Response

Published Date: 2019-01-28

Postmortem Analysis
Timeline
1. The software failure incident with Apple's FaceTime occurred in January 2019 [Articles 79870, 79914, 80253, 80454, 87397, 80237, 79859, 79949, 80254, 80334, 80091].

System
1. Group FaceTime feature of Apple's FaceTime application [79870, 79914, 80253, 80252, 80328]
2. Walkie-Talkie app on Apple Watch [87397]

Responsible Organization
1. Apple [79870, 79914, 80253, 87397, 80237, 80091]
2. New York Attorney General Letitia James [79940]

Impacted Organization
1. Apple [79870, 79914, 80253, 87397, 80237, 79859, 79949, 80254, 80328, 80091]
2. New York Attorney General's office [79940]
3. New Yorkers [79940]

Software Causes
1. A bug in Apple's FaceTime software allowed users to listen in on the people they were calling, and even see through their front-facing camera, without the recipient answering the call. The bug was triggered when the initial caller added a third person to a Group FaceTime call [#80252].
2. The bug allowed an iPhone user to call another iPhone user and listen in on their conversations through the device's microphone even if the recipient did not answer the call. It was the result of a glitch in the FaceTime app [#80091].
3. The bug allowed a caller to listen in on the recipient's microphone and even access a live video feed from the recipient's front-facing camera. This happened when the caller added themselves to the call while the recipient's phone was ringing [#80083].

Non-software Causes
1. Lack of an immediate response from Apple to reports of the bug, despite being notified by users and the media [#80091, #79940].
2. Delay in addressing the bug even after Apple was made aware of it, leaving users exposed to potential privacy breaches [#80091, #79940].
3. Failure to warn consumers about the security flaw promptly, raising concerns about user privacy and safety [#79940].
4. Inadequate communication and response mechanisms for users reporting vulnerabilities, leading to frustration and delays in addressing the issue [#80254, #80091].
5. The bug was discovered by a 14-year-old user, highlighting potential gaps in Apple's internal testing and quality assurance processes [#80091].

Impacts
1. The bug allowed users to listen in on the people they were calling, and even see through their front-facing camera, without the call being answered, a significant breach of privacy [#80252, #80091].
2. The bug prompted Apple to disable the Group FaceTime feature and issue a statement acknowledging the issue, promising a fix in a software update later that week [#80252, #80091].
3. The bug raised concerns about Apple's commitment to security and privacy, especially as the company had positioned itself as a protector of user privacy [#80091].
4. The bug led to an investigation by the New York Attorney General's office into Apple's failure to warn consumers about the security flaw and to address the issue promptly [#79940].
5. The discovery of the bug by a 14-year-old in Arizona highlighted how easily the exploit could be triggered, prompting Apple to take the aggressive step of shutting down Group FaceTime chats altogether [#80083].
6. The incident underscored the importance of promptly addressing software vulnerabilities and the need for rigorous vetting of new software features to prevent security breaches [#80083].

Preventions
1. A timely response and action by Apple upon receiving the initial report of the bug from the 14-year-old in Arizona and his mother could have prevented the software failure incident [Article 80091].
2. Improved communication channels and responsiveness from Apple's customer support and security teams, so that reported vulnerabilities are addressed promptly [Article 80091].
3. More rigorous vetting and testing of new software features, such as Group FaceTime, to catch potential security flaws before they are released to the public [Article 80083].
4. Enhanced bug bounty program incentives and clearer reporting channels for non-developers to report security vulnerabilities to Apple [Article 80254].
5. Better coordination and communication between Apple's security and product teams to ensure swift identification and resolution of critical software bugs [Article 80091].

Fixes
1. Apple identified a fix for the FaceTime bug and planned to release it in a software update later that week [79870, 79914, 80252].
2. Apple disabled Group FaceTime, the feature causing the glitch, to prevent further exploitation of the bug [79870, 79914, 80252].
3. Users were advised to disable FaceTime on their devices until the software update was released [80237, 80328, 80091].
4. Apple took the additional step of shutting down Group FaceTime chats altogether as a temporary measure [80083].
5. The New York Attorney General initiated a formal investigation into Apple's response to the FaceTime bug [79940].

