News breaks of a vulnerability in the group functionality of Apple's FaceTime application that allows users to eavesdrop on the people being called, even if they didn’t pick up the call!
The shockingly simple exploit works with any pair of iOS devices running iOS 12.1 or later. “The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone – before the person on the other end has accepted or rejected the incoming call,” according to Benjamin Mayo at 9to5Mac, who first broke the story and adds “there’s a second part to this which can expose video too…”
The exploit really is stupidly easy to pull off, essentially just requiring the caller to add their own number while a call is dialing in order to start a group chat that includes themselves and the audio of the person being called. It doesn’t matter whether the recipient has accepted the call or not: all audio captured while the iPhone is ringing can be heard by the caller. If the recipient presses the power button from the lock screen, used to accept or reject the incoming FaceTime chat, then video is also sent to the caller. One user, @Jessassin, tweeted that if you join the call using your invitation on another iPhone then you also get the video stream despite the call not being answered on the destination device.
What’s more, the bug isn’t limited to iPhone users: if the recipient is using a Mac then, as it rings for longer by default than a handset does, the eavesdropping can potentially continue for a longer period. This is particularly worrying as a Mac user may well be away from the device for a long time, certainly more so than we are from our smartphones, and during that time anyone could be listening in on whatever was happening in that house or office.
So, what do you need to do now? The good news is that Apple has responded by temporarily suspending the Group FaceTime functionality until a permanent fix can be rolled out. An Apple spokesperson told BuzzFeed that a fix “will be released in a software update later this week.” However, there have been reports of some users still able to exploit the eavesdropping vulnerability even after Apple made this announcement, 9to5Mac being among them.
Which is why I would recommend that, until you can be sure that the vulnerability has been patched and the eavesdropping exploit no longer works, you disable FaceTime on all your devices. On an iPhone or iPad this is simply a matter of going to Settings and switching the toggle next to the FaceTime icon to off. On a Mac, however, you need to open the FaceTime app, click ‘FaceTime’ in the menu bar and turn it off from there.