Home » Cybersecurity » IoT & ICS Security » Massive Apple FaceTime Privacy Bug, Selling Your Privacy for Money, Insecure Smart Light Bulbs – WB54

Massive Apple FaceTime Privacy Bug, Selling Your Privacy for Money, Insecure Smart Light Bulbs – WB54

by Tom Eston on February 4, 2019

Watch this episode on our YouTube Channel!

This is your Shared Security Weekly Blaze for February 4th 2019 with your host, Tom Eston. In this week’s episode: The massive Apple FaceTime privacy bug, selling your privacy for money, and insecure smart light bulbs.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

In breaking news this past week, a very serious privacy bug in Apple FaceTime was found by a 14-year-old high school student who was trying to FaceTime his friends while playing Fortnite. The bug allows someone to force other Apple devices that have FaceTime installed (everything from iPhones, iPads and laptops or Mac’s running newer versions of macOS) to answer a FaceTime call, even if the other person doesn’t take any action. Essentially, this turns an iPhone into a surveillance device where the microphone stays active. If you’re interested in learning more about the fascinating story on how this bug was discovered and the painful path that this 14-year-old and his parents had to take to notify Apple of the issue, check out the link provided in our show notes for this episode. In response to this bug, Apple has disabled group FaceTime functionality but it’s still not a bad idea to turn off FaceTime in your Apple device settings until a patch is released. Apple states that an update will be issued in coming weeks. In the meantime, be sure to follow the podcast on Twitter, Facebook and Instagram for the latest updates on when a patch will be released.

Sponsorships Available

Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.

Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.

Visit edgewise.net to get your free month of visibility.

Facebook was in the news once again this past week when it was revealed in a TechCrunch story that Facebook was secretly paying users, from 13 to 35 years old, up to $20 per month plus referral fees to install an app called “Facebook Research” or known internally at Facebook as “Project Atlas”. This app is essentially a VPN and allowed Facebook to capture almost all data being used on an a personal Apple device including messages, photos, phone call data, and web browsing history. Facebook even went as far as to distribute this app outside of the Apple AppStore through Apple’s Enterprise Developer Program, which Apple designed for companies to distribute apps within an organization. The TechCrunch story prompted Apple last week to revoke Facebook’s access to this program as a terms of service violation because Facebook was using the Enterprise Developer Program to distribute “internal only” apps to the public.

Dan Goldstein, president and owner of Page 1 Solutions, a digital-marketing agency says “This shows, once again, that Facebook doesn’t value user privacy and goes to great lengths to collect private behavioral data to give it a competitive advantage. The FTC is already investigating Facebook’s privacy policies and practices. As Facebook’s efforts to collect and use private data continue to be exposed, it risks losing market share and may prompt additional governmental investigations and regulation”. In related news, Google has removed a similar app called “Screenwise Meter” from Apple’s Enterprise Developer Program in fear that Apple would also revoke their access to this program. Google was doing the exact same type of thing where they were using a program designed to be used internally by organizations to distribute an app to the public. Screenwise Meter is very similar to the Facebook Research app in that it collects similar data such as browsing history.

It seems that we’re starting to see more instances of tech companies offering money or other incentives in return for your private data. What do you think? Is this creepy or just the new world we live in? Would you participate in one of these programs where you allow access to your private photos, web browsing history and phone calls in return for money and gift cards? Let us know by commenting on our social media feeds and the show notes for this episode.

Don’t just throw away that cheap smart lightbulb that just went bad. Instead, you may want to smash it with a hammer before throwing it out as many of these lightbulbs appear to be storing sensitive information like your Wi-Fi password and other secrets. But is this news really that concerning? Well, in a series of blog posts posted by “Limited Results”, a blogger shows how easy it is to access the firmware of several different low cost smart lightbulb’s. These are products that you would typically find for sale on Amazon. Once the firmware was dumped to a computer, simple searches revealed network login information such as Wi-Fi network SSID’s and passwords, and other information like root certificates and private keys. The problem? Many cheap products like these take a lot of shortcuts by storing private information insecurely on the device.

Now, I wouldn’t be surprised if we see similar issues with most devices that fall into the category of the “Internet of Things”. From smart thermostats, sprinkler systems, power outlets and more, we should assume these devices are also prone to similar flaws. And that is, not building security in from the beginning when these products are designed. Unfortunately, much of the advice that I see being mentioned to better secure these devices are to only install them on a separate, segmented wireless network that is different than the one that you’re using for Internet access. While that seems reasonable, how many of us are actually doing this in practice? I’ll bet that the average home user of these products wouldn’t even think about this or know how to set up a separate network in the first place. In fact, most people don’t even know how to change the default network name or set a secure password to begin with. But ultimately, the risk of these devices falling into the wrong hands, and the work it takes to extract sensitive information is probably not worth the time of most criminals. I think there is a greater risk of your home being broken into by a thief through a window than getting your Wi-Fi password extracted from one of these devices.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.