On January 28th, a bug was discovered in the Apple FaceTime feature that allows a user to eavesdrop on FaceTime users via audio and video for a brief period.  The bug resides in the Group FaceTime feature and is trivial to exploit. Listening in to audio does not require interaction by the recipient while enabling video requires minimal interaction.

Apple has temporarily disabled Group FaceTime on the server side, and is planning to address the flaw in a software update for devices this week although no official date is available at this time [1]. Due to the risk of information loss and the trivial nature of exploitation, disabling FaceTime should be considered until the device software update has been released by Apple.

Since first publications Apple has released a security update to mitigate this issue.

What we’re doing about it

  • The eSentire Threat Intelligence Team is monitoring this issue for additional information

What you should do about it

  • As an added security measure, consider disabling FaceTime until the issue is fully addressed in an update
  • Apply the iOS 12.1.4 update

Additional information

Exploiting the bug requires three simple steps:

  1. Call the intended target on FaceTime
  2. While the call is dialing, press the Add Person option
  3. Invite yourself to the call through the Add Person option

These three steps initiate the call without waiting for the target to accept; allowing for audio eavesdropping. If the recipient presses the Power button or the Volume Down button, video is also sent to the caller [2].

References:

[1] https://www.cnn.com/2019/01/29/tech/facetime-bug-how-to-deactivate-scli-intl/index.html

[2] https://thehackernews.com/2019/01/apple-facetime-privacy-hack.html

[3] https://support.apple.com/en-us/HT209520

See the latest security advisories

Articles and reports written by eSentire staff and our Threat Intelligence Research Group.

Ready to get started?
We're here to help.

Get Started
Reach out to schedule a meeting and learn more about our Managed Detection and Response, Risk Advisory and Managed Prevention capabilities.