Critical FaceTime bug turns iPhones, Macs into eavesdropping tools

A shocking and easily exploitable FaceTime bug allows people to listen in on other users of Apple devices by simply calling them through the service.

The bug apparently affects Group FaceTime and Apple has reacted by making the service unavailable until they can push out a fix.

Exploitation of the FaceTime bug

The bug was first reported by 9to5Mac and then replicated and confirmed by others.

The gist of it is this: it allows the caller to turn on the microphone of the target’s device and hear what’s happening around it before the person answers the call.

The exploit chain is simple: the caller starts a FaceTime Video call with an iPhone contact and, while the phone is ringing, swipes up from the bottom of the screen and taps Add Person.

The caller then adds their own phone number in the Add Person screen, and this starts a Group FaceTime call with all those participants, even if the person being called has not accepted the call.

What’s even worse, if that person dismisses the call by pressing the Power or Volume button from the lock screen, the caller will also see what the target’s device “sees”.

So, technically, if the target just mutes the ringing and the caller keeps the call ringing, the caller can listen in on the conversations around the device.

What to do?

It is believed that this bug affects any Apple iPhone, iPad or Mac that can run FaceTime.

“Technology bugs occur far more often than the average user may think. Luckily Apple is usually quick to adapt and patch up the flaws. However, we do not know how long this bug has been around for and if it has been taken advantage of by cybercriminals who exploit these vulnerabilities,” Jake Moore, cyber security expert at ESET UK, commented for Help Net Security.

Mac and iOS users are advised to temporarily disable the FaceTime option (via Settings on iOS, via the app’s Preferences on Mac) until Apple comes up with a fix, which they promised to do later this week.
