Security flaw allowed iPhone users to drop-in on contacts via FaceTime

It was actually possible to hear a Group FaceTime conversation before the call was picked up


In what could go down as one of the most significant security flaws in Apple’s history, a new software bug has been uncovered allowing users to listen to contacts via Apple’s FaceTime video chat platform.

The glitch lets users contact someone via FaceTime and then automatically hear the other person before the call is picked up.

The issue, which has been reported by Bloomberg as well as 9to5Mac, seems to only occur with Group FaceTime calls and requires somewhat specific circumstances. MacRumors was also able to get the bug to work on a Mac, so it appears the glitch does not just affect Apple’s iPhone.

Bloomberg reports that users need to launch a conference call, input someone’s phone number and then add the number of an additional person. While waiting for the first person to pick up, if the second participant answers, the audio feed from the first contact is automatically turned on, allowing you to hear what their mic is picking up even if they don’t answer.

As a result of the bug, it’s actually possible to listen to an ongoing FaceTime conversation without the person on the other end knowing you can hear them.

Taking the flaw a step further, The Verge is reporting that if the recipient of the conference call presses the power or volume button to ignore the call, video, as well as audio, is broadcast without the recipient’s knowledge.

MobileSyrup was able to independently confirm and replicate the flaw with an iPhone 8 Plus running iOS 12.1.2 and an iPhone X on iOS 12.1.3.

As far as security flaws go, this one is particularly serious, especially given the emphasis Apple has placed on privacy recently when it comes to its devices and operating systems.

Examples of various people confirming the issue are widely available on social media, including tweets from notable tech reporters. The release of Apple’s Group FaceTime calling feature was delayed a number of months due to software bugs.

Tim Cook sent out the following tweet earlier today regarding data privacy:

In a statement to BuzzFeed News, a representative from Apple said that the company is “aware of this issue and we have identified a fix that will be released in a software update later this week.” A few hours after news of the exploit broke, Apple disabled FaceTime’s Group Calling feature. According to Apple’s System Status page, the company notes that “Group FaceTime is temporarily unavailable.”

It’s likely that the update will be included in the public version of iOS 12.2, the same iteration of Apple’s operating system that is set to bring Apple News to Canadian iPhone users. It’s unclear how long Apple has been aware of the bug and if the company had plans to disclose it prior to 9to5Mac posting about the flaw.

Given that the bug doesn’t seem to work with my iPhone XS Max running the iOS 12.2 beta, it’s likely that Apple was aware of the issue.

In order to deactivate FaceTime on your iOS device, navigate to ‘Settings,’ then tap on ‘FaceTime’ and select ‘Off.’

Update 02/01/2019: Apple has released the following statement about the Group FaceTime glitch, stating that the company will “improve the process” regarding issues like this being reported.

“We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a security update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug.

We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.

We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible.

We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.”

Update 01/29/2019: Apple has disabled FaceTime’s Group Calling feature. According to the company’s System Status page, Apple notes that “Group FaceTime is temporarily unavailable.” The story has been updated with this information.

Source: Bloomberg, 9to5Mac, BuzzFeed News, The Verge