Apple has made Group FaceTime temporarily unavailable following a major flaw discovered on Monday evening. The bug allows anyone with iOS to FaceTime other iOS users and listen in on their private conversations – without the user on other end rejecting or accepting the call.
The bug makes use of a new function presented in FaceTime as part of iOS 12.1, called Group FaceTime. According to Apple’s System Status support page, Group FaceTime is temporarily unavailable following an issue ongoing since Monday night at 10:16 p.m.
“We’re aware of this issue and we have identified a fix that will be released in a software update later this week,” an Apple spokesperson told Threatpost.
Reports of the flaw first began to emerge on Reddit after users reported being able to hear others after FaceTiming them.
In order to take advantage of the flaw, users can first start a FaceTime call with a contact in who also has iOS.
While the call is dialing, they can then swipe up at the bottom of the screen, which lifts the panel and gives them the option to “Add Person.” Users can then click “Add Person” and add their own phone number.
This then begins a FaceTime call that includes the phone user and the audio of the outgoing call – even if the person being called hasn’t accepted the call yet.
https://twitter.com/BmManski/status/1089967572307640325
The “Add Person” button is a result of a new feature presented in iOS 12.1 called Group Facetime, which was added Oct. 30th.
The bug is believed to impact any pair of devices running iOS 12.1 or later, according to reports.
The privacy and security implications of such a flaw are tremendous – a person could essentially make a FaceTime call to anyone with an iOS device and listen in to their private conversations.
The discovery of the flaw led to social media backlash, and even a statement from New York Governor Andrew Cuomo urging Apple users to disable FaceTime: “The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk… In light of this bug, I advise New Yorkers to disable their FaceTime app until a fix is made available, and I urge Apple to release a fix without delay.
Meanwhile, experts in the security space – like Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation – urged iOS users to delete their FaceTime function until a fix becomes available.
The Facetime bug works in both iOS and MacOS, so now would be a good time to disable Facetime on everything and then pour out a 40 for the Apple security team.
— Eva (@evacide) January 29, 2019
While it’s not clear how long the privacy bug has been around, one Twitter user on Jan. 20 said in a Tweet that the bug had been discovered and reported to Apple: “My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval.”
It’s not the first privacy-related security issue the phone giant has faced in the past year – in March 2018 Apple confirmed a privacy bug in its iPhone that allows the Siri voice assistant to read out messages from locked screens – even if the messages are hidden.
Interested in learning more about privacy and data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.
