Enterprise Mobility Management / BYOD , Governance & Risk Management , Privacy

Apple Rushes to Fix Serious FaceTime Eavesdropping Flaw

Callers Can Hear and See Recipients Before They Pick Up
Apple Rushes to Fix Serious FaceTime Eavesdropping Flaw
Apple has disabled Group FaceTime pending a fix for the eavesdropping flaw.

Apple has disabled Group FaceTime after reports emerged on Monday that the feature could be abused to eavesdrop on iPhone users.

See Also: ZTNA Buyer's Guide

"We're aware of this issue and we have identified a fix that will be released in a software update later this week," an Apple spokesman tells Information Security Media Group.

Apple's system status page says that Group FaceTime, as of 3:16 a.m. British Time, remains "temporarily unavailable" due to an "issue."

The technology giant's move follows an exploit for the flaw going viral via social media and Reddit on Monday after a proof-of-concept demonstration video was posted.

As 9to5mac has reported, exploiting the flaw involves a caller contacting someone via FaceTime, and while the call is dialing, swiping up to "Add Person" to the call, and then entering the caller's phone number.

"You will then start a Group FaceTime call including yourself and the audio of the person you originally called, even if they haven't accepted the call yet," 9to5mac reports. Exploit variations have also been found. For example, press the power button on the lock screen, and that allows a caller to see a recipient's video feed as well as hear audio, it says. A recipient, however, will be unaware, only seeing on their screen the ability to either accept or decline the incoming voice or video call.

Chris Pierson, CEO of concierge cybersecurity firm BlackCloak, tells ISMG that his company's cybersecurity team has also confirmed that the flaw provides third-party access to a targeted iPhone or iPad microphone and video camera feed.

"This means unfettered access to whoever is in listening or visual range of the device - from boardrooms, private offices, financial institutions and our bedrooms it is possible to gain access to this private information," Pierson says.

NSA Warning: 'Turn Off FaceTime'

News of the flaw led social media moguls and offensive hacking experts alike to urge iPhone users to take action.

Making a FaceTime call

"Disable FaceTime for now until Apple fixes," Twitter CEO Jack Dorsey tweeted.

"iPhone users. Turn off FaceTime until Apple issues a patch for iOS and you install it. Claims of major privacy issue discovered. Go to settings. Scroll down to FaceTime (green icon with camera) and switch off," tweets Rob Joyce, the National Security Agency's senior adviser for cybersecurity strategy to the director

Pierson says that anyone who deals with sensitive information should heed these warnings posthaste.

"Individuals who deal with sensitive financial data, government secrets, healthcare data or intellectual property, as well as top corporate executives and board members, should take head and immediately disable FaceTime on all of their devices until a patch has been implemented," Pierson says. "This is a critical watershed event in potentially allowing the unfettered access to all Apple products' cameras and microphones and a huge miss by the company."

But Apple has earned plaudits for responding quickly - and by disabling Group FaceTime altogether pending a fix, apparently forcefully reacting to the privacy problem.

"Good response by Apple for quite possibly one of the most significant privacy/security bugs the company has had to deal with in recent years (if not ever?): remote hotmic," tweeted privacy expert Ashkan Soltani, who previously served as the CTO for the Federal Trade Commission.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.