News

A serious new FaceTime bug lets you listen to people before they pick up

It's a massive privacy risk, but fortunately Apple says a fix is in the works.

Leif Johnson Jan 29th 2019 A-A+
FaceTime-bug.jpg

You might want turn off FaceTime right this second. There’s a nasty new bug in iOS 12 that lets FaceTime callers hear sound from the recipient’s microphone even if they haven’t picked up. It works by exploiting a bug with Apple’s newish Group FaceTime feature introduced in iOS 12.1, but fortunately Apple says a fix is already in the works.

We’ve contacted Apple for a statement, but a number of other sites have already passed along this statement from Apple: “We’re aware of this issue and we have identified a fix that will be released in a software update later this week.”

Word of the bug started spreading on social media this afternoon via posts like this one from Twitter user @BrnManski, and it’s not clear if the person who first discovered the bug took the time to inform Apple before showing the world how to pull off this potentially massive invasion of privacy. I’m actually a little reluctant to show how to do it myself, but at this point it’s all over the internet anyway, so here we go.

A bad call

At its simplest, you can listen to the audio of the person you’re calling if you call them with a FaceTime video chat and then add yourself as a party in Group FaceTime while the call is going out. Even if the person on the other end doesn’t pick up, you’ll still be able to hear their audio until you hang up. This apparently only works if both phones can handle Group FaceTime—so, an iPhone 6s or newer running iOS 12.1 or later.

We at Macworld were easily able to replicate it using an iPhone XS Max and an iPhone XR, and we found it was particularly scary in cases where the person being called wasn’t aware their phone was ringing.

calling mike simonLeif Johnson/IDG

Good thing I had good intentions.

It gets worse. As 9to5Mac reports, if someone takes these steps when calling you, but you hit the power button to dismiss the call, you’ll start sending a video feed even though you’re not aware of it. You’ll be able to hear their audio at this point, but you likely won’t be aware that you’re sending audio and video to them, as you haven't accepted the call.

I discovered what I believe is a different variation on this bug when I used the first method to call a friend who was running an iPhone 6s. Even though she didn’t intend to pick up, adding myself as a person on the call essentially forced her phone to connect to the call. She could hear me and I could hear her, but through no action on her part.

What can I do?

Be aware that this means that anyone who calls you on FaceTime could be listening in, so at this point it’s a good idea to disable FaceTime altogether if you’re worried.

It’s simple enough: Go to your iPhone’s Settings app, scroll down to FaceTime, tap it, and deactivate it through the toggle that appears the top. Alternatively, putting your phone in Do Not Disturb mode will also keep FaceTime calls from coming in.

disable facetimeIDG

Until this bug is fixed, we recommend you disable FaceTime.

This is a massively disturbing bug, especially from a company that takes its stance on privacy and security so seriously. It’s also one of those bugs that make you wonder how people even discover these things. This isn’t as far-fetched as some, though—when I was trying to replicate it, I realized someone may have accidentally clicked their own name while trying to bring someone else into the call.

We’ll keep you updated as we learn more information. Let’s hope Apple releases a patch sooner this week than later, especially now that word of the bug is spreading like wildfire.