NOTICE: FaceTime bug

Tuesday, January 29, 2019

2/8/19 update: Apple has released an update that addresses the FaceTime bug. See Apple rolls out fix for FaceTime eavesdropping bug (CNN Business, 2/7/19).

1/29/19: This information was sent to the IT Security Community and Frontline Notify groups via email on January 29, 2019.

Summary

Apple has removed the Group FaceTime feature from its FaceTime app while it works to fix a bug that allowed for eavesdropping of calls. The bug allowed a caller to listen to call audio even when the person they were calling had not yet answered. FaceTime users should watch for an update and apply it as soon as it is available.

Problem

A bug discovered yesterday in Apple's FaceTime app allowed a person to eavesdrop when initiating a group call. By starting a FaceTime call with an iPhone contact and then immediately adding their own phone number to the call, a person could trick FaceTime into starting the group call and activating the call recipient's audio without them answering the call. If the call recipient pressed the power or volume button, their device would also broadcast video.

Threats

As of late yesterday (January 28), Apple has temporarily disabled all group FaceTime functionality, so, as far as has been reported, there is no immediate threat.

Affected Systems

Apple FaceTime on mobile devices running iOS 12.1 and computers running macOS Mojave.

Action Items

FaceTime users should watch for an update and apply it as soon as it becomes available. Apple expects to release the update later this week. Apple has disabled the group calling feature, so you can use FaceTime only for one-on-one calls. If you feel more comfortable disabling FaceTime completely, you can follow these instructions:

  1. On your iPhone or iPad, open Settings.
  2. Scroll down to the list of apps and select FaceTime.
  3. At the top of the screen, set the on-off switch to off (change it from green to clear). This will prevent FaceTime users from contacting you.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.