After facing down an embarrassing Group FaceTime bug that let callers hear audio near unanswered iPhones, Apple is today combatting a similar Apple Watch issue (via TechCrunch): The Walkie-Talkie app introduced last year in watchOS 5 apparently triggers the same sort of iPhone vulnerability, and has been disabled while Apple works on a fix.
Apple revealed the flaw and its efforts to remedy the problem overnight, disabling Walkie-Talkie’s ability to make automatic connections between Apple Watch devices. When loaded, the app appears to work properly until a person is selected for communications, at which point a spinning indicator with “Checking availability” continuously loops without making a connection. That’s a temporary, server-side disabling of the feature that’s short of removing the app altogether.
In a statement, Apple said:
We were just made aware of a vulnerability related to the Walkie-Talkie app on the Apple Watch and have disabled the function as we quickly fix the issue. We apologize to our customers for the inconvenience and will restore the functionality as soon as possible. Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously. We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent. We apologize again for this issue and the inconvenience.
While the nature of the bug is extremely concerning, Apple’s response this time appears to be a major improvement over its prior response to the Group FaceTime bug. The company indicated that it was “just” made aware of the problem through its vulnerability report portal, which suggests that it took action quickly rather than waiting days to months, or putting bug finders through a gauntlet before taking their claims seriously.
On the other hand, the fact that the Walkie-Talkie exploit exists at all is somewhat surprising. Walkie-Talkie relies upon FaceTime Audio to convey nearly instant voice messages between Apple Watches, eliminating the need for users to formally accept each communication as it comes in before it plays back. Once a user accepts an invitation from someone else, voice messages can be pushed to and heard from a Watch — but, at least as far as users are aware, not recorded or conveyed unless the user presses a large “push to talk” button on the Watch’s face.
As a result, it’s unclear how the exploit enables unwanted listening on the paired iPhone, but some underlying FaceTime Audio insecurity appears to be responsible, and again left iPhone users with no way of knowing — visible or otherwise — that their devices could be listening to them. Apple says that the feature will be disabled on its servers until a device-specific fix can be rolled out in software updates; it will likely need to be rolled out in iOS 12 and watchOS 5, as well as beta software for iOS 13 and watchOS 6.