
https://www.bankinfosecurity.com/


Apple Rushes to Fix Serious FaceTime Eavesdropping Flaw
Callers Can Hear and See Recipients Before They Pick Up
Mathew J. Schwartz (euroinfosec) • January 29, 2019    

Apple has disabled Group FaceTime pending a fix for the eavesdropping flaw.

Apple has disabled Group FaceTime after reports emerged on Monday that the feature
could be abused to eavesdrop on iPhone users.

"We're aware of this issue and we have identified a fix that will be released in a software
update later this week," an Apple spokesman tells Information Security Media Group.

Apple's system status page says that Group FaceTime, as of 3:16 a.m. British Time, remains
"temporarily unavailable" due to an "issue."

The technology giant's move follows an exploit for the flaw going viral via social media and
Reddit on Monday after a proof-of-concept demonstration video was posted.

Benji Mobb™
@BmManski

Now you can answer for yourself on FaceTime even if they don’t answer
#Apple explain this..
1:24 AM · Jan 29, 2019


As 9to5mac has reported, exploiting the flaw involves a caller contacting someone via
FaceTime, and while the call is dialing, swiping up to "Add Person" to the call, and then
entering the caller's phone number.

"You will then start a Group FaceTime call including yourself and the audio of the person
you originally called, even if they haven't accepted the call yet," 9to5mac reports. Exploit
variations have also been found. For example, press the power button on the lock screen,
and that allows a caller to see a recipient's video feed as well as hear audio, it says. A
recipient, however, will be unaware, only seeing on their screen the ability to either accept
or decline the incoming voice or video call.

Chris Pierson, CEO of concierge cybersecurity firm BlackCloak, tells ISMG that his company's
cybersecurity team has also confirmed that the flaw provides third-party access to a
targeted iPhone or iPad microphone and video camera feed.

"This means unfettered access to whoever is in listening or visual range of the device - from
boardrooms, private offices, financial institutions and our bedrooms it is possible to gain
access to this private information," Pierson says.

NSA Warning: 'Turn Off FaceTime'


News of the flaw led social media moguls and offensive hacking experts alike to urge iPhone
users to take action.

"Disable FaceTime for now until Apple fixes," Twitter CEO Jack Dorsey tweeted.

"iPhone users. Turn off FaceTime until Apple issues a patch for iOS and you install it. Claims
of major privacy issue discovered. Go to settings. Scroll down to FaceTime (green icon with
camera) and switch off," tweets Rob Joyce, the National Security Agency's senior adviser for
cybersecurity strategy to the director.

Pierson says that anyone who deals with sensitive information should heed these warnings
posthaste.

"Individuals who deal with sensitive financial data, government secrets, healthcare data or
intellectual property, as well as top corporate executives and board members, should take
heed and immediately disable FaceTime on all of their devices until a patch has been
implemented," Pierson says. "This is a critical watershed event in potentially allowing the
unfettered access to all Apple products' cameras and microphones and a huge miss by the
company."

Rob Joyce
@RGB_Lights

iPhone users. Turn off FaceTime until Apple issues a patch for iOS and you install it.
Claims of major privacy issue discovered. Go to settings. Scroll down to FaceTime
(green icon with camera) and switch off.

9to5Mac.com @9to5mac
Replying to @9to5mac
In a statement, Apple says the FaceTime bug will be fixed in a
software update “later this week”. 9to5mac.com/2019/01/28/fac

10:00 AM · Jan 29, 2019


But Apple has earned plaudits for responding quickly - and by disabling Group FaceTime
altogether pending a fix, apparently forcefully reacting to the privacy problem.

"Good response by Apple for quite possibly one of the most significant privacy/security
bugs the company has had to deal with in recent years (if not ever?): remote hotmic,"
tweeted privacy expert Ashkan Soltani, who previously served as the CTO for the Federal
Trade Commission.

About the Author

Mathew J. Schwartz
Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic
media. He has covered the information security and privacy sector throughout his career. Before joining
Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and
for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a
frequent contributor to DarkReading, among other publications. He lives in Scotland.
