Fourteen-year old Grant Thompson was just trying to play video games with friends on a day off from school when he made an alarming discovery: a bug in Apple’s FaceTime tool that could turn iPhones into eavesdropping devices.
On Monday, more than a week later, Apple disabled its Group FaceTime feature after other users detected the bug and posted videos of it in action on social media.
Apple told CNN Business in a statement it identified a fix for the issue and plans to roll out a software update later this week.
In the nine days between Grant discovering the bug and Apple publicly addressing it, Grant’s mom, Michele Thompson, said she tried everything she could think of to get Apple’s attention. She emailed, called, tweeted at CEO Tim Cook and even faxed a letter on her law firm’s letterhead.
An attorney in Tucson, Arizona, she wanted to make sure Apple fixed the problem before it fell “into the wrong hands.”
On January 20, she posted about the issue on Facebook and Twitter: “My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport…waiting to hear back to provide details. Scary stuff!”
She was careful not to share too many details on social media, so people wouldn’t know how to recreate it.
On Friday, Grant’s mother emailed a bug report and a video to a representative in Apple’s Product Security department. Thompson hadn’t heard back before the bug’s discovery blew up on social media.
“It’s exhausting and exasperating,” Michele Thompson said of the reporting process. “It’s very poorly set up especially for the average citizen. I feel like I went above and beyond.”
Her son discovered the glitch when he FaceTimed a friend who didn’t pick up. He swiped up on his iPhone to add a friend to the Group chat, a feature that until it was disabled worked on iPhones and iPads running iOS 12.1, and Apple PCs running macOS Mojave.
Grant realized he could hear everything coming through the first friend’s iPhone, even though that person hadn’t answered. The friends immediately tried to recreate what happened. In some cases, users said, the bug could even access a recipient’s camera.
“We tested a few more times and found out we could get people to force answer FaceTime calls,” Grant Thompson told CNN Business. “After we confirmed that it worked, I went and told my mom.”
A freshman in high school, Grant told CNN Business he’s “pretty into technology and stuff,” and thinks it would be cool if Apple acknowledged his find.
Like many tech companies, Apple has a bug bounty program that offers financial rewards for some discoveries. The program, launched in 2016, pays up to $200,000 for detecting bugs, but some third-party companies will offer more.
Bug reports go through Apple’s developer site, but the company told Thompson non-developers can use it. However, most companies don’t have a public-facing way to report these types of bugs.
“Apple has a clear reporting channel, and even pays rewards for certain bugs — a.k.a. bug bounties — but these channels are likely only obvious if you’re in the security industry and already know where to go to report. [It’s] not so clear for consumers,” Katie Moussouris, the CEO of Luta Security, which helps companies and governments work with hackers, said in an email. “Except in this case, the customer support team and the social media team (and whoever got that fax) didn’t quite know how to remove obstacles and friction from the reporting process.”
It’s important for companies and government agencies to have a public-facing way to report bugs, according to Marten Mickos, CEO of HackerOne, a cybersecurity firm that connects security researchers with companies.
“Even if millions of people find nothing to report, and thousands may report something that isn’t really a bug, it still is worth it when just one person finds and can describe the bug,” Mickos said.
Apple did not respond to a request for comment about the Thompsons’ bug report or if other users flagged the issue.
“Even if the bug had gotten to the right people on day one after discovery, under normal operations, the investigation alone might take a few days or longer for complex issues, let alone creating and testing a fix,” said Moussouris.
Mickos said giving rewards serves a good purpose, such as setting a good example for everyone else and showing that the company values cybersecurity.
After detecting the bug, Grant told his mom he was hoping to get a MacBook Pro, an iPhone X and some AirPods as a reward. Although she said they didn’t report the issue for a reward, she believes Apple should acknowledge her son.
“Apple should reward people for reporting things of this nature — not just reward the developers or the people who are savvy with tech,” said Thompson. “I think just thanking him would be great,” she said.