Serious FaceTime Bug Allows Eavesdropping of Microphone on iPhone & Mac, Here’s How to Protect Yourself

Jan 28, 2019 - 10 Comments

FaceTime security bug allows listening to microphones remotely

A serious privacy bug has been discovered in FaceTime for iOS and MacOS that allows remote eavesdropping on another persons iPhone or Mac, even if they don’t pick up and answer the FaceTime call. Essentially this means that anyone can remotely listen to the microphone of a targeted iPhone or Mac by a remarkably simple process.

Below we’ll show you how you can test and reproduce the FaceTime eavesdropping microphone bug yourself, and we’ll also show you how to protect yourself from the FaceTime remote microphone / video access bug by turning off FaceTime on Mac, iPhone, and iPad.


Note: it appears that only iOS and macOS versions that support Group FaceTime are impacted by this bug, thus anything earlier than iOS 12.1 or macOS 10.14.1 is likely not effected. Apple is apparently aware of the bug and will be releasing security patches later in the week, for the time being they have disabled the Group FaceTime service.

UPDATE 2/7/2019: This bug has been patched by Apple with iOS 12.1.4 and macOS 10.14.3 Supplemental Update and later versions of both operating systems.

How to Reproduce FaceTime Eavesdropping Bug & Remotely Listen to iPhone or Mac

  1. Start a FaceTime call with someone
  2. While the FaceTime call is ringing, tap the three dots or swipe up from the bottom of the screen to access the Group FaceTime feature
  3. Tap on “Add Person” and add your own phone number as the contact person to add to the FaceTime call
  4. The recipients iPhone or Mac will begin transmitting audio to you, even if they don’t answer the call

Going further, if the target presses the Power button on their iPhone, apparently it will start transmitting video as well.

What a lovely security bug! Not really, this is exceptionally bad. So obviously the question is how to protect yourself, which for now means disabling FaceTime completely.

How to Protect from FaceTime Eavesdropping Bug

Currently you can protect yourself or impacted devices from the remote FaceTime eavesdropping microphone / video camera bug by turning off FaceTime on the impacted devices. Here’s how to do that on iPhone, iPad, and Mac.

How to Disable FaceTime on iPhone and iPad

  1. Open Settings on iPhone or iPad and go to “FaceTime”
  2. Toggle the setting for “FaceTime” to OFF

Disable FaceTime in iOS

How to Disable FaceTime on Mac

  1. Open FaceTime, then pull down the ‘FaceTime’ menu and choose “Turn FaceTime Off”

Disable FaceTime on Mac

High-security minded Mac users who had previously either installed OverSight to detect camera and microphone activity on their Mac or disabled the Mac FaceTime camera completely should also be immune from the bug, though it’s possible that audio transmission could occur in the latter scenario.

If you have recently received a FaceTime call that you didn’t answer and you are concerned you are being listened to or watched remotely, simple turn off FaceTime or reboot your iPhone, iPad, or Mac, and then turn off FaceTime.

As mentioned before, the remote eavesdropping microphone / video camera FaceTime bug appears to be related to the Group FaceTime feature which was introduced in iOS 12.1 for iPhone and iPad and macOS 10.14.1 for Mac. In testing, we were not able to reproduce the bug when trying to connect to iPhone, Mac, or iPad that were running earlier iOS or MacOS system software versions.

The bug was apparently first knowingly publicized on Snapchat and Twitter by user @bmmanski where a short casual video is demonstrating the remote microphone access, that video was later noticed by 9to5mac and other tech and mainstream press. It’s possible this security flaw was known by others before this, however.

Another video posted to Twitter by @itsnicolenguyen also demonstrates the bug and how easy it is to replicate:

Apparently several different Twitter users were able to find the FaceTime eavesdropping bug even earlier in the month, but reporting the problem was unsuccessful:

According to Axios, Apple will be releasing an update later in the week to resolve the bug. Until then, you might want to consider disabling FaceTime on any impacted iPhone, iPad, Mac, iPod touch.

If you have any experience with this bug, or any additional information, feel free to share in the comments below.

Enjoy this tip? Subscribe to the OSXDaily newsletter to get more of our great Apple tips, tricks, and important news delivered to your inbox! Enter your email address below:

Related articles:

Posted by: Paul Horowitz in iPad, iPhone, Mac OS X, News, Security

10 Comments

» Comments RSS Feed

  1. Floris says:

    Has this perhaps already been fixed in 12.2 beta 1?

  2. Alex says:

    Don’t care.

    Apple has disabled the Group Facetime service.

    https://www.apple.com/support/systemstatus/

  3. david watts says:

    Questions I’d like answered about this:

    1/ does Facebook have to be turned on to pose a problem?

    2/ is iOS 10.3.3 new enough to be adversely affected?

    3/ will the Apple fix, coming this week, be sent to older units like my iPhone 5 with iOS 10.3.3?

  4. ellen blackstone says:

    interesting that your website / URL shows up as not secure… essplain, please…

    • Paul says:

      FaceTime is considered secure, this is simply a bug with how some versions of iOS and MacOS. Once a new version of iOS is released this bug will be fixed, but for now Apple has disabled Group FaceTime on their services to mitigate this issue.

      If you’re talking about this website in general, it is HTTP, the standard web protocol for nearly every regular website since the beginning of the web. The purpose here is to read articles, which is not exactly a high security endeavor requiring high encryption. Eventually we’ll likely move to HTTPS but it’s a technical process with little to no benefit for sites like this.

    • Glarn Snargson says:

      Ellen, the site is http. A publicly available website. If it asks you to log in… don’t. All sites are not supposed to be “secure”. it is intended for public consumption.

      • Paul says:

        Glarn is correct. And to be clear, there are no reader or user logins on this website and there is nothing to login to. Readers/users can submit comments if they want to, or search queries if they want to, and that’s it. The admins (like myself) have an HTTPS login.

  5. Gnam Nom says:

    Another day, another serious Apple security bug….

    https://www.thesun.co.uk/tech/8313049/iphone-icloud-breach-bug/

    I use Apple partially because it is so much more secure than Android, come on!

Leave a Reply

 

Shop on Amazon.com and help support OSXDaily!

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates

Tips & Tricks

News

iPhone / iPad

Mac