FaceTime had a major security bug with receiving calls. So, how private is our audio?

By Francisco Martinez


Johnny Hartman saw the rumors swirling around the internet.


The claim: People can use Apple's Group FaceTime function to overhear another person without them needing to answer or decline the call. And for Hartman, these rumors had begun appearing on his social media feeds.


The best way to prove or debunk an internet rumor, he figured, is to do it yourself.


Hartman, an architecture junior at Cal Poly, put what he saw online to the test with his friend on the other line.


"I then tried it by FaceTiming my friend and could hear her, even though she didn't answer," Hartman said. In order to experience this bug, users making a FaceTime call to another person added their own phone number to create a group FaceTime. From there, users were able to hear the other person on the line without them needing to accept or decline the call.


"I was fairly shocked, but not completely surprised," Hartman said about his ability to reproduce the rumored effect. "People find bugs in tech all the time."


Apple disabled its Group FaceTime function after many users, including Hartman, reported the vulnerability working, thus allowing the users to hear the other end of the call. The bug was initially discovered by 14-year-old Grant Thompson.


Thompson and his mother, Michele, revealed to CNBC that he discovered the bug accidentally as he tried to set up a group FaceTime session with friends before playing the popular "Fortnite" video game.


His discovery brought up many questions as to whether Apple is taking sufficient steps to ensure privacy at a consumer level.


A statement released by the company to 9to5Mac, which broke the original report about the bug, says that the corporation is "committed to continuing to earn the trust Apple customers place in us" after the company took down the Group FaceTime feature as a result.


Apple released iOS 12.1.4 and macOS Mojave 10.14.3 that patched the bug on Feb. 7.


While Hartman was shocked by the results that came from his experiment, the results will not deter him from using the feature in the future.


"I still use [FaceTime] regularly," Hartman said.


In addition to the Group FaceTime bug that was proven real, other bug rumors circulated around the internet as a result. From confirmed rumors such as security vulnerabilities with Live Photos integration on FaceTime to AirPods assisting in eavesdropping, the rumors circulating online about other possible bugs were endless.


"I also heard that if you do something with the volume buttons, it accesses the person's front camera," Hartman said. "But I could not get that to actually work."


Whether previously confirmed to be a vulnerability, or just another rumor circulating the grapevines, these issues brought up questions regarding Apple's security measures, and how this vulnerability was overlooked before being released to the market.


"In the 21st century, you have no right to privacy," said Martin Minnich, program manager at the California Cybersecurity Institute. The possibility of these bugs occurring is now a part of the risk consumers make when using them, he said. "The technology has superseded the right to privacy."


Apple's focus on trying to make FaceTime as user friendly as possible has led to a vulnerability on the user experience side, Minnich explained, adding that it's possible that the "always on" setting many apps have has made it easier to access information.


"For FaceTime, where most people are logged onto all the time, the permission feature needed to be added for one additional step to be online," Minnich said. "That's what I'm seeing."


In addition to the recent events, Minnich pointed out the lack of security awareness that exists on the consumer side. He noted the complex language that exists in terms of services — as seen with those of Apple and Facebook — makes it so that users do not know what data they are giving away.


"I would say, be aware of your settings and your tools and your services," Minnich said.

Related Content