Apple has taken its relatively new Group FaceTime feature offline following the discovery of a serious privacy bug that could allow a caller to hear and see FaceTime audio and video from the recipient of a call, even before the person acknowledges or answers the FaceTime call.
First reported by 9to5Mac, the bug can be exploited by a caller adding themselves as a second party to a Group FaceTime call while the first call to the original party is still ringing. The result is that a Group FaceTime chat session will begin immediately, including the audio from the person that hasn’t yet answered the call. While only audio is initially sent, there are several ways in which the video feed can be eavesdropped on as well, including the original caller joining the conversation from a second iPhone, iPad, or Mac, or the person receiving the call pressing one of the side buttons on their iPhone.
To make matters worse, the called party receives no indication that a FaceTime call has begun, or that their iPhone is now actively sending audio and video — the iPhone receiving the call simply continues to ring as if it hasn’t yet been answered.
This of course creates a huge privacy hole, and while the issue remains present even in the current iOS 12.2 beta, Apple has promised that a fix is on the way — in a statement to BuzzFeed News, an Apple spokesperson said the company is “aware of this issue and we have identified a fix that will be released in a software update later this week.” In the meantime, as of 10:16 p.m. last night, Apple has taken the Group FaceTime feature offline on its servers in order to avoid any potential problems.
Since the bug only affects Group FaceTime calls, this should be enough to prevent any issues until such time as Apple releases a more permanent fix to the problem, which will likely come in the form of an iOS 12.1.4 update.
We were able to independently test the flaw prior to Apple shutting down Group FaceTime, confirming that it’s present in iOS 12.1.2, 12.1.3, and the initial 12.2 beta, and while it very likely exists between all models of iPhones capable of running those iOS versions (iOS 12.1 is the minimum version required to participate in Group FaceTime calls), we were able to specifically reproduce it on an iPhone XR, iPhone X, iPhone 8 Plus, and sixth-generation iPad, all running a mixture of the above iOS versions. As described in other posts, call audio came through immediately from the other party, and video came through after the user pressed any of the side buttons on their iPhone — something that would be an intuitive response for a user attempting to turn down or decline a FaceTime call. However, video and audio ceased being transmitted once a user explicitly declined the incoming FaceTime call (a single press of the side button will mute the ringer, and begin transmitting video, while a second press declines the call entirely). We were also able to reproduce the problem when calling a Mac, suggesting that Apple will also need to release a macOS software update later this week as well.
Since Group FaceTime has been disabled on Apple’s end, however, it no longer seems possible to exploit the bug. Attempts to add a second person to a Group FaceTime call may show odd behaviour while the back-end service is disabled — several times the originating iPhone or iPad showed “Connecting…” as if the call was going to start like it did before Group FaceTime was shut down, but the call itself failed almost immediately on the receiving device without transmitting any audio or video. Still, it would be prudent to be cautious about incoming FaceTime calls from untrusted parties until such time as Apple confirms that the bug has been completely fixed.