You might want to turn off FaceTime right this second. There’s a nasty new bug in iOS 12 that lets FaceTime callers hear sound from the recipient’s microphone even if they haven’t picked up. It works by exploiting a bug with Apple’s newish Group FaceTime feature introduced in iOS 12.1, but fortunately Apple says a fix is already in the works.
Update 2/1: Apple has issued a statement apologizing for the bug and promising a fix next week.
In a media statement issued shortly after the story began spreading, Apple acknowledged the existence of the bug: “We’re aware of this issue and we have identified a fix that will be released in a software update later this week.” About an hour later, Apple disabled Group FaceTime altogether.
Word of the bug started spreading on social media Monday afternoon via posts like this one from Twitter user @BrnManski, but there’s evidence that users may have already informed Apple about it as far back as a week ago. As Bloomberg’s Mark Gurman pointed out on Twitter this evening, the son of a Twitter user with the handle of @MGT7500 reported a bug that sounds a lot like the current one on January 20.
I’m actually a little reluctant to show how to do it myself, but at this point it’s all over the Internet anyway, so here we go.
A bad call
At its simplest, you can listen to the audio of the person you’re calling if you call them with a FaceTime video chat and then add yourself as a party in Group FaceTime while the call is going out. Even if the person on the other end doesn’t pick up, you’ll still be able to hear their audio until you hang up. This apparently only works if both phones can handle Group FaceTime—so, an iPhone 6s or newer running iOS 12.1 or later.
We at Macworld were easily able to replicate it using an iPhone XS Max and an iPhone XR, and we found it was particularly scary in cases where the person being called wasn’t aware their phone was ringing.
It gets worse. As 9to5Mac reports, if someone takes these steps when calling you, but you hit the power button to dismiss the call, you’ll start sending a video feed even though you’re not aware of it. You’ll be able to hear their audio at this point, but you likely won’t be aware that you’re sending audio and video to them, as you haven’t accepted the call.
I discovered what I believe is a different variation on this bug when I used the first method to call a friend who was running an iPhone 6s. Even though she didn’t intend to pick up, adding myself as a person on the call essentially forced her phone to connect to the call. She could hear me and I could hear her, but through no action on her part.
What can I do?
Be aware that this means that anyone who calls you on FaceTime could be listening in, so at this point it’s a good idea to disable FaceTime altogether if you’re worried. Even though Apple has disabled Group FaceTime on its end, a proper fix isn’t due until next week. As Apple writes in a statement:
We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process. We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.
It’s simple enough to deactivate FaceTime: Go to your iPhone’s Settings app, scroll down to FaceTime, tap it, and deactivate it through the toggle that appears at the top. Alternatively, putting your phone in Do Not Disturb mode will also keep FaceTime calls from coming in.
This is a massively disturbing bug, especially from a company that takes its stance on privacy and security so seriously. It’s also one of those bugs that make you wonder how people even discover these things. This isn’t as far-fetched as some, though—when I was trying to replicate it, I realized someone may have accidentally clicked their own name while trying to bring someone else into the call.