A glitch in Apple’s FaceTime app allows callers to hear and see you even if you haven’t answered the phone.
9to5Mac confirmed the reports, which had been circulating on social media. This is how it is exploited:
- Start a FaceTime video call with an iPhone contact.
- While the call is dialling, swipe up from the bottom of the screen and tap Add Person.
- Add your own phone number in the Add Person screen.
- You will then start a group FaceTime call including yourself and the audio of the person you originally called, even if they haven’t accepted the call yet.
- If the person you are calling presses the volume down or power button to silence or dismiss the call, their iPhone’s camera will also turn on.
Apple said yesterday that it had disabled the feature and had “identified a fix that will be released in a software update later this week”.
Should you be worried?
Those who have used the Group FaceTime feature have every right to feel unnerved by this privacy breach, but it’s unlikely that the flaw will have been used for criminal purposes.
A potential perpetrator would need to already know the target’s telephone number, and would have to stay on the line until the victim said or did something that could be used for cyber crime.
That’s certainly possible, particularly if you have an unscrupulous opportunist in your contact list, but Apple identified a solution to the bug after only a few days, meaning a crook would have very little time to work with.
The bug could also have been exploited via an auto-dialler, which would let crooks target random people, but even then attacks could only be carried out one-on-one (one telephone listening in on one victim), making it far less efficient than other methods of cyber crime.
How you should respond
We suggest that you avoid using FaceTime until Apple releases a permanent fix. You can do that on your iPhone by going to your settings, selecting FaceTime and switching the toggle to grey.
On MacOS, you should open the FaceTime app, click ‘FaceTime’ in the menu and select ‘Turn off FaceTime’.
For organisations that use FaceTime, IT Governance’s founder and executive chairman, Alan Calder, advises managers “to make sure that software updates are installed – but this is no different than any other vulnerability discovered in any other software. Modern software is very complex; there are bugs, they do get found, they do get dealt with.”
“From a GDPR (General Data Protection Regulation) point of view, organisational risk assessments should clearly be extended to mobile devices and selection of controls should take account of these risks.
“The discovery of the vulnerability says to me that the relationship between a data manager and a cyber security manager needs to be a close one.”
Make sure your processes are GDPR-compliant
Are you unsure whether your processes meet the GDPR’s requirements? You can find out with our GDPR Audit Service.
Our privacy specialists will audit the adequacy and effectiveness of your privacy management and information security practices, identify areas of non-compliance and provide recommendations for improvement with a detailed report and executive summary.
Where supporting documentation is not in place, information and guidance will be provided where possible.