Apple has disabled Group FaceTime following discovery of a flaw that could potentially let people hear audio from other people’s devices without permission. What’s going on and what can you do about it?
The Group FaceTime bug, in brief
A 9to5Mac report based on a video published to Twitter by @BmManski that revealed this flaw lets a user listen to audio captured using another person’s device before they accept or reject the call requesting a FaceTime chat. The problem affects only iOS devices running iOS 12.1 or later (pending an update).
What Apple said
In a statement, Apple said it is “Aware of this issue… we have identified a fix that will be released in a software update later this week.”
How the Group FaceTime bug works
- Start a FaceTime Video call with an iPhone contact.
- While the call is dialling, swipe up and tap Add Person.
- Add your own number in the subsequent screen.
- You will enter a Group FaceTime call, which will feature audio captured by the device belonging to the person you have called, even if they haven’t accepted the call (ie. their iPhone is still ringing).
It appears video captured by the iPhone’s front-facing camera can also be picked up, but only if the person you are contacting taps the Power button on the LockScreen.
How to prevent the Group FaceTime bug
Apple has effectively disabled the bug by switching off its Group FaceTime service pending a software patch. Meanwhile users who are concerned about the problem may want to disable FaceTime on their devices.
- Disable on iOS: System Settings>FaceTime> Toggle to off.
- Disable on Mac: Open FaceTime and Turn FaceTime Off in the menu.
It is important to note that no one has claimed this fault impacts Macs.
What is Apple doing to fix the Group FaceTime problem?
Apple says it will publish a software update to address this bug in the next few days. It has disabled Group FaceTime pending that fix, which is expected to appear later this week.
Should we panic?
No. This minor bug will be quashed quickly. It also seems important to note that the audio/video remains available for only a short time while the recipient device rings. The feed stops once the call is rejected.
The big picture is a little more complex.
The existence of a flaw like this one does nothing to dilute the arguments of many privacy advocates who believe users should take tight control of any applications that attempts to use the built-in cameras, microphones, and other functions of the systems that they use.
Get to know your Privacy Settings
To review the apps that use your microphone and camera, you should open the Privacy section in Settings>Privacy where you can review which apps are demanding access to the following software and device features:
- Location Services
- Bluetooth Sharing
- Speech Recognition
- Media & Apple Music
- Motion & Fitness
It is a good idea to review all of these to ensure that only apps and services you trust can access this information. There are still some apps that (for example) demand access to your Contacts even though they seem to have little need to have that data.
On a case-by-case basis, you should decide which apps you trust less and disable access for them. Doing so may impact the functionality of an app (so replace it), but it also reduces your potential attack surface.
I choose to provide very little access to most social media services and refuse to access Facebook except using Apple’s Safari browser, in part because the app is an energy hog.
What I think
While I see no reason for any great panic about this particular bug, I do think it illustrates a real need to ensure users are given clear visual indicators whenever an app is using their camera or mic, covertly or overtly.
I’d urge platform providers Apple, Google, and Microsoft to ensure this becomes a mandatory feature across all their operating systems in an attempt to help prevent covert or overt surveillance of this type. Such an indication would also provide customers with a small degree of reassurance.
Please follow me on Twitter, and join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.