Apple has disabled a group-chat function in FaceTime after users said a software bug could let callers activate another person’s microphone remotely.
With the bug, a FaceTime user calling another iPhone, iPad or Mac computer could hear audio — even if the receiver did not accept the call. The bug is triggered when callers add themselves to the same call to launch a group chat.
That makes FaceTime think the receiver had accepted the chat.
The bug, demonstrated through videos online , comes as an embarrassment for a company that is trying to distinguish itself by stressing its commitment to users’ privacy.
“This is a big hit to their brand,” said Dave Kennedy, CEO of Ohio-based security firm TrustedSec.
“There’s been a long period of time people could have used that to eavesdrop. These things definitely should be caught prior to ever being released.”
There is no longer a danger from this particular bug as Apple disabled group chats, while regular, one-on-one FaceTime remains available.
NBC News and The Wall Street Journal reported Tuesday that the family of a 14-year-old high school student in Tucson, Arizona, tried to inform Apple about the bug more than a week before it became widely known to the public.
The boy, Grant Thompson, said he discovered it by accident while calling friends to play the game “Fortnite.”
It’s hard to know if anyone exploited the bug maliciously, said Erka Koivunen, chief information security officer for Finnish company F-Secure.
He said it would have been hard to use the bug to spy on someone, as the phone would ring first — and it’s easy to identify who called.
Apple said Tuesday that a fix will come in a software update later this week.
Apple declined to say when it learned about the problem.
The company also wouldn’t say if it has logs that could show if anyone took advantage of the bug before it became publicly known this week.
Kennedy commended Apple’s quick response this week following reports of the bug by tech blogs. He predicted the reputational dent could soon be forgotten if it doesn’t become part of a pattern.
“All bugs are obvious in retrospect,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation.
“The truth is bugs are subtle, code is complicated and sometimes things get through.”
Galperin said Apple should develop a better process for fielding reports about potential security flaws.
She said the 14-year-old’s discovery of the problem “just tells us a lot about reporting security bugs depends on knowing the right person.”
Apple had introduced the 32-person video conferencing feature in October for iPhones, iPads and Macs. Regular FaceTime calls aren’t affected unless the caller turns it into a group chat.
Word of the bug came as Apple reported that profit for the last three months of 2018 dipped slightly to $20 billion while revenue fell 5 percent from the prior year to $84 billion.
Earlier this month, Apple said that demand for iPhones was waning and that its earnings for the final quarter of 2018 would be below its own forecasts — a rare downgrade from the company.
iPhone FaceTime bug lets callers eavesdrop
A newly discovered FaceTime bug lets people hear and even see those they are reaching out to on iPhones even if the other person hasn't answered their phone.
When a phone number is dialed on FaceTime - the iPhone's internet-based voice and video calling feature - the caller can swipe up from the bottom of the screen and tap an option to add a person, according to video demonstrations.
If the caller then enters their own number as that of the added caller, a group call begins even though the person being called hasn't even answered.
The caller can then eavesdrop on the person being called, and in some demonstrations even watch them through the camera app. Declining a call breaks the connection.
The bug, initially outlined by Apple product and review website 9to5Mac.com, was reported by several media outlets.
A video posted at Twitter account @BmManski showing how simple it is to take advantage of the flaw and listen in on an iPhone being called using FaceTime, logged nearly two million views and was shared 14,000 times by late evening in California.
Some Twitter users offered advice to disable the FaceTime application until a fix was in place.
An Apple support page listed Group FaceTime calling as "temporarily unavailable" as of 7:16 PM here (03:16 GMT) due to an ongoing "issue" that was not specified.
An Apple statement quoted in US media said the iPhone maker was aware of this issue and has "identified a fix that will be released in a software update later this week."
"Disable FaceTime for now until Apple fixes," Twitter co-founder and chief executive Jack Dorsey advised in a tweet.
Dorsey's message included a forwarded post by technologist Andy Baio.
"Want to see a really bad bug?" Baio asked in his post.
"You can FaceTime any iOS device running 12.1 and listen in remotely-WITHOUT THE OTHER PERSON ANSWERING THE CALL."
Apple did not immediately respond to requests for comment.
FaceTime software enables voice or video calls using iPhones, iPads, iPod Touch, and Macintosh computers.