Apple FaceTime Spying Bug: What You Need to Know
A flaw in FaceTime lets you hear the audio, and sometimes see the video, of Mac and iPhone users even if they don't answer the call.
UPDATED 9:30 a.m. EST Feb. 1 with purported statement from Apple. This story was originally published Jan. 28.
Apple moved quickly last night to disable an embarrassing privacy flaw that let iPhone users spy on other iPhone and Mac users via Group FaceTime. The company promised a permanent fix later this week.
Until then, you may want to disable FaceTime just as a precaution. In iOS, the off switch is in Settings > FaceTime. In macOS, you have to open FaceTime, then select "Turn FaceTime Off" from the menu bar.
Somebody -- a teenager, according to one report -- discovered that if you made a FaceTime call from an iPhone running iOS 12.1 or later, then swiped up on the screen to add your own number (or anyone's number, in fact) to the call before the other party picked up, you could hear all the audio from the other phone's microphone even if the other person never answered.
MORE: How to Turn Off FaceTime on Your iPhone and Mac
The trick spread across social media Monday (Jan. 28), according to 9to5Mac, which first reported on the bug. The Verge was able to replicate the bug, and discovered that it transmitted video too if the recipient of the call pressed the power or the volume-down button -- as one might do to dismiss the call or, um, turn on the camera.
"We have identified a fix that will be released in a software update later this week," Apple told the Verge and Buzzfeed News in virtually identical statements.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
We were able to confirm that the trick worked Monday evening by placing a FaceTime call from an iPhone SE to an iPhone 7. The audio came through from the 7 without it answering the call. When the power button was pressed, the video came through as well.
But about an hour later, Apple switched off the servers that make Group FaceTime possible. Apple's System Status page noted that as of 10:16 p.m. EST Monday, Group FaceTime was "temporarily unavailable."
We confirmed Tuesday morning that the trick no longer worked. Attempting to add yourself to a FaceTime call while the other party's phone rang resulted in an error message stating that the call had "failed."
On Monday, Twitter user Benji Mobb posted video of the trick in action. Both iPhones needed to be running iOS 12.1 or later, or macOS 10.14 Mojave. (Group FaceTime was added in iOS 12.1 and apparently is where the problem lies.)
Twitter user @tythegoddess tweeted about the bug at around noon Monday Eastern time.
"There's apparently a bug that allows people to still be able to talk to you even if you don't answer the call," she wrote. "Don't believe me? FaceTime someone and then add yourself to the call."
The kid who found the flaw
That may have been what got the ball rolling on social media, but a little-noticed tweet from more than a week earlier indicated that someone had already tried to notify Apple.
"My teen found a major security flaw in Apple's new iOS," wrote user @MGT7500 on Jan. 20. "He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport ... waiting to hear back to provide details. Scary stuff!"
NBC News on Tuesday afternoon (Jan. 29) published an interview with the teenager, a 14-year-old named Grant Thompson from Tucson, Arizona, and his mother, Michele Thompson, an attorney specializing in medical-malpractice law.
Grant told NBC News that he'd found the flaw Jan. 19 when trying to FaceTime a friend, who didn't pick up before Grant added another friend to the call. He and the second friend discovered that they could hear what was happening on the first friend's end before the first friend answered.
"We tested it for about half an hour to see if it worked every time," Grant Thompson told NBC.
Michele Thompson told the network that she tried to contact Apple several different ways, and showed NBC reporters emails in which she was told by an Apple representative to sign Grant up to the company's bug-bounty program. She did that, hoping her son might get some money for his discovery, but seems to have not received a response.
Then Michele Thompson sent a letter to Apple's general counsel on her own law firm's company letterhead. Again, there was no response. She planned to wait a week before going to the press, but then someone else found the flaw and the secret was out.
"It was very frustrating getting them to respond," she told NBC News. "I'm sure they get all sorts of kooks that try to report things to them."
UPDATE Feb. 1: Apple said it had fixed the FaceTime flaw, according to a tweet from a Buzzfeed News reporter, but users may not be able to use Group FaceTime for a few more days.
"We have fixed the Group FaceTime security bug on Apple's servers and we will issue a software update to re-enable the feature for users next week," the statement read. "We thank the Thompson family for reporting the bug."
"We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix," it added. "We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible."
Special thanks to Brandon Arvanaghi for permission to use his video demonstration of the FaceTime flaw.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.