On October 20th, 2018, Apple announced Group FaceTime for its iOS devices. Three weeks later, on Mon., Jan. 28th, Apple announced a major flaw in this new feature. If someone initiated a FaceTime call, and then added themselves to it, the phone of the original person would start transmitting their audio before they picked up. Therefore, the person making the call could eavesdrop on the other party without them knowing. This made international news, and I am sure this is not the first time you are hearing about it. However, I think it serves as a stark warning for anyone who works with equipment that is attached to the internet.
The first lesson we can learn from this flaw is how it was discovered. According to news reports, it was discovered accidentally by a teenager in Arizona who was trying to set up a FaceTime group to play video games with his friends. That’s right — this was not a hacker in the basement trying to find a secret hidden hole. It was a kid who just happened to hit the wrong button. The lesson is, you don’t want to be the person who is hit by something that you should have caught. A question such as “What happens if I add myself to this call?” is something every developer would (or should) ask as they develop these tools. This flaw is akin to someone breaking into your systems because you never changed the default username and password. The first lesson in securing your systems is to do the very obvious things first. So, go and change your passwords and usernames now. Go and update the firmware of any devices that have had security patches put out. Go and put your systems behind your corporate firewall. Do all of these very easy things and do them NOW!
The second lesson we can gather from this is the reaction from Apple. According to news reports, this flaw was discovered at least a week before Apple went public with it. The mother of the boy who discovered it apparently tried in vain to reach Apple and let them know about the flaw. The response she got, when she finally got one, was that she should become a developer and report it that way. It seems that it was finally reported by a developer after that developer read about the flaw on social media. Then, after it went public on January 28th, it still took Apple until 10 p.m. that evening (according to their status page) to turn off Group FaceTime. We can learn from this that we need to be prepared for such a breach or flaw. You should have a plan in place for what you do when you learn about a problem, and you should make it very easy for someone to report it to you. If you learn of an issue, your plan should include how you communicate with your customers, with your staff and what actions you will take to remediate the problem. A proactive “we want to prevent a problem” will always be received better than a reactive “I’m sorry, but” response.
Securing the equipment on your network is an enormous task — perhaps so enormous that many people can’t wrap their heads around it and therefore simply stick their heads in the sand. We know this is not the appropriate approach, but where do we start? In my first lesson learned above, I gave you the first place to start. That is reasonably easy and you can spread tasks out among your staff. The second place to start is where, if there was a breach, your company would suffer the most consequences. When I think of these places, I think of R&D in large firms. You don’t want your research getting out. Another place may be the financial offices or your salespeople. You don’t want your customers’ contact information stolen, and you don’t want other firms knowing your financial standings or what you are going to bid on upcoming projects. Take those spaces first. Do one at a time, and then move on to the next one. Eventually, you will get to a point where you have done more than you expected.
Security in the age of ubiquitous connections is a scary and tremendous challenge. However, the worst thing you can do is pretend that it will never happen to you. When you have to sit down with auditors, post-breach, you will want to be able to tell them you did everything you possibly could to prevent it. Additionally, you will want to look your customers in the face and tell them the same.