Apple patches FaceTime eavesdropping bug, credits 14-year-old who found it

Apple has released iOS 12.1.4 with a fix for the bug that allowed FaceTime callers to listen in on a recipient’s iPhone even if the call was never answered.

The iOS 12.1.4 patch caps off a busy week for Apple on security and privacy issues, with the company responding not just to a gaping FaceTime hole in iOS security but also to Facebook and Google being caught misusing its enterprise program to distribute to the public data-collecting apps that should have been restricted to employees of each company.

Apple last week apologized over the FaceTime bug, which affected iOS 12.1 and later, if both caller and recipient were on those versions of Apple's mobile OS. Group FaceTime arrived in iOS 12.1.

The bug was discovered by 14-year-old Grant Thompson of Arizona and reported by his mother in late January. Last week she publicly criticized Apple for the difficulties she faced reporting the bug.

Apple disabled the Group FaceTime feature about 10 days after her first attempts to contact it, but only after media outlets drew attention to the easily exploitable eavesdropping bug on January 28.

Apple’s handling of her report has attracted questions from US lawmakers about how it responds to bug reports, whether anyone besides Thompson had reported the bug, and when it was first aware of the issue.

According to Apple’s advisory, a Daven Morris of Arlington, Texas also reported the same bug, though it’s not known when Morris reported the bug. 

Apple describes the impact as: “The initiator of a Group FaceTime call may be able to cause the recipient to answer.” 

“A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management,” said Apple. 

Despite the fix, it’s not clear yet when or whether Apple will re-enable the Group FaceTime feature it disabled on the server side. 

iOS 12.1.4 also brings fixes for two memory corruption issues discovered by Google Project Zero. 

Apple says it found a Live Photos flaw that was uncovered after a “thorough security audit” of the FaceTime service, which quite possibly happened in the days after the FaceTime bug was exposed. 


Stories by Liam Tung
