New FaceTime Bug Allows Audio, Video Eavesdropping
Sivan Nir Feb 1, 2019
A newly announced FaceTime bug that allows callers to hear live audio or see through the camera on the recipient end still awaits a fix from Apple at the time of this post.
Timeline of the FaceTime Bug
Sometime before January 20, Grant Thompson — a fourteen-year-old in Tucson, Arizona — accidentally discovered the FaceTime bug. His mother, Michele, took on the fun task of figuring out how to officially report a bug to Apple. She registered with Apple Support as a developer which she, admittedly, is not, and attempted to notify the the tech giant via email, phone calls and even fax but received no response.
By January 23, the mother-son Thompson duo had sent a proof of concept video to Apple to show how the bug played out.
Other exploit videos made the rounds on social media by January 28. That same day, news and blogs started paying attention, and the flaw was confirmed by Apple with a one-liner in a BuzzFeed that stood as their sole public response at the time.
The next day, on January 29, Grant was busy sorting through interview opportunities, judging the volume of requests appearing in his Twitter feed. Also on the 29th, Apple disabled Group FaceTime that enabled video components of the flaw and left and oblique reference to the issue on the System Status page.
Looking ahead, Apple has said a fix to the FaceTime bug won’t be available until the week of February 3.
What is the FaceTime Bug?
While most of the media attention has been around the bug in iPhones, The Register has reported Macs are vulnerable as well.
In technical terms, the FaceTime bug is an information disclosure vulnerability affecting iOS versions 12.1/2 and MacOS X version 10.14 (see full details at Skybox Vulnerability Center under SBV 97617 and SBV 97618).
The vulnerability allows recipient’s audio from their microphone to be automatically transmitted to the recipient. Essentially, this lets the caller eavesdrop on whatever’s happening near the device before the call is accepted or declined. If the recipient hits the power button or volume controls while receiving, the feed from the front-facing camera will also be transmitted to the caller.
In order for the flaw to “work,” both parties need to have the FaceTime application installed and have the Group FaceTime feature enabled. The recipient’s device also can’t be in Do Not Distrub mode. It’s pretty trivial to reproduce, if you want to see for yourself.
To avoid the vulnerability, disable the GroupFaceTime feature or FaceTime application entirely; though some security professionals are wary without confirmation from Apple that either stop-gap measure will fully fix the privacy issue.
- New FaceTime Bug Latest Chapter in Disclosure Story
The most recent FaceTime bug is not the applications first foray with unauthorized information disclosure.
Two other issues were discovered back in fall 2018. One issue (SBV-94752) also in the Group FaceTime feature allowed a bypass of an iPhone’s lock screen to access contacts, and another slightly more convoluted one using the VoiceOver feature allowed access to photos as well. Both vulnerabilities required physical access to the device to exploit; this is in contrast to the January flaw, which only requires certain conditions on the victim’s device that are default for iOS 12 and can be exploited via a phone call.
Stretching back even further, in 2016 a remote eavesdropping bug in the Call Relay feature could allow an attacker to make a call appear terminated, yet allow the audio transmission to continue (SBV-65518). And way back in 2010, a vulnerability could allow man-in-the-middle attackers to redirect calls (SBV-47795).
Following this FaceTime information disclosure story back in time, one may observe these exploits are getting more serious — and easier to implement — over time.
Android API Vulnerability Exposes Sensitive Customer Information: Attackers could use the Android API vulnerability to physically locate a user, track their online activity or target them with ads
Terdot Resurrects Zeus Banking Trojan, Bigger and Badder Than Before: Terdot builds on Zeus’ source code to do more than steal banking credentials, including eavesdrop on social media and email activity