Digital Guardian's Blog

Apple Disables Group FaceTime Following Eavesdrop Bug

by Chris Brook on Tuesday January 29, 2019

The bug, which quickly went viral Monday night, affected Apple's group FaceTime feature and allowed iOS users to eavesdrop on other iOS users.

Apple says it plans to remedy a nasty FaceTime bug that allowed iPhone owners to spy on other iPhone users later this week. Until then the company has disabled the culprit behind the bug, FaceTime's group chat feature, to minimize the damage for users.

Apple acknowledged there was an issue with FaceTime Monday night, at 10:16 p.m., with an update to its system status page: "Group FaceTime is temporarily unavailable."

The issue appears to be connected to a logic flaw in the way iOS handles group calls. While not currently reproducible, the bug essentially tricked a user's phone into thinking a group call was ongoing. Once the original caller on a FaceTime call calls a user and adds themselves to a group chat, the caller can hear audio - and in some instances see video - from the recipient's phone, even if the recipient hasn't answered the call.

As news of the bug went viral across Twitter and Reddit Monday night, iOS users found that if they pressed the power button or the volume down button during a group chat with an unsuspecting user, they could see video from the other user - again, even if that user didn't agree to the call.

While group FaceTime remains unavailable, Apple says it plans a proper fix sometime later this week.

“We’re aware of this issue and we have identified a fix that will be released in a software update later this week,” an Apple spokesperson said.

Even Rob Joyce, special assistant to the President and cybersecurity coordinator at the White House, warned of the issue late Monday, urging users to disable FaceTime until Apple pushed a patch.

The bug was reportedly found eight days ago by a 14-year-old amateur security researcher; it just wasn't reported to Apple's reporting channel for security bugs. Instead, it was reported to Apple's Support team.

Apple fan site 9to5mac.com, one of the first publications to warn of the bug, shortly after 6 p.m. EST on Monday, said it believed the issue affected any pair of iOS devices, as long as they're running iOS 12.1 or later.

It's probably safe to say the bug was introduced to iOS recently, at some point in the last several months. Natalie Silvanovich, a researcher with Google's Project Zero, outlined last month how she fuzzed FaceTime calls on iOS and Mac machines. Her work produced three vulnerabilities in FaceTime: an out-of-bounds read, a stack corruption vulnerability, and a kernel heap corruption issue, all of which were fixed in iOS 12.1, released on October 30.

Apple just released an update for iOS 12 - iOS 12.1.3 - last week but it appears it won't be the last the company pushes this month.

Tags: Apple, Mobile Security

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.