A major security flaw let iOS users make calls and eavesdrop on other iPhone users’ conversations, even when calls were not picked up. The flaw allowed malicious users access to microphones and temporary camera access. After the discovery, Apple temporarily made Group FaceTime unavailable.
According to Apple’s system status support page, Group FaceTime has been temporarily unavailable since late Monday evening, around 10 PM. Group FaceTime was a new feature of iOS 12.1. Apple quietly took down the service and did not give a timeline for when it will be made available again. However, the company has said that it is planning to release a software update later this week.
The exploit was present in both iPhone and Mac devices running iOS 12.1.
First reports of the malicious glitch appeared on social media sites like Twitter and Reddit.
A Reddit user posted the following:
“Friend just “hacked” my phone….He has an iPhone so do I. I was minding my own business when I heard him calling out my name. No idea where it was coming from when I realized it was coming from my phone so I figured no big deal, probably butt dialed him. Nope. He was facetiming me and I had the Accept Facetime screen but he could hear me and I could hear him. I didn’t have to accept or anything. He states he can do it to anybody. Anyone know what this is?”
The flaw is triggered when a user makes a FaceTime call to another person using iOS. As the call begins to dial, the user swipes up from the bottom and an option comes up saying ‘Add Person’. The user then clicks this option to add their own phone number. This allows the FaceTime call to go through, and audio begins coming through without the person accepting the call. Video feed can also begin if the user presses the power button from the lock screen.
There are major privacy and security concerns with this flaw, as any malicious person can begin listening in on private conversations without the other party ever knowing.
Governor Andrew Cuomo released a consumer alert to all New Yorkers about the major bug, saying:
“The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk… I am deeply concerned by this irresponsible bug that can be exploited for unscrupulous purposes.”
It is important for all users to disable FaceTime until the software update is released by going to Settings > FaceTime and then switching the button from on to off.