Apple disables Group FaceTime after eavesdropping bug discovered

A bug in Apple's Group FaceTime made eavesdropping easy. A patch is expected this week.


Apple disabled Group FaceTime after a major security bug was discovered yesterday — Data Privacy Day. The bug allowed serious spying: a user placing a Group FaceTime call could eavesdrop on the iPhone of the person being called before that person answered. All the caller needed to do was add his or her own phone number to the call before the called person picked up. The caller could then listen in through the recipient's microphone.

The Verge warned, “If the recipient hits the power or volume button to ignore the call, it not only broadcasts audio to your phone but video as well.”

The bug affects iPhones that support Group FaceTime (iOS 12.1 or later).


Until this bug is fixed, we recommend you disable FaceTime.

As word about the bug traveled on the ether, and people were disabling FaceTime, Apple disabled the Group FaceTime feature on the server side. Apple will reportedly release a fix later this week.

Ironically, Apple CEO Tim Cook had tweeted yesterday:

Below are words of wisdom from Amit Sethi, senior principal consultant at Synopsys:

This bug illustrates the privacy issues caused by surrounding ourselves with devices containing cameras and microphones. Phones, tablets, laptops, smart TVs, smart speakers, etc. contain microphones that can be listening to you at any point. If the software on the devices is not malicious and doesn’t contain bugs like this, the microphones should only be on at times you expect. While security controls like permissions and app store reviews are in place, these are not perfect.

The problem is that users don’t know when these devices are listening as most modern devices don’t have an indicator like an LED that turns on whenever the camera and/or microphone is on. Even if such an indicator were present, you wouldn’t know who the video/audio was being transmitted to. This is simply the price we pay for the convenience and features that these internet-connected devices provide. If you need to be 100% certain that you aren’t being recorded, don’t have any internet-connected devices with microphones or cameras around.

Other cybersecurity news

Microsoft Exchange 2013 and newer are vulnerable to PrivExchange zero-day

A zero-day vulnerability disclosed by security researcher Dirk-jan Mollema combines three components to allow a remote attacker to gain Domain Controller admin privileges.

US-CERT posted an alert about the zero-day, dubbed PrivExchange, and Carnegie Mellon University CERT Coordination Center listed possible impacts, as well as mitigations, since “CERT/CC is currently unaware of a practical solution to this problem.” As for the impact, the vulnerability note read:

An attacker that has credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported that an attacker without knowledge of an Exchange user's password may be able to perform the same attack by using an SMB to HTTP relay attack as long as they are in the same network segment as the Exchange server.

International law enforcement targets DDoS-for-hire users

Users of DDoS-for-hire webstresser.org … U.K. cops and Europol are coming for you. According to Europol, U.K. police are “conducting a number of live operations against other DDoS criminals; over 250 users of webstresser.org and other DDoS services will soon face action for the damage they have caused.”

That announcement followed the National Crime Agency’s (NCA) alert, which informed the public that law enforcement from 14 countries are on the hunt for former Webstresser users. In addition to the users, which cops already targeted with either search and seizure warrants or “cease and desist” notices, the NCA said, “A further 400 users of the service are now being targeted by the NCA and partners.”

The notice came with the following warning:

The action taken shows that although users think that they can hide behind usernames and cryptocurrency, these do not provide anonymity. We have already identified further suspects linked to the site, and we will continue to take action. Our message is clear. This activity should serve as a warning to those considering launching DDoS attacks. The NCA and our law enforcement partners will identify you, find you and hold you liable for the damage you cause.
