Apple FaceTime has a critical flaw
Published 3:00 am Friday, February 8, 2019
On January 28, Apple disabled the Group FaceTime feature on its phones. As of February 7, the features continue to be disabled, according to Apple’s System Status Page located at https://www.apple.com/support/systemstatus/.
What prompted the removal of the feature? Apple fans have complained about the lack of group FaceTime for years; the feature debuted on October 30, 2018, which allows up to 32 people to participate in a video chat at the same time. Honestly, I’ll offer that I’ve never needed to speak with 31 other people at the same time for any reason; but if the need ever arises, I’ll have a resource.
The rather swift removal of the feature is the result of a bug in the application. Apple indicated that a fix would be issued last week for the issue; however, the service continues to be disabled and a patch hasn’t been published.
Ironically, the flaw caught media attention on National Data Privacy Day, which was recognized on January 28. I wonder if the reveal of the flaw was timed to coincide with the Privacy Day.
In a few words, the flaw will allow an iPhone to become an effective eavesdropping device.
The bug allows an iPhone user to call another Apple device via the FaceTime video chat application and the caller can hear audio on the other end before the intended recipient answers the FaceTime call. Furthermore, the flaw appears to enable the front-facing camera so that you can also see what is going on the recipient’s end as well.
All of this occurs without the remote user’s knowledge, in effect creating an eavesdropping device.
How does it work?
I was able to reproduce the issue rather easily, with a willing participant. The bug works by calling a person via FaceTime. Before the person answers, add yourself as an additional group FaceTime participant. Basically, swipe up from the bottom of the screen to add another user to the call and add your own phone number. While the phone is still ringing, you’ll be able to hear audio from the intended recipient’s phone, even though that person hasn’t accepted the call. Additionally, I attempted the same scenario by placing a FaceTime call to my Mac – the same results were presented.
Doing this would cause the microphone of the person you are calling to turn on and you could listen through their microphone without them ever answering your call. Also, a brief amount of video is delivered if the person refuses the call, before the call disconnects.
After Apple disabled the Group FaceTime service, my attempts to exploit the flaw failed.
Clearly, this issue presents some very frightening scenarios. Apple disabled the Group FaceTime service on January 28. The bug appears to require the Group FaceTime service in order to function properly; therefore it’s likely that the flaw cannot be abused at the moment.
I’d offer caution to Apple users though. Apple has not stated that their disabling of the Group FaceTime service will stop the flaw. I suggest that you disable FaceTime on your iOS and macOS devices until Apple makes a formal statement about the product. Once Apple releases a patch or a formal statement about a remedy, enable Facetime again.
In the meantime, I suppose you’ll have to wait a bit longer to video chat with a couple dozen of your closest friends at the same time. Hopefully, you won’t be a victim of your iPhone becoming a hot mic and sharing all of your secrets; after all, we have other technology that’s far better at dispensing personal details.
William Greg Price is the Chief Technology and Security officer for Troy University and the Director of the Alabama Computer Forensics Institute. He currently represents District 2 on the Pike County Board of Education.