Apple Rushes to Fix Serious FaceTime Eavesdropping Flaw
Callers Can Hear and See Recipients Before They Pick Up
Apple has disabled Group FaceTime after reports emerged on Monday that the feature could be abused to eavesdrop on iPhone users.
"We're aware of this issue and we have identified a fix that will be released in a software update later this week," an Apple spokesman tells Information Security Media Group.
Apple's system status page says that Group FaceTime, as of 3:16 a.m. British Time, remains "temporarily unavailable" due to an "issue."
The technology giant's move follows an exploit for the flaw going viral via social media and Reddit on Monday after a proof-of-concept demonstration video was posted.
As 9to5mac has reported, exploiting the flaw involves a caller placing a FaceTime call to someone and, while the call is still ringing, swiping up, choosing "Add Person" and entering the caller's own phone number.
"You will then start a Group FaceTime call including yourself and the audio of the person you originally called, even if they haven't accepted the call yet," 9to5mac reports. Variations of the exploit have also been found. For example, pressing the power button on the lock screen also allows a caller to see a recipient's video feed, as well as hear the audio, it says. The recipient, however, remains unaware: all they see on their screen is the usual option to accept or decline the incoming voice or video call.
Chris Pierson, CEO of concierge cybersecurity firm BlackCloak, tells ISMG that his company's cybersecurity team has also confirmed that the flaw provides third-party access to a targeted iPhone or iPad microphone and video camera feed.
"This means unfettered access to whoever is in listening or visual range of the device - from boardrooms, private offices, financial institutions and our bedrooms it is possible to gain access to this private information," Pierson says.
NSA Warning: 'Turn Off FaceTime'
News of the flaw led social media moguls and offensive hacking experts alike to urge iPhone users to take action.
"Disable FaceTime for now until Apple fixes," Twitter CEO Jack Dorsey tweeted.
"iPhone users. Turn off FaceTime until Apple issues a patch for iOS and you install it. Claims of major privacy issue discovered. Go to settings. Scroll down to FaceTime (green icon with camera) and switch off," tweeted Rob Joyce, the National Security Agency's senior adviser for cybersecurity strategy to the director, on Jan. 29, 2019.
Pierson says that anyone who deals with sensitive information should heed these warnings posthaste.
"Individuals who deal with sensitive financial data, government secrets, healthcare data or intellectual property, as well as top corporate executives and board members, should take heed and immediately disable FaceTime on all of their devices until a patch has been implemented," Pierson says. "This is a critical watershed event in potentially allowing the unfettered access to all Apple products' cameras and microphones and a huge miss by the company."
But Apple has earned plaudits for responding quickly, and for disabling Group FaceTime altogether pending a fix, a forceful reaction to the privacy problem.
"Good response by Apple for quite possibly one of the most significant privacy/security bugs the company has had to deal with in recent years (if not ever?): remote hotmic," tweeted privacy expert Ashkan Soltani, who previously served as the CTO for the Federal Trade Commission.