A significant privacy bug was discovered yesterday in Apple’s FaceTime communications app, and all users should disable the app on their iOS devices immediately.
I will share some details about the bug itself in just a bit, but first head into Settings on your iOS device, scroll down to FaceTime in the left-hand sidebar, and then tap the toggle button on the top right-hand side of the settings screen to disable FaceTime.
You can see the screenshots below for what that process looks like.
Note: As of last night, Apple has also disabled the FaceTime service on the server side to prevent the exploitation of this bug, but I highly recommend you still disable FaceTime on your device until a fix is pushed out from Apple.
According to reports over the last 12 hours or so, there are two aspects of this bug that can be used to listen in on your local environment and see your video even if you do not accept a FaceTime call.
According to 9to5Mac, this is how the bug can be exploited:
- Start a FaceTime Video call with an iPhone contact.
- Whilst the call is dialing, swipe up from the bottom of the screen and tap Add Person.
- Add your own phone number in the Add Person screen.
- You will then start a group FaceTime call including yourself and the audio of the person you originally called, even if they haven’t accepted the call yet.
9to5Mac also noted that if the person you are calling dismisses the call using the power button from their lock screen, video will also be sent back to the caller, and the person who dismissed the call would not be aware of it.
So while a fix is being worked on by Apple, your best protection against this privacy bug is to simply disable FaceTime on your iOS device as noted above.
You can keep an eye on the Apple System Status page to know when they turn the FaceTime service back on from the server side. Since FaceTime is part of iOS, that means an iOS patch will have to be shipped to remediate the bug. Make sure you have that patch installed before turning FaceTime back on for your device. This applies even if Apple has already turned the service back on from the server side. You still need to be patched in order to be protected from the bug.
Apple FaceTime Settings Screenshots