The flaw was exploited by starting a FaceTime call, then swiping up from the bottom of the screen before the person on the other end picked up and adding yourself to the call. That fooled FaceTime into thinking that the call was active, forcing the camera and microphone of the person you were calling to send data. Apple has promised that a fix for the bug will be issued in a patch this week. The flaw reportedly impacts any iPhone running iOS 12.1 or later.
I just replicated the issue - on top of that, if you “join” the call using your invitation on another device (in this case another iPhone) you also get video!! Even though the call is still ringing / not answered on the destination device.— Jessassin (@Jessassin) January 29, 2019
When the flaw was first made public, the only way to protect yourself from the bug was to disable FaceTime altogether. Apple has now stepped in and done its part to mitigate the bug by disabling Group FaceTime for all users until the patch is issued. Before Group FaceTime was disabled, the user on the other end had no idea that audio, and potentially video, was being sent to the caller; all the victim saw was the accept or decline button on the screen.
For the victim's device to send video, the user had to press the Power button from the lock screen; if that button was pressed, the user had no idea video was being sent to the person on the other end of the FaceTime call. Reports indicate that the same exploit could be used against a Mac if the iPhone calls the Mac, and since the Mac rings longer by default, the eavesdropping goes on longer.
In a somewhat ironic twist, just before the Group FaceTime bug was made public, Apple CEO Tim Cook posted the following to Twitter:
Needless to say, the comments in that thread are quite humorous, as you could imagine given the circumstances.
....... and FaceTime happens today! 😂 pic.twitter.com/7mFmPN8KlL— Appu (@ApoorvKhairnar) January 29, 2019
(Top Image Courtesy Chris Velazco)