The bug, which quickly went viral Monday night, affected Apple's group FaceTime feature and allowed iOS users to eavesdrop on other iOS users.
Apple says it plans to remedy a nasty FaceTime bug that allowed iPhone owners to spy on other iPhone users later this week. Until then the company has disabled the culprit behind the bug, FaceTime's group chat feature, to minimize the damage for users.
Apple acknowledged there was an issue with FaceTime Monday night, at 10:16 p.m., with an update to its system status page: "Group FaceTime is temporarily unavailable."
The issue appears to be connected to a logic flaw in the way iOS handles group calls. While not currently reproducible, the bug essentially tricked a user's phone into thinking a group call was ongoing. Once a caller placed a FaceTime call to a user and then added themselves to the group chat, they could hear audio - and in some instances see video - from the recipient's phone, even if the recipient hadn't answered the call.
As news of the bug went viral across Twitter and Reddit Monday night, iOS users found that if the unsuspecting user pressed the power button or the volume down button during a group chat, they could see video from that user - again, even if the user didn't agree to the call.
While group FaceTime remains unavailable, Apple says it plans a proper fix sometime later this week.
“We’re aware of this issue and we have identified a fix that will be released in a software update later this week,” an Apple spokesperson said.
Even Rob Joyce, special assistant to the President and cybersecurity coordinator at the White House, warned of the issue late Monday, urging users to disable FaceTime until Apple pushed a patch.
iPhone users. Turn off FaceTime until Apple issues a patch for iOS and you install it. Claims of major privacy issue discovered. Go to settings. Scroll down to FaceTime (green icon with camera) and switch off. https://t.co/hIRukshaTE
— Rob Joyce (@RGB_Lights) January 29, 2019
The bug was reportedly found eight days ago by a 14-year-old amateur security researcher. It just wasn't reported through Apple's reporting channel for security bugs; it was reported to Apple's Support team.
My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport...waiting to hear back to provide details. Scary stuff! #apple #bugreport @foxnews
— MGT7 (@MGT7500) January 21, 2019
Apple fan site 9to5mac.com, one of the first publications to warn of the bug, shortly after 6 p.m. EST on Monday, said it believed the issue affected any pair of iOS devices, as long as they're running iOS 12.1 or later.
It's probably safe to say the bug was introduced to iOS recently, at some point in the last several months. Natalie Silvanovich, a researcher with Google's Project Zero, outlined last month how she fuzzed FaceTime calls on iOS and Mac machines. Her work uncovered three vulnerabilities in FaceTime: an out-of-bounds read, a stack corruption vulnerability, and a kernel heap corruption issue, all of which were fixed in iOS 12.1, released on October 30.
Apple just released an update for iOS 12 - iOS 12.1.3 - last week, but it appears it won't be the last the company pushes this month.