References
1. 9to5Mac [79870, 80091]
2. The Guardian [79870]
3. Reuters [79870]
4. CNN Business [80253, 80254, 87397, 80237, 80328]
5. New York Post [79914, 79940]
6. Getty Images [80253, 80454]
7. AFP [80253]
8. Dave Lee [80454]
9. Brian Skoloff [80254]
10. Letitia James [79940]
11. Andrew M. Cuomo [79940]

Software Taxonomy of Faults

Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization:
- Apple faced a software failure incident related to its FaceTime app, where a bug allowed users to eavesdrop on others before they answered the call [Article 80083].
- The bug was discovered by a 14-year-old in Arizona, who found the eavesdropping capability while setting up a chat for a game of Fortnite [Article 80083].
- Apple took the step of disabling Group FaceTime chats and planned to release a fix in a software update later in the week [Article 80083].
(b) The software failure incident having happened again at multiple_organization:
- The incident involved a bug in Apple's FaceTime app that allowed users to listen in on others before they answered the call, which raised concerns about privacy and security [Article 80083].
- The bug was discovered by a 14-year-old in Arizona, who reported it to Apple but received no response for over a week [Article 80083].
- Apple disabled Group FaceTime chats and took aggressive steps to address the issue, indicating the severity of the vulnerability [Article 80083].

Phase (Design/Operation)
Option: design, operation
Rationale:
(a) In the FaceTime incident, the failure in the development phase can be attributed to the design of the Group FaceTime feature. The bug allowed an iPhone user to call another iPhone user and listen in on their conversations through the device's microphone even if the recipient did not answer the call. The flaw was a bug in the FaceTime app for placing video and audio calls over an internet connection, specifically affecting the Group FaceTime feature introduced in iOS 12.1 [Article 80091].
(b) The incident can also be linked to the operation phase. Users could trigger the bug by starting a normal FaceTime call and quickly adding their own number as a third person in a group chat. If the recipient pressed the power button from the iOS lock screen, the caller could hear audio and see video from the recipient's camera, showing how operation or misuse of the system could lead to privacy breaches [Article 80083].

Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system:
- The failure was due to a bug within the system that allowed users to listen in on calls, and even see video, before the call was accepted [Article 79870].
- The bug was triggered by adding a third person to a Group FaceTime call, which gave access to the recipient's microphone even though the call had not been accepted [Article 80083].
- Apple disabled Group FaceTime, the feature causing the glitch, to prevent further exploitation of the bug [Article 79940].
(b) outside_system:
- The bug was discovered by a 14-year-old in Arizona who found the eavesdropping capability while trying to play Fortnite with friends, indicating an external discovery of the issue [Article 80083].
- The New York Attorney General announced a formal investigation into Apple over the FaceTime bug, indicating external scrutiny and legal implications [Article 79940].

Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The FaceTime bug allowed an iPhone user to listen in on the recipient's phone before they answered the call; it was triggered by adding the caller's own number to a Group FaceTime call [Article 80091].
- The bug allowed a caller to access the recipient's microphone and camera without the recipient answering the call, leading to concerns about privacy breaches [Article 80083].
- Apple disabled Group FaceTime because of the bug, and a fix was identified and set to be released in a software update [Article 80091].
(b) The software failure incident occurring due to human actions:
- A 14-year-old in Arizona discovered the FaceTime bug while trying to play Fortnite with friends, leading to his mother's attempts to notify Apple about the security flaw [Article 80091].
- The bug was first reported by a 14-year-old in Arizona who found that he could eavesdrop on his friends during a FaceTime call, triggering concerns about privacy breaches [Article 80083].
- The 14-year-old's discovery that he could listen in on his friends through FaceTime led to his mother's efforts to notify Apple about the issue [Article 80091].

Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident occurring due to hardware:
- There is no information in the provided articles indicating that the FaceTime incident was due to contributing factors originating in hardware.
(b) The software failure incident occurring due to software:
- The incident was due to a bug in the software that allowed users to listen in on the people they were calling, and even see through their front-facing camera, without the call being answered. The bug was triggered by adding the caller's own number to a Group FaceTime call, giving access to audio and video before the call was accepted [80091].
- Apple acknowledged the bug and said a fix would be released in a software update later that week. In the meantime, it disabled Group FaceTime to prevent further exploitation of the bug [80091].
- The bug was discovered by a 14-year-old in Arizona who found that he could eavesdrop on his friends during a FaceTime call. His mother tried to notify Apple about the bug but received no response for over a week [80091].
- The bug was first reported by 9to5Mac and confirmed by CNET, leading to warnings from officials and to the New York Attorney General launching a formal investigation into Apple's handling of the FaceTime eavesdropping bug [79940, 80091].

Objective (Malicious/Non-malicious)
Option: non-malicious
Rationale:
(a) The FaceTime bug was non-malicious. It allowed users to listen in on the people they were calling, and even see through their front-facing camera, without the recipients answering the call. Apple identified the bug and planned to release a software update to fix it [Article 80091]. The bug was discovered by a 14-year-old in Arizona who found he could eavesdrop on his friends while setting up a chat for a game of Fortnite. His mother tried to notify Apple about the bug, but there was no response for over a week [Article 80083]. Apple disabled Group FaceTime chats and planned to release a fix in a software update later in the week [Article 80091].

Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) poor_decisions: The FaceTime incident was due to poor decisions in the software development process. The bug allowed users to listen in on the people they were calling, and even see through their front-facing camera, without the call being answered. Apple faced criticism for its slow response to the bug: a 14-year-old in Arizona discovered the flaw, and his mother tried to notify Apple about it without receiving a timely response [Article 80091]. The bug was discovered on January 19, but Apple did not disable Group FaceTime until more than a week later, after the issue was reported by a separate developer and went viral [Article 80090]. The bug was considered a serious breach of privacy, prompting New York Attorney General Letitia James to launch a formal investigation into Apple's handling of the FaceTime eavesdropping bug [Article 79940]. The incident led to concerns about Apple's commitment to security and privacy, especially as the company had positioned itself as a protector of user privacy [Article 80091]. The bug allowed a caller to listen in on the recipient's microphone and even access a live video feed of the recipient's camera, a significant privacy breach that required immediate action [Article 80083]. Apple's decision to disable Group FaceTime and work on a fix later in the week highlighted the severity of the issue and the need for better decision-making in software development processes [Article 80328].

Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident occurring due to development incompetence:
- The FaceTime bug that allowed eavesdropping on iPhone users was discovered by a 14-year-old in Arizona who found the vulnerability while setting up a chat for a game of Fortnite [Article 80083].
- The bug was reported to Apple, but the company did not respond promptly to the warnings, leading to concerns about Apple's commitment to security and privacy [Article 80090].
- The bug allowed a caller to listen in on the recipient's microphone and even access the recipient's camera before the call was answered, a significant breach of privacy [Article 80091].
(b) The software failure incident occurring due to accidental factors:
- The FaceTime bug was not intentionally created; it was the result of a bug in the software that allowed users to eavesdrop on others without their knowledge [Article 80083].
- Apple acknowledged the bug and said it had identified a fix that would be released in a software update later in the week, indicating that the issue was not intentional but the result of a software flaw [Article 80091].

Duration
Option: temporary
Rationale:
(a) The FaceTime incident was temporary. Apple disabled the Group FaceTime feature to prevent further exploitation of the bug until a software update could be released [79870]. The bug allowed users to listen in on the people they were calling, and even see through their front-facing camera, without the call being answered [80254]. Apple identified a fix for the issue and planned to release it in a software update later in the week [79940]. The bug was discovered by a 14-year-old in Arizona who found he could eavesdrop on his friends during a FaceTime call [80083]. Apple shut down Group FaceTime chats altogether in the interim until the fix was released [80083].
(b) The incident was temporary because Apple took immediate action to disable the Group FaceTime feature and work on a fix [79940]. The bug allowed users to listen in on conversations and even access the camera of the recipient's device before the call was answered [80091]. Apple acknowledged the issue and said a fix would be released in a software update later in the week [80091]. The bug was discovered by a 14-year-old in Arizona who found he could eavesdrop on his friends during a FaceTime call [80083]. Apple's response included disabling Group FaceTime chats until the issue was resolved [80083].

