Monday, 28 January 2019

Apple bug lets others eavesdrop on FaceTime video and audio before you pick up

Apple iOS users are vulnerable to a bug revealed on Monday that allows malicious third parties to listen in on others' FaceTime video chats.

Apple says the issue will be addressed in a software update “later this week”.

This is big.

Turn off FaceTime until Apple releases a fix, and you've updated.

HERE IS HOW: Go to Settings, search for “FaceTime,” toggle the switch off (it'll go from green to grey).

The bug lets one user call another user on FaceTime and automatically begin hearing the other person before they pick up the FaceTime call.

The person being called on FaceTime isn't made aware by the software that the other party can listen in.

The bug was discussed on social media and first published by 9to5Mac.com, then confirmed by Bloomberg News and others.

It happens when a FaceTime user creates a FaceTime conference call, adds in their phone number, and then adds the phone number of another person.

From 9to5Mac:

Update: There’s a second part to this which can expose video too …

9to5Mac has reproduced the FaceTime bug with an iPhone X calling an iPhone XR, but it is believed to affect any pair of iOS devices running iOS 12.1 or later.

Here’s how to do the iPhone FaceTime bug:

Start a FaceTime Video call with an iPhone contact.

Whilst the call is dialling, swipe up from the bottom of the screen and tap Add Person.

Add your own phone number in the Add Person screen.

You will then start a group FaceTime call including yourself and the audio of the person you originally called, even if they haven’t accepted the call yet.

It will look in the UI like the other person has joined the group chat, but on their actual device it will still be ringing on the lockscreen.

The damage potential here is real. You can listen in to soundbites of any iPhone user’s ongoing conversation without them ever knowing that you could hear them. Until Apple fixes the bug, it’s not clear how to defend yourself against this attack either aside from disabling FaceTime altogether.

As it stands, if your phone is ringing with an incoming FaceTime request, the person on the other end could be listening in.

What we have also found is that if the person presses the Power button from the lock screen, their video is also sent to the caller — unbeknownst to them. In this situation, the receiver can now hear your own audio, but they do not know they are transmitting their audio and video back to you. From their perspective, all they can see is accept and decline. (Another update: It seems there are other ways of triggering the video feed eavesdrop too.)

[Thanks, Gina]