Update, February 7, 2019 (2:22PM EST): Apple released iOS 12.1.4 earlier today, Neowin reported. The update fixes the Group FaceTime bug, which Apple had temporarily mitigated by taking Group FaceTime offline.
The update also fixes a Live Photos flaw discovered in FaceTime’s security audit and includes a few other security fixes. On a related note, Apple released a supplemental update for macOS 10.14.3 that also addresses the Group FaceTime bug.
You must download the update if you want to use Group FaceTime. The same goes for iOS 12.2 beta users, who don’t yet have the fix.
If you have an iOS device, go to Settings > General > Software Update to download and install the update.
Original article, January 29, 2019 (8:33AM EST): A bug has been discovered in Apple FaceTime that allows users to hear the person they are calling before that person accepts or declines the call. The problem, picked up by 9to5Mac, can seemingly affect anyone with iOS 12.1 or later.
You can exploit the bug by starting a FaceTime video call with a contact. While this call is ongoing, you can add yourself to the call — using your own number — to begin a group call.
From then until the receiver rejects the call, their handset’s microphone is activated and audio is transmitted (as if they had answered it). However, their phone screen still shows the call as incoming, rather than connected. 9to5Mac and others have also reported methods for activating the receiver’s video since the initial exploit was discovered.
Apple is aware of the issue and has taken Group FaceTime offline while it addresses it. The company also said the bug would be fixed in a software update this week.
How big is the problem?
Despite Apple’s swift response, the existence of the bug itself is alarming and could have had severe consequences.
Because many people now silence their phones at work or even at home to cope with notifications, a person could have used this exploit dozens of times to listen in on whole conversations without the receiver ever knowing. Thankfully, Group FaceTime only officially launched last October with iOS 12.1, so it hasn’t had much time to be used in a wrongful manner (if anybody was even aware of it prior to yesterday).
What could be worse than the damage it caused to users is the damage it does to Apple’s image. Only earlier this month during CES 2019, Apple produced adverts touting its user privacy strengths, while it was only yesterday that CEO Tim Cook talked up “action and reform for vital privacy protections.”
Apple never shows up at CES, so I can’t say I saw this coming. pic.twitter.com/8jjiBSEu7z
— Chris Velazco (@chrisvelazco) January 4, 2019
The company has long held up its own privacy and security over that of other hardware manufacturers. In its iOS 12.1 security document from last November, Apple called iOS “a major leap forward in security for mobile devices.” Meanwhile, in an iOS security overview document from last year, the company stated, “Only Apple can provide this comprehensive approach to security, because we create products with integrated hardware, software, and services.” Based on this recent FaceTime incident, it seems the system isn’t as secure as Apple would have us all believe.
We must keep fighting for the kind of world we want to live in. On this #DataPrivacyDay let us all insist on action and reform for vital privacy protections. The dangers are real and the consequences are too important.
— Tim Cook (@tim_cook) January 28, 2019
That’s not to say that Apple is any worse than its competitors. Privacy-related incidents are a common occurrence in an industry that increasingly relies on always-listening services to provide virtual assistant experiences. Two examples are Google having to disable the hardware button on the Home Mini in order to stop it from recording everything, and an Amazon Echo recording a couple’s private conversations and sending them to a third user.
That said, this FaceTime incident is a serious blow to Apple’s carefully constructed image as a champion of privacy. After all, if users can’t trust a relatively simple service like FaceTime to protect their privacy, why would they buy into Apple’s greater narrative that it puts privacy above all else?
If you have concerns about FaceTime, you can disable FaceTime in iOS Settings until Apple issues a fix.