Group FaceTime chats allowed people to eavesdrop on whoever they called, a bug so severe that Apple disabled the feature until it could fix it.
IT’S OFTEN DIFFICULT TO DETERMINE HOW SERIOUSLY TO TAKE NEW VULNERABILITY REPORTS. The jargon is incomprehensible, and the skills required to carry out the attacks are only possessed by highly skilled professionals. However, there is no ambiguity in a bug affecting Apple’s FaceTime chat. How bad is it? Rather than risk exposing people to it, Apple disabled FaceTime group chats entirely.
Unlike other high-profile gaffes, what makes this bug so concerning isn’t the breadth of information that could be obtained by exploiting it. It does not grant hackers access to your emails or banking details. Instead, it allows a FaceTime caller to hear what’s going on at the other end of the line before the recipient answers the phone. They could also trigger a video feed with a few extra steps.
A 14-year-old in Arizona discovered the vulnerability when he discovered he could eavesdrop on his friends when setting up a chat for a round of Fortnite. He informed his mother, who notified Apple on January 20 and received no response to various inquiries for more than a week.
The exploit was also relatively easy to execute. To activate the illicit audio, someone simply started a normal FaceTime call, then quickly added their number as a third person in a group chat. If the person you were calling pressed the power button from their iOS lock screen, both video and audio would have been transmitted. The bug was discovered by Apple-focused news site 9to5Mac on Monday.
The implications are obvious. While it is not the type of high-wire attack that a nation-state would attempt to steal intel secrets, it has serious personal consequences. Even eavesdropping for a few seconds on an unguarded moment, especially when the target is deciding whether to pick up your call, is an unacceptable invasion of privacy.
“We’re aware of the problem, and we’ve identified a solution that will be released in a software update later this week,” Apple said in a statement.
Rather than waiting for that fix, as is customary, Apple took the extra step of shutting down group FaceTime chats entirely in the meantime. It appears to be the first time the company has taken such drastic measures to address a software problem. The combination of high stakes and low barriers appears to have made it unprofitable.
In 2017, Apple had a rough year of security blunders, including a macOS High Sierra bug that allowed anyone to gain root access to a Mac by simply entering the password “root.” Apple, on the other hand, regrouped last year, focusing on stability improvements rather than flashy new features, a gamble that appears to have paid off.
Group FaceTime chats, which were introduced last year as well, have not gone as well. Last fall, security researcher Jose Rodriguez exploited a flaw in the new function to bypass the iOS lock screen and view an individual’s entire address book. The two issues appear unrelated, but they highlight Apple’s ongoing need to rigorously vet new software releases.
“We haven’t had the time to dig in and reverse-engineer the root cause of this bug yet, but there is no specific or special reason this would occur,” says Will Strafach, president of Sudo Security Group and an iOS security researcher. “It appears to be an unfortunate chain of bad programming logic coded into the process for handling group FaceTime.”
What is the most important thing you can do right now? Nothing because Apple has already canceled the issue. However, install that software update as soon as it becomes available, whenever that may be. There are other group chat apps to tide you over in the meantime. Take this whole ordeal as a not-so-gentle reminder that your smartphone has a microphone and a camera, as does your computer, and it’s probably not a good idea to trust all of them implicitly.
Lauren Goode contributed reporting.
Will Strafach’s comment has been added to this story.