Behaviour
Option: crash, omission, timing, value, other
Rationale:
(a) crash: The FaceTime bug allowed a caller to listen in on the recipient's phone, and even see video, before the call was answered, which is treated here as crash behaviour in the sense that the system lost control and allowed unauthorized access to audio and video [79870, 79914, 80253].
(b) omission: The bug allowed the caller to hear audio from the recipient's phone even if the call was not answered, an omission of the system's intended function of protecting privacy until the call is accepted [79949, 80252, 80091].
(c) timing: The bug allowed the caller to access audio and video before the recipient answered the call, a timing issue in which the system performed its functions too early and exposed the recipient's privacy [80083].
(d) value: The bug allowed the caller to eavesdrop on the recipient's conversations and access their camera, a failure of the system's intended function of maintaining privacy and secure communication, leading to incorrect behaviour [79940, 80083].
(e) byzantine: There is no specific mention of the FaceTime bug exhibiting byzantine behaviour in the provided articles.
(f) other: The bug was described as a glitch that allowed users to listen in on calls and see video before the call was answered, a failure of the system's intended function of maintaining privacy and secure communication [79870, 79914, 80253].

IoT System Layer

Perception
Option: None
Rationale: None

Communication
Option: None
Rationale: None

Application
Option: None
Rationale: None

Other Details

Consequence
Option: property, theoretical_consequence
Rationale:
(a) death: People lost their lives due to the software failure. There were no reports of people losing their lives due to the FaceTime bug. [80083]
(b) harm: People were physically harmed due to the software failure. There were no reports of people being physically harmed due to the FaceTime bug. [80083]
(c) basic: People's access to food or shelter was impacted because of the software failure. There were no reports of people's access to food or shelter being impacted due to the FaceTime bug. [80083]
(d) property: People's material goods, money, or data was impacted due to the software failure. The FaceTime bug was a major privacy/security flaw that allowed users to listen in on, and see video of, the person they were calling before that person picked up, raising concerns about privacy and security. [79870, 79914, 80253, 80454, 87397, 80237, 79859, 79949, 80254, 80334, 80091]
(e) delay: People had to postpone an activity due to the software failure. There were no reports of people having to postpone an activity due to the FaceTime bug. [80083]
(f) non-human: Non-human entities were impacted due to the software failure. There were no reports of non-human entities being impacted due to the FaceTime bug. [80083]
(g) no_consequence: There were no real observed consequences of the software failure. The FaceTime bug had real observed consequences, including the ability for users to eavesdrop on others and see video before calls were answered. Apple disabled Group FaceTime and worked on a fix. [79870, 79914, 80253, 80454, 87397, 80237, 79859, 79949, 80254, 80328, 80091]
(h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur. The potential consequences discussed included the significant privacy/security implications of the FaceTime bug, the possibility of unauthorized access to audio and video, and the need for Apple to address the issue promptly. [79870, 79914, 80253, 80454, 87397, 80237, 79859, 79949, 80254, 80328, 80091]
(i) other: Was there a consequence of the software failure not described in options (a) to (h)? There were no other consequences reported in the articles.

Domain
Option: information
Rationale:
(a) The failed system was related to the information industry. The FaceTime bug allowed users to eavesdrop on others, and even see through their camera, without their knowledge, impacting the privacy and security of communication systems [Article 80254].
(b) The transportation industry was not directly related to the incident reported in the articles.
(c) The natural resources industry was not directly related to the incident reported in the articles.
(d) The sales industry was not directly related to the incident reported in the articles.
(e) The construction industry was not directly related to the incident reported in the articles.
(f) The manufacturing industry was not directly related to the incident reported in the articles.
(g) The utilities industry was not directly related to the incident reported in the articles.
(h) The finance industry was not directly related to the incident reported in the articles.
(i) The knowledge industry, encompassing education and research, was not directly related to the incident reported in the articles.
(j) The health industry, including healthcare and health insurance, was not directly related to the incident reported in the articles.
(k) The entertainment industry was not directly related to the incident reported in the articles.
(l) The government industry, involving politics, defense, justice, taxes, and public services, was not directly related to the incident reported in the articles.
(m) The incident was not related to an industry outside of the options provided.
