Serious FaceTime Bug Allows Eavesdropping of Microphone on iPhone & Mac, Here’s How to Protect Yourself
A serious privacy bug has been discovered in FaceTime for iOS and MacOS that allows remote eavesdropping on another persons iPhone or Mac, even if they don’t pick up and answer the FaceTime call. Essentially this means that anyone can remotely listen to the microphone of a targeted iPhone or Mac by a remarkably simple process.
Below we’ll show you how you can test and reproduce the FaceTime eavesdropping microphone bug yourself, and we’ll also show you how to protect yourself from the FaceTime remote microphone / video access bug by turning off FaceTime on Mac, iPhone, and iPad.
Note: it appears that only iOS and macOS versions that support Group FaceTime are impacted by this bug, thus anything earlier than iOS 12.1 or macOS 10.14.1 is likely not effected. Apple is apparently aware of the bug and will be releasing security patches later in the week, for the time being they have disabled the Group FaceTime service.
UPDATE 2/7/2019: This bug has been patched by Apple with iOS 12.1.4 and macOS 10.14.3 Supplemental Update and later versions of both operating systems.
How to Reproduce FaceTime Eavesdropping Bug & Remotely Listen to iPhone or Mac
- Start a FaceTime call with someone
- While the FaceTime call is ringing, tap the three dots or swipe up from the bottom of the screen to access the Group FaceTime feature
- Tap on “Add Person” and add your own phone number as the contact person to add to the FaceTime call
- The recipients iPhone or Mac will begin transmitting audio to you, even if they don’t answer the call
Going further, if the target presses the Power button on their iPhone, apparently it will start transmitting video as well.
What a lovely security bug! Not really, this is exceptionally bad. So obviously the question is how to protect yourself, which for now means disabling FaceTime completely.
How to Protect from FaceTime Eavesdropping Bug
Currently you can protect yourself or impacted devices from the remote FaceTime eavesdropping microphone / video camera bug by turning off FaceTime on the impacted devices. Here’s how to do that on iPhone, iPad, and Mac.
How to Disable FaceTime on iPhone and iPad
- Open Settings on iPhone or iPad and go to “FaceTime”
- Toggle the setting for “FaceTime” to OFF
How to Disable FaceTime on Mac
- Open FaceTime, then pull down the ‘FaceTime’ menu and choose “Turn FaceTime Off”
High-security minded Mac users who had previously either installed OverSight to detect camera and microphone activity on their Mac or disabled the Mac FaceTime camera completely should also be immune from the bug, though it’s possible that audio transmission could occur in the latter scenario.
If you have recently received a FaceTime call that you didn’t answer and you are concerned you are being listened to or watched remotely, simple turn off FaceTime or reboot your iPhone, iPad, or Mac, and then turn off FaceTime.
As mentioned before, the remote eavesdropping microphone / video camera FaceTime bug appears to be related to the Group FaceTime feature which was introduced in iOS 12.1 for iPhone and iPad and macOS 10.14.1 for Mac. In testing, we were not able to reproduce the bug when trying to connect to iPhone, Mac, or iPad that were running earlier iOS or MacOS system software versions.
The bug was apparently first knowingly publicized on Snapchat and Twitter by user @bmmanski where a short casual video is demonstrating the remote microphone access, that video was later noticed by 9to5mac and other tech and mainstream press. It’s possible this security flaw was known by others before this, however.
Now you can answer for yourself on FaceTime even if they don’t answer🤒#Apple explain this.. pic.twitter.com/gr8llRKZxJ
— Benji Mobb™ (@BmManski) January 28, 2019
Another video posted to Twitter by @itsnicolenguyen also demonstrates the bug and how easy it is to replicate:
— nic nguyen (@itsnicolenguyen) January 29, 2019
Apparently several different Twitter users were able to find the FaceTime eavesdropping bug even earlier in the month, but reporting the problem was unsuccessful:
VIDEO: Here is a video, recorded & sent to Apple by a 14 yr old & his mom, on JAN 23rd, alerting them to the dangerous #FaceTime bug, that has threatened the privacy of millions. I've removed sensitive / private info on behalf of the mother (an attorney), whom I just spoke to. pic.twitter.com/YIBKXEP3mI
— John H. Meyer (@BEASTMODE) January 29, 2019
According to Axios, Apple will be releasing an update later in the week to resolve the bug. Until then, you might want to consider disabling FaceTime on any impacted iPhone, iPad, Mac, iPod touch.
If you have any experience with this bug, or any additional information, feel free to share in the comments below.
I don’t think Apple’s software is nearly as secure we’d all like to think: https://www.reuters.com/investigates/special-report/usa-spying-karma/?_ga=2.108337858.1594103589.1548819461-348475102.1547932966
Another day, another serious Apple security bug….
I use Apple partially because it is so much more secure than Android, come on!
interesting that your website / URL shows up as not secure… essplain, please…
FaceTime is considered secure, this is simply a bug with how some versions of iOS and MacOS. Once a new version of iOS is released this bug will be fixed, but for now Apple has disabled Group FaceTime on their services to mitigate this issue.
If you’re talking about this website in general, it is HTTP, the standard web protocol for nearly every regular website since the beginning of the web. The purpose here is to read articles, which is not exactly a high security endeavor requiring high encryption. Eventually we’ll likely move to HTTPS but it’s a technical process with little to no benefit for sites like this.
Ellen, the site is http. A publicly available website. If it asks you to log in… don’t. All sites are not supposed to be “secure”. it is intended for public consumption.
Glarn is correct. And to be clear, there are no reader or user logins on this website and there is nothing to login to. Readers/users can submit comments if they want to, or search queries if they want to, and that’s it. The admins (like myself) have an HTTPS login.
Questions I’d like answered about this:
1/ does Facebook have to be turned on to pose a problem?
2/ is iOS 10.3.3 new enough to be adversely affected?
3/ will the Apple fix, coming this week, be sent to older units like my iPhone 5 with iOS 10.3.3?
iOS versions prior to iOS 12.1 should not be impacted, because they do not include the Group FaceTime feature.
Apple has disabled the Group Facetime service.
Has this perhaps already been fixed in 12.2 beta 1?