The flaw allows FaceTime callers to listen in on recipients’ devices, whether the call is accepted or not
Apple has disabled the group chat function in its FaceTime conferencing tool after a serious privacy flaw was uncovered that allowed users to activate microphones and listen in on remote devices.
In some cases the bug also activates cameras and transmits video to callers, unknown to users.
Apple said it is developing a fix, which it plans to distribute this week in iOS version 12.2, but it’s unclear how the company can protect the many iPhone users who rarely or never update their devices’ software.
The 9to5Mac blog first reported that the bug occurs when both users are running version 12.1 of iOS, or newer, and that it also affects Mac users who receive FaceTime group calls from an iOS device.
According to initial reports, users discovered that they could enable FaceTime’s group chat feature whilst a call was dialling, in such a way that they would immediately begin to receive audio through the recipient’s microphone as the device rang, before the call was received.
Users also reported that if the recipient presses the iPhone’s power button from the lock screen while the call is ringing – an action typically used to trigger a dialogue box to accept or reject a call – their device also begins transmitting video to the caller.
Throughout these actions, there is no indication on the receiver’s end that they are transmitting audio or video, with the device merely ringing as if a normal call were coming through.
Apple said in a statement: “We’re aware of this issue and we have identified a fix that will be released in a software update later this week.”
Social media users suggested disabling FaceTime entirely until a fix is available, an action that can be carried out via the device’s Settings menu.
“The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk,” said New York City mayor Andrew Cuomo. “I am deeply concerned by this irresponsible bug that can be exploited for unscrupulous purposes.”
Former US Federal Trade Commission chief technology officer Ashkan Soltani called the issue “quite possibly one of the most significant privacy/security bugs the company has had to deal with in recent years (if not ever?)”, and praised Apple for quickly disabling Group FaceTime.
Embarrassingly for Apple, the bug surfaced on National Privacy Day, a global event instituted by the Council of Europe in 2007.
Only hours before the flaw came to light, Apple chief executive Tim Cook said via Twitter: “Let us all insist on action and reform for vital privacy protections. The dangers are real and the consequences are too important.”
Apple has seized upon privacy as a way of distinguishing itself from rivals such as Google and Facebook, and mounted a billboard at the CES conference in Las Vegas earlier this month that read: “What happens on your iPhone, stays on your iPhone.”
The timing of the bug’s disclosure also coincided with the company’s latest earnings report on Tuesday.