SAN FRANCISCO — On Jan. 19, Grant Thompson, a 14-year-old in Arizona, made an unexpected discovery: Using FaceTime, Apple’s video chatting software, he could eavesdrop on his friend’s phone before his friend had even answered the call.
His mother, Michele Thompson, sent a video of the hack to Apple the next day, warning the company of a “major security flaw” that exposed millions of iPhone users to eavesdropping. When she didn’t hear from Apple Support, she exhausted every other avenue she could, including emailing and faxing Apple’s security team, and posting to Twitter and Facebook. On Friday, Apple’s product security team encouraged Ms. Thompson, a lawyer, to set up a developer account to send a formal bug report.
But it wasn’t until Monday, more than a week after Ms. Thompson first notified Apple of the problem, that Apple raced to disable Group FaceTime and said it was working on a fix. The company reacted after a separate developer reported the FaceTime flaw and it was written about on the Apple fan site 9to5mac.com, in an article that went viral.
The bug, and Apple’s slow response to patching it, have renewed concerns about the company’s commitment to security, even though it regularly advertises its bug reward program and boasts about the safety of its products. Hours before Apple’s statement addressing the bug Monday, Tim Cook, the company’s chief executive, tweeted that “we all must insist on action and reform for vital privacy protections.”
The FaceTime problem has already been branded “FacePalm” by security researchers, who say Apple’s security team should have known better. Rarely is a software flaw both this severe and this easy to trigger: it grants remote access to a target’s microphone and camera, and it needs no tooling beyond the phone itself. By adding a second person to a group FaceTime call, you can capture the audio and video of the first person called before that person answers the phone, or even if the person never answers.
“If these kinds of bugs are slipping through,” said Patrick Wardle, the co-founder of Digita Security, which focuses on Apple-related security, “you have to wonder if there are other problematic bugs that other hackers are exploiting that should have been caught.”
On Monday, Apple said it was aware of the issue and had “identified a fix that will be released in a software update later this week.”
But the company has not addressed how the flaw passed through quality assurance, why it was so slow to respond to Ms. Thompson’s urgent warnings, or whether it intends to reward the teenager whose mother raced to alert the company to the bug in the first place.
A bug this easy to exploit is every company’s worst security nightmare and every spy agency, cybercriminal and stalker’s dream. In emails to Apple’s product security team, Ms. Thompson noted that she and her son were just everyday citizens who believed they had uncovered a flaw that could undermine national security.
“My fear is that this flaw could be used for nefarious purposes,” she wrote in a letter provided to The New York Times. “Although this certainly raises privacy and security issues for private individuals, there is the potential that this could impact national security if, for example, government members were to fall victim to this eavesdropping flaw.”
Unknown to Ms. Thompson, there is a healthy market for bugs and the code to weaponize them, which allows governments, defense contractors and cybercriminals to spy on people’s devices without their knowledge, capturing everything from their locations to whatever their microphones and cameras pick up. The FaceTime flaw, and other Apple bugs, can fetch tens of thousands, if not hundreds of thousands or even millions of dollars, from dozens of brokers. Those brokers then resell the bugs for ever higher sums to governments and intelligence and law enforcement agencies around the world. On the seedier side of the spectrum are brokers who sell these tools on the dark web to the highest bidder.
The only catch is that hackers must promise never to disclose the flaw to the vendor for patching, so that buyers can keep their access.
The market for Apple flaws has soared in the post-Edward Snowden era as technology makers build in more security, like end-to-end encryption, to thwart would-be spies. This month, Zerodium, a well-known broker, raised its reward for a full Apple iOS exploit chain to $2 million.
In part to compete in that market, and reward those who do right by the company by notifying it of potentially lucrative bugs, Apple announced its own bounty program in 2016 — the last of the Silicon Valley companies to do so.
At a hacker conference that year in Las Vegas, Apple made a surprise announcement: It said it would start paying rewards as high as $200,000 to hackers who responsibly turned over crucial flaws in its products. But the bounty program has been slow going, in part, hackers say, because they can make multiples of that bounty on the black market, and because Apple has taken its time rewarding them for reporting problems.
The FacePalm bug is a particularly egregious case, researchers say, not just because it was discovered by a teenager simply trying to use his phone, but because it allowed full microphone and video access.
“This is a bug that Apple’s Q&A should have caught,” Mr. Wardle said. “And where there’s smoke, there’s almost always fire.”
Bug brokers say FacePalm, while impressive, would not have brought a top price because it leaves a record of the attack. The flaw works only if you FaceTime the person you want to capture audio and video from, notifying your target of the call.
Bugs that fetch $2 million or $3 million on the black market leave no trace, work more than 99.5 percent of the time and work instantaneously, said Adriel Desautels, the chief executive of Netragard, a company that helps firms protect their software.
In this case, Mr. Desautels said, FacePalm is not as dangerous as a flaw that can covertly track someone’s location, turn on that person’s camera and capture video without a trace.
But, he added, “it’s pretty good for a high schooler.”