Apple disables Group FaceTime after major eavesdropping bug discovered
Turns out what happens on your iPhone doesn't actually stay on your iPhone
Apple has temporarily disabled its new Group FaceTime feature after a major privacy bug was discovered. The bug exposed a recipient's audio and video without them answering an incoming call.
The bug was first tweeted about on January 21, when a mother raised the issue with Apple boss Tim Cook via Twitter, saying her teenage son had discovered the FaceTime flaw.
9to5Mac then reported it on January 28. It was found to share the recipient's audio with the caller before they had decided to accept or reject the call.
The bug is specifically a problem with Group FaceTime, the feature only recently launched by Apple (after a delay) where many iOS and Mac users can join an audio or video call simultaneously.
The bug worked like this:
Now you can answer for yourself on FaceTime even if they don't answer🤒#Apple explain this.. pic.twitter.com/gr8llRKZxJ
— Benji Mobb™ (@BmManski) January 28, 2019
It was later found that if the recipient pressed the home button (or swiped up to go to their home screen) while being called, the video feed from their device's front-facing camera would automatically be sent to the caller. The recipient remained unaware of all of this, instead seeing only the normal accept/decline screen without hearing or seeing the caller.
It was also found that the recipient's video would be sent to the caller if they pressed either of their device's volume buttons too.
This isn't very comfortable for Apple, which caused a stir at the CES technology show in Las Vegas earlier this month. As a dig against its rivals' patchy security, Apple put up a huge billboard right outside the convention center, reading: "What happens on your iPhone, stays on your iPhone."
The FaceTime bug quickly went viral after an artist in Chicago, Benji Mobb, posted a video of it to Twitter on January 28. Evidence of the bug then spread across Twitter and Snapchat.
My teen found a major security flaw in Apple's new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport...waiting to hear back to provide details. Scary stuff! #apple #bugreport @foxnews
— MGT7 (@MGT7500) January 21, 2019
However, it looks as if the bug was first tweeted about on January 21. A Twitter user called MGT7 said their teenage son had "found a major security flaw...he can listen in to your iPhone/iPad without your approval."
The woman says she submitted a bug report to Apple and filed "letters, emails, tweets and messages" to Apple but "never heard back from them."
She tweeted to Apple CEO Tim Cook on January 21: "This is real...trying to get Apple's attention to get this addressed. I'm just a mom of a teenager who found a huge security problem in your new update."
Naturally, it doesn't take much imagination to realize the harm such a bug could cause. The caller would hear anything the recipient said before answering or rejecting the call, whether to a coworker or to anyone else nearby.
Apple said it was "aware of this issue, and we have identified a fix that will be released in a software update later this week."
On Monday evening, Apple's system status page acknowledged the issue, described it as "ongoing," and said: "Group FaceTime is temporarily unavailable."
Cybersecurity experts were quick to comment on the flaw. Graham Cluley posted to his website: "Right now, it's hard to tell just how serious this crappy bug is. It doesn't feel like a way for - say - a state-sponsored attacker to open a persistent hot mic on a targeted phone in another nation's government.
"But I would still be deeply disturbed if someone could spy on me, even for a short while, without me noticing. It's easy [to see] how jealous partners and obsessive stalkers might also use it to spy on the vulnerable."
Rubbing salt into the wound, Monday, the day Apple pulled Group FaceTime, was Data Privacy Day (known in Europe as Data Protection Day), a day intended to raise awareness and promote privacy and data protection best practices. It is observed in the US, Canada, Israel and much of Europe.