Group FaceTime flaw allowed users to eavesdrop on conversations

A major flaw in Group FaceTime was discovered which allowed users to listen to the other person, before they even accept the call. The issue was replicated on iOS (iPhone and iPad) as well as Mac. As expected, news about the issue spread like wildfire on news, even making it to mainstream media. Apple responded by saying that they will be releasing software updates to fix the vulnerability. The company temporarily disabled Group FaceTime for all users, presumably via a server kill-switch, to ensure that users do not exploit the issue. Along with the news of this issue, a family came into attention which had reported the problem to Apple, before it hit the news. Even politicians have jumped in on the news and written to Apple, sharing their concerns

FaceTime Bug

Here are all the details of the FaceTime bug and the news around it.

Origins of the FaceTime bug

The issue was first reported by 9to5mac, after some chatter on social media surfaced. A Reddit thread highlighted the issue on r/iphone:

Friend just “hacked” my phone from r/iphone

Some tweets also went viral:

As it turned out, the issue was easily replicable by following these steps:

  • Start a FaceTime call
  • Swipe up from the bottom of the screen and tap on Add Person
  • Select your own FaceTime enabled phone number or email address
  • Once the Group FaceTime call starts, audio from the other person is transmitted, without them even accepting the call

These steps could be replicated on both iOS 12.1.3 and macOS 10.14.3 and their prior versions.

Some users reported that even FaceTime video calls could be initiated through this bug, allowing video transmission without the recipient even knowing about it.

Apple’s response

Apple’s initial response to this issue was a statement to BuzzFeed that they will release a software update within the week. This was on February 1. A week has passed and Apple has not released any software updates for iOS and macOS to resolve this issue.

As a temporary fix, Apple disabled Group FaceTime from their servers so that users cannot further exploit the issue. Apple’s system status page still says that the feature is temporarily unavailable.

Expect Apple to release iOS 12.1.4 and macOS 10.14.4 to fix this issue and re-enable Group FaceTime.

The teenager who reported the bug

Further twists in this story came in the form of a mother and her teenage son, who had attempted to report the issue to Apple in January. The first tweet can be traced back to January 21, which mentions that the mother submitted a bug report to Apple and was waiting to hear back from the company.

This was the email sent by the mother:

This was the video created by the family to show the bug:

The issue was accidentally discovered by the 14-year old teenager when trying to setup a Group FaceTime call when playing Fortnite. This news meant that Apple could have fixed this issue earlier, had they paid attention to the bug report. However, for huge company like Apple, which possibly receives hundreds, if not thousands, of bug reports daily, things are not as simple as they seem.

FaceTime bug lawsuit

Of course, opportunists are everywhere who jump to capitalize on such news and situations. As per Bloomberg, a lawyer sued Apple over this FaceTime bug, claiming that he was eavesdropped on during a client deposition:

Attorney Larry Williams II said the glitch intrudes on the privacy of “one’s most intimate conversations without consent,” according to the complaint he filed in state court in Houston. He said he was eavesdropped on while taking sworn testimony during a client deposition.

Make of that what you will but it’s really difficult to believe this claim, let alone prove that it happened.

Apple acknowledges teenager bug report and possible bounty

Apple shared a statement with CNBC, where they acknowledged the bug report and thanked the family for reporting the issue.

We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.

We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.

According to CNBC, an Apple executive met the Grant Thompson, the 14-year old teenager who discovered the bug.
She said a high-level Apple executive flew to Tucson, Arizona, on Friday afternoon to meet with Grant. The executive, whom she declined to name, “thanked us in person and also asked for our feedback, asked us how they could improve their reporting process.”
The executive also hinted that Grant would be eligible for a reward under Apple’s bug bounty program.

US Government’s Letter to Apple

Considering that eavesdropping on calls is a major issue, the House Committee on Energy & Commerce of United States has sent a letter to Apple asking questions on the bug. They have also issued a statement:

“While these are wonderful tools when used right, the serious privacy issue with Group FaceTime demonstrates how these devices can also become the ultimate spying machines.  That is why it is critical that companies like Apple are held to the highest standards,” Pallone and Schakowsky wrote to Cook.  “Your company and others must proactively ensure devices and applications protect consumer privacy, immediately act when a vulnerability is identified, and address any harm caused when you fail to meet your obligations to consumers.”

So far, Apple has not responded to the letter publicly.

At the time of writing, an update for iOS and macOS is yet to be rolled out which should fix Group FaceTime. Until then, the feature will stay disabled.