PSA: Disable FaceTime. Miscreants can snoop on your iPhone, Mac mic before you pick up call

You might want to disable FaceTime on your iPhone, iPad, or Mac until Apple patches this bonkers bug. Folks have confirmed it is possible to call someone via FaceTime, and secretly listen in on their iThing or Mac's microphone before they accept or reject a call. It's a handy, creepy way to find out what someone's up to before …

  1. Anonymous Coward
    Anonymous Coward

    Bug?

    Undocumented (previously hidden) spy agency function?

    1. Captain Scarlet Silver badge
      Coat

      Re: Bug?

      Nah just the software isn't being used in the way their software team expected.

      Wait did I just stick up for Apple, I must be coming down with something!

      1. VikiAi Silver badge
        Linux

        Re: Bug?

        You need a Penguin a day to keep the Apple away! :-P

        1. Anonymous Coward
          Anonymous Coward

          Re: Bug?

          I found the mix of Linux and Apple to be the best combination for what we do.

          One offers me decent backbone stability and the option to tweak what I want (with the caveat that local tweaks may hurt that stability :), the other gives me a good graphics oriented desktop that speaks Open Standards by default (although you have to use the resvport option to get an NFS mount going) and that I can let loose on end users without immediately drowning in support calls.

          That said, this is a VERY bad bug. Thanks to continuous assault on our rights I am very wary of these things, and this one is so bad it almost looks deliberate as it's trivial to activate. Heck, this is intercept capabilities for beginners - *seriously* bad.

        2. Anonymous Coward
          Anonymous Coward

          Re: Bug?

          I'd love to use a Penguin phone! What can the Penguin offer in the way of a phone? *sets the trap, waiting with CVE avalanche for claims equating Linux and Android*

          1. doublelayer Silver badge

            Re: Bug?

            Your choices:

            1. Lineage OS, uses the Android stack but removes the Google blobs unless you reinstall them. This generally works, but offers little Linux functionality. You must have a phone in a specific list, with only flagships from each generation and popular devices included.

            2. Sailfish, which has more Linux and no Android, and offers some Linux functionality but is mostly incompatible with the Linux functionality of a Linux desktop. You must have a phone in a specific list, with only flagships from old generations included.

            3. Ubuntu Touch, which was promising until it was dropped, and is now maintained by a random group of people, meaning who knows what it will be like tomorrow. But it does do Linux, and well. For now. You must have a phone in a specific list. The list is very short. Expect installation to take forever, plus a lot of typing. Good luck.

            I really wish there were better options.

      2. This post has been deleted by its author

      3. Anonymous Coward
        Anonymous Coward

        Re: Bug?

        Nah just the software isn't being used in the way their software team expected

        I don't think so. I had a ping that this "feature" has been known for at least 3 months by some parties who are not quite as diligent to pass on bugs to the manufacturer, they use them instead for fun and profit.

        The best way to have a confidential meeting is still without any electronics, but given that we are living in a world where people find it normal to have Google Home and Amazon Alexa listening to their every word I have the impression that people have gone numb to the risks.

        1. Waseem Alkurdi Silver badge

          Re: Bug?

          The best way to have a confidential meeting is still without any electronics

          Bugs. Lots of them.

          1. Anonymous Coward
            Anonymous Coward

            Re: Bug?

            Yes, but it depends on your level of paranoia.

            The people we use for client office bug sweeping are at the top of their game, ex-intelligence, and they cost serious money and they literally take everything apart (assuming they don't fail the room for being impossible to secure - that has happened). If you're willing to pay for that, fine - security is always a battle between budget and level of risk you're willing to accept.

      4. JimboSmith Silver badge

        Re: Bug?

        First thing I did when given my work iPhone was disable FaceTime and cover the cameras in electrical tape. Nothing personal against Apple but I don't trust them or Facebook etc. We don't use FaceTime anyway at work.

    2. Sorry that handle is already taken. Silver badge

      Re: Bug?

      Nah, it's just being used wrong.

    3. Dan 55 Silver badge
      Black Helicopters

      Re: Bug?

      Don't know what to think, but the fact that the callee's phone can connect the microphone and camera yet the UI doesn't react is pretty sketchy.

      Bonus raspberry for Apple QA who can't even UI mash like this dude did, let alone code review.

      1. doublelayer Silver badge

        Re: Bug?

