Apple has fixed a bug that allowed people to secretly listen and watch you via FaceTime, and apologised for the delay. The company has also reactivated group FaceTime, a feature which was turned off while it dealt with the issue.
What was the FaceTime bug?
The flaw was discovered by 14-year-old Grant Thompson (Apple says Daven Morris of Arlington, Texas, spotted it too) and reported to Apple on 19 Jan 2019. Thompson realised that a user could set up a group FaceTime call that enabled them to both see and hear a recipient without them answering the call.
It was possible for a FaceTime caller to call a contact and, before they answered, add themselves as an additional participant. The recipient would see an alert inviting them to the call, but even while the call was ringing the microphone would be switched on, so the caller could hear them - even if the phone was locked.
Should the recipient choose not to join the call, they might press the power button on the side of the phone to reject it, or toggle the volume controls to turn the sound down. However, in so doing the camera would switch on. The recipient wouldn't be aware of this as it would still look like the call was incoming and unanswered.
The caller could then listen in (and watch) for as long as the phone was ringing.
The video in the tweet below shows the FaceTime flaw in action:
How did Apple respond to the FaceTime bug?
Apple initially addressed the issue on Monday 28 Jan, nine days after the report, by suspending the group FaceTime feature. It then issued a statement apologising for the bug on 2 Feb.
"We sincerely apologise to our customers who were affected and all who were concerned about this security issue," said the company. "We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix."
On 7 Feb Apple released that fix, which is contained in the iOS 12.1.4 update. It also released a new statement:
"Today's software update fixes the security bug in Group FaceTime. We again apologise to our customers and we thank them for their patience.
"In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime.
"To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS."
How can I protect my iPhone, iPad or Mac from the FaceTime bug?
Note that only iPhones and iPads running iOS 12.1 or later, and Macs running macOS Mojave or later, were affected by the bug, because it required FaceTime's group calls feature. Older devices should therefore be safe.
What caused the delay?
That isn't clear. The company has thanked the Thompson family for reporting the bug (it is understood they will receive a reward and educational support), but they reportedly found it difficult to do so. "Thompson, along with his mother, Michele, tried to report the bug to Apple but said they struggled to get the company's attention until the problem gained traction on social media," said Reuters.
In an interview with the Associated Press, mother Michele Thompson said: "There needs to be a better process for the average citizen to report things like this. And a timelier response."
As part of its statement on the matter, Apple said: "We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible."
Apple is facing multiple lawsuits relating to the FaceTime group calls security issue.
Is FaceTime private and secure?
Generally, issues with Group FaceTime aside, FaceTime should be private and secure.
Apple uses end-to-end encryption to protect the data as it travels between the two phones, so it is not possible for someone to hack into your call (unless they exploit the bug mentioned above - and even then they could only listen in before you answered the call; they could not listen to a call that was already taking place).
Nor are the calls recorded or stored on Apple's servers, so even government agencies would not be able to gain access to them.
You should always make sure you are using a secure network. Beware of free Wi-Fi that you might find in hotels, restaurants and in airports - even if the business whose Wi-Fi you are using is legitimate, someone in the area could be advertising an unsafe network.
Obviously the safety of using FaceTime depends entirely on who you are calling and their motives. They could record the call, or take screenshots, and use them maliciously.
How to turn off FaceTime
If you're concerned about your privacy you can turn off FaceTime on your Apple device by following these steps:
- Open Settings.
- Scroll down to FaceTime and tap on it.
- Now tap on the toggle beside FaceTime to switch it off (once turned off the toggle will be white).