Apple Disables Group FaceTime After Security Flaw Let Callers Secretly Eavesdrop

The bug, discovered Monday, may have been exploitable for months. Apple promises a fix later this week.

An Apple executive talks about group FaceTime during an announcement of new products at the Apple Worldwide Developers Conference in June. Apple says it has disabled group FaceTime after a bug was revealed letting callers eavesdrop on recipients before they accepted a call. Marcio Jose Sanchez/AP

A glitch in Apple's FaceTime app let users hear the other person — and in some cases, see video — even if the recipient never accepted the call. The bug was widely reported late Monday, and confirmed by several technology reporters. Until it can offer a permanent fix, Apple says it has simply disabled group FaceTime calls altogether.

It's an unusual misstep for a company that prides itself on its strong privacy safeguards. And it comes in an environment of heightened scrutiny over privacy protections, as a new Congress considers whether to impose stronger regulations on technology companies like Facebook that are often accused of violating users' privacy.

The FaceTime glitch was first noticed by trade publication 9to5Mac, which wrote that the bug, which was "spreading virally over social media," lets you "immediately hear the audio coming from their phone." The publication listed a detailed succession of steps needed to reproduce the glitch, which involved starting a FaceTime video call with an iPhone contact and then immediately adding your own phone number to the call. This would trick the phone into starting a group FaceTime call and activate the other person's audio. If the recipient hit the power or volume button, the phone would broadcast video as well, the Verge reported.

"The damage potential here is real," 9to5Mac wrote. "You can listen in to soundbites of any iPhone user's ongoing conversation without them ever knowing that you could hear them. Until Apple fixes the bug, it's not clear how to defend yourself against this attack either aside from disabling FaceTime altogether."

The bug only worked on devices that had upgraded to iOS 12.1, which introduced group video calling. In a statement provided to USA Today and other media outlets, Apple says that it is "aware of this issue and we have identified a fix that will be released in a software update later this week." Last night, the company said it temporarily disabled all group FaceTime functionality.

New York Governor Andrew Cuomo urged New Yorkers to turn off FaceTime until the problem was fixed. "The FaceTime bug is an egregious breach of privacy," Cuomo said in a statement, the New York Post reported. "I am deeply concerned by this irresponsible bug that can be exploited for unscrupulous purposes."

It's not clear how long the vulnerability was present. Group FaceTime was introduced on Oct. 30, and according to the Verge, the flaw "could have been exploited for as long as three months."

The glitch could panic investors who have already been on alert since Apple said it was lowering revenue expectations this quarter, citing lower demand for iPhones and unexpected difficulties in the Chinese market. Apple's 2018 fourth quarter earnings call is scheduled for later today.