        Given that the phone is ringing, it's not that useful to a spy system, as you would only get thirty seconds of data before they answer or hang up on you. It is still a major problem, but it is a very small and mostly useless backdoor if you were in an actively malicious mood.

  2. Ian Michael Gumby Silver badge
    Black Helicopters

    Patch is already out...

    The Patch is already out, just need to manually check for updates.

    1. Anonymous Coward
      Anonymous Coward

      Re: Patch is already out...

      I haven't seen it yet for either macOS or iOS.

      I looked at the security reference for iOS 12.1.3 and macOS 10.14.3 a few days ago, and that only fixed a possible remote execution risk for FaceTime, not a your-neighbour-can-do-this intercept problem.

      That said, I do think that a lot of staff will be busy fixing this one so I expect a beta soon - I can see my iPad already pulling in a beta update (I have one non-essential iOS device on betas so I can see the updates coming before they go public).

      1. Anonymous Coward
        Anonymous Coward

        Re: Patch is already out...

        (small update, an iOS 12.2 is out on beta - no time to check if that addressed the issue)

      2. Anonymous Coward
        Anonymous Coward

        Re: Patch is already out...

        "...that only fixed a possible remote execution risk for FaceTime, not a your-neighbour-can-do-this intercept problem"

        Is not turning on your audio/video without your knowledge 'remote execution'?

    2. Sorry that handle is already taken. Silver badge

      Re: Patch is already out...

      Was it a fix, or just an emergency kill switch while the fix is being developed?

    3. DougS Silver badge

      Re: Patch is already out...

      iOS 12.1.3 came out recently, but it does NOT contain the fix for this. The short-term fix is Apple disabling the new group FaceTime calling option that made this bug possible; in a few days we'll get 12.1.4 to address it (and a rev of the 12.2 beta for developers) and then they'll be able to re-enable group FaceTime.

  3. Nolveys Silver badge
    Meh

    Hopefully this will save someone a few seconds:

    iPhone 4ish: settings -> general -> restrictions -> FaceTime

    ...and maybe it even works.

    1. DougS Silver badge

      Re: Hopefully this will save someone a few seconds:

      Not necessary, the trigger for the bug was the recent changes Apple made to allow group FaceTime calls. They've already disabled those, so exploits are no longer possible. Once the update has been out a few days and people have had time to install it, they'll re-enable group FaceTime.

  4. chivo243 Silver badge

    Facetime?

    Really, I've only gotten 3 FaceTime calls in all the years I've been using macOS. If someone wants to hear me say "Whodat" give me a FaceTime call!

    1. Anonymous Coward
      Anonymous Coward

      Re: Facetime?

      Well you 'think' you've only gotten 3 FaceTime calls... but we have the video from last Friday night, and unless you deposit a bazillion bitcoins in the Vulture's account.....

  5. The Alphabet
    Trollface

    Disable FaceTime, Wi-Fi, Bluetooth and mobile data.

    Be extra safe and leave your phone at home, face down, too. Take no chances.

    1. DougS Silver badge

      Surely it should be powered off and wrapped in tinfoil for 100% security!

      1. Winkypop Silver badge

        Two rolls or will one do it?

  6. 2+2=5 Silver badge
    Joke

    PrefaceTime

    It's just a branding opportunity - call it 'PrefaceTime'

  7. Anonymous Coward
    Anonymous Coward

    Apple has disabled Group FaceTime

    To prevent this bug from being exploited. Nice move, actually, until a patch is released.

  8. Anonymous Coward
    Anonymous Coward

    Five bucks

    Five bucks says this feature works with the app disabled.

  9. Fred Flintstone Gold badge

    I wonder if you can track the incoming calls, though

    As far as I know, an iPhone tracks every incoming call. The iMazing iOS management application for macOS does more than just versioned, automated backups (although that's what I mostly use it for), it also backs up your call records and makes them accessible.

    Call records include everything including FaceTime, so if you look at calls which aborted quickly you'll probably get an idea if you've been hit by this.

    Worth a peek IMHO.

  10. HamsterNet

    At least they patch

    At least there will be a fix, rolled out to all.

    The various Android devices I have are all on different, old versions with known vulnerabilities, without any way of updating beyond hope.

    My iThings are all up to date and some of them are quite old for a consumer product.
