Apple has temporarily disabled its new Group FaceTime feature after a major privacy bug was discovered, exposing a recipient's audio and video without them answering an incoming call.
The bug was first tweeted about on January 21, when a mother raised the issue with Apple boss Tim Cook via Twitter, saying her teenage son had discovered the FaceTime flaw.
It was then reported by 9to5Mac on January 28, and was found to share the recipient's audio with the caller before they had decided to accept or reject the call.
The bug is specifically a problem with Group FaceTime, the feature only recently launched by Apple (after a delay) where many iOS and Mac users can join an audio or video call at once.
The bug worked like this:
- Call a contact using FaceTime
- As soon as it starts ringing, go to add another contact to the call
- Pick yourself as the additional contact
- You can now hear the audio of the recipient, even if they haven't answered yet
What's more, it was later found that if the recipient pressed the home button (or swiped up to go to their home screen) while being called, the video feed from their device's front-facing camera would automatically be sent to the caller. The recipient remained unaware of all of this, instead only seeing the normal accept/decline screen, without hearing or seeing the caller.
It was also found that the recipient's video would be sent to the caller if they pressed either of their device's volume buttons too.
This is deeply embarrassing for Apple, which caused a stir at the CES technology show in Las Vegas earlier this month. As a dig against the patchy security of its rivals, Apple put up a huge billboard right outside the convention center, reading: "What happens on your iPhone, stays on your iPhone."
The FaceTime bug quickly went viral after a video of it was posted to Twitter on January 28 by Beni Mobb, an artist in Chicago. Further evidence of the bug then spread across Twitter and Snapchat.
However, it looks as if the bug was first tweeted about on January 21. A Twitter user called MGT7 said their teenage son had "found a major security flaw...he can listen in to your iPhone/iPad without your approval."
The woman says she submitted a bug report to Apple and filed "letters, emails, tweets and messages" to Apple but "never heard back from them."
She tweeted to Apple CEO Tim Cook on January 21: "This is real...trying to get Apple's attention to get this addressed. I'm just a mom of a teenager who found a huge security problem in your new update."
Naturally, it doesn't take much imagination to realize the harm such a bug could have. Anything the recipient says before answering or rejecting the call, perhaps to a coworker or anyone else, would be heard by the caller.
Apple said it was "aware of this issue and we have identified a fix that will be released in a software update later this week."
As of Monday evening, Apple's system status page acknowledged the issue, described it as "ongoing" and said: "Group FaceTime is temporarily unavailable."
Cybersecurity experts were quick to comment on the flaw. Graham Cluley posted to his website: "Right now, it's hard to tell just how serious this crappy bug is. It doesn't feel like a way for - say - a state-sponsored attacker to open a persistent hot mic on a targeted phone in another nation's government.
"But I would still be deeply disturbed if someone was able to spy on me, even for a short while, without me noticing. It's easy [to see] how it might also be used by jealous partners and obsessive stalkers to spy on the vulnerable."
Rubbing salt into the wound, Monday, the day Apple pulled Group FaceTime, was Data Privacy Day (known in Europe as Data Protection Day), a day intended to raise awareness and promote privacy and data protection best practices. It is observed in the US, Canada, Israel and much of Europe.