Apple late Wednesday said it disabled the Walkie-Talkie app on Apple Watch after being alerted to a vulnerability that allows a user to surreptitiously listen in on another iPhone’s audio.
In a statement issued to TechCrunch, Apple said it was made aware of the bug through its product security reporting service, which allows developers, researchers and others to flag security and privacy issues via email.
Apple did not specify how the Walkie-Talkie flaw works, but in a statement said the bug “could allow someone to listen through another customer’s iPhone without consent.” A more detailed rundown might be provided in release notes accompanying a consequent watchOS security update. Whatever the case, the vulnerability is apparently serious enough to prompt Apple to deactivate a major platform feature.
The company told TechCrunch that while the bug has not been spotted in the wild, it has decided to temporarily disable Walkie-Talkie until a fix is in place. Apple will keep the Walkie-Talkie app on user devices as a patch is developed and deployed, suggesting the vulnerability at least partially impacts server-side assets.
We were just made aware of a vulnerability related to the Walkie-Talkie app on the Apple Watch and have disabled the function as we quickly fix the issue. We apologize to our customers for the inconvenience and will restore the functionality as soon as possible. Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously. We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent. We apologize again for this issue and the inconvenience.
Walkie-Talkie was introduced last year as a tentpole feature of watchOS 5. A modern take on push-to-talk communication methods popularized by two-way radios — and later transformed into a cellular service option by Nextel and other handset makers — Walkie-Talkie enables Apple Watch users the ability to send ephemeral audio messages to one another through the cloud.
Apple’s decision to disable Walkie-Talkie is reminiscent of its handling of the Group FaceTime fiasco earlier this year.
In January, teenager Grant Thompson discovered a particularly insidious bug that allowed any iPhone owner to eavesdrop on another user simply by adding that person’s number to a Group FaceTime call. The vulnerability granted access to a target device’s microphone without user intervention.
As word of the FaceTime exploit spread, Apple was forced to disable the feature until a fix was rolled in an update issued about a week later.
Thompson, whose mother attempted to inform Apple of the bug multiple times a week before it went viral, was ultimately paid a bug bounty and scholarship for finding the flaw.
Apple has not provided an estimated timeline of completion for the Walkie-Talkie fix.