Over the last weekend, a serious privacy bug was reported in Apple’s Group FaceTime service. The bug would allow someone to enable the microphone and camera on another person’s device.

The Issue

You can read the 9to5mac article for the steps on how this bug was activated. The short version is that if the person you are calling declined the call with the sleep/wake button, and you added your own phone onto the call again, you would be able to hear the original caller’s microphone and see their camera.

Apple is currently working on a fix. In the interim, Apple has disabled Group FaceTime on the server side until a fix is released, which should be this week.

Security Implications

Imagine this scenario. A group of 3 people decides to have a FaceTime call. Person 1 calls Person 2. While the phone is ringing, Person 1 attempts to call Person 3, but accidentally clicks on their own contact information while scrolling. Person 2 declines the FaceTime call accidentally, and the audio from Person 2’s device is audible to Person 1.

I cannot emphasize enough how bad this bug is. Not just because it should not have gotten through Quality Assurance (QA) and testing, but also because of Apple’s focus on privacy. With regard to getting through QA, using the sleep/wake button to dismiss a call is an extremely common action, and adding another person to a Group FaceTime call is the entire point of Group FaceTime. To add to this, despite announcing Group FaceTime at the 2018 Worldwide Developers Conference (WWDC), Apple delayed Group FaceTime due to bugs and issues. This one was obviously not noticed during testing.

You might think that this is a minor bug because you “have nothing to hide”. While that is all well and good for you, there are others who need privacy or are in sensitive situations where this can be abused. One example of this could be a domestic violence situation where an abuser could use this bug to spy on someone. This would not be a good situation at all.

Another example could be a lawyer, who needs to keep their clients’ communications confidential. One last example is world leaders. If any of the world leaders, or their assistants, use an iPhone, someone may have been able to use this bug to listen in. In other words, this is a really bad bug.

The fact that this bug got through is bad, but it is compounded because one of Apple’s core tenets is security and privacy. Any privacy bug is a problem for Apple because they make privacy a differentiator from other products on the market.

It is good to see that Apple has taken this seriously and has temporarily disabled Group FaceTime services. Even though this is bad, it is possible that Apple will make some internal changes to improve testing of their features for privacy bugs. 

Source: 9to5mac.com