An apparent bug in FaceTime’s new group chat function allowed callers to remotely activate the microphone on another person’s iPhone, iPad or Mac without that person’s knowledge and hear whatever sounds the microphone picked up.
More than a week ago, a Twitter user — described by consumer technology website CNET as a Tuscon lawyer named Michele Thompson — said that her teenage son had found the problem and that she’d submitted a bug report to Apple. The user’s tweets flagged Apple customer service, Fox News and, a day later, Apple Chief Executive Tim Cook, and they expressed frustration about not hearing back from the company.
Then others on social media began posting videos demonstrating how to use the FaceTime app to eavesdrop, and this Monday, technology news website 9to5Mac published an article about the problem.
Following the report, Apple disabled FaceTime’s group chat function Monday evening and said it was working on a patch. “We’re aware of this issue and we have identified a fix that will be released in a software update later this week,” it said in a statement.
Apple did not immediately respond to a Times email asking when the company became aware of the bug.
The problem is a black eye for Apple, which has promoted itself as being more conscientious about user privacy than rival tech giants. On Monday, before news of the bug exploded, Cook noted in a tweet that it was Data Privacy Day and that everyone should “insist on action and reform for vital privacy protections. The dangers are real and the consequences are too important.”
Apple’s system status page on Tuesday indicated that that “Group FaceTime is temporarily unavailable.” That “ongoing issue” with the service began Monday night, according to the status page.
Before Apple yanked the buggy feature, the eavesdropping process involved placing a FaceTime video call and then adding your own phone number as an additional participant while the call was dialing. A group FaceTime call would start at that point, and the microphone on the device of the call’s original recipient would be activated even if that person hadn’t accepted the call.
Additionally, if the recipient of the call pressed the power button, they would unknowingly send a live video feed to the caller. The Times independently replicated the feature Monday evening before it was pulled.
New York Gov. Andrew Cuomo said the bug was “an egregious breach of privacy” and, in a statement, called on Apple to fix the problem “without delay.” He also urged New Yorkers “to disable their FaceTime app until a fix is made available.”
Apple says protecting user data is baked into its business model: Unlike Facebook Inc., Alphabet Inc.’s Google and other tech giants, Apple gets most of its revenue from selling hardware to consumers, not from selling targeted advertising space to third parties. Therefore, Apple contends, people don’t have to worry that it will peddle their personal data to boost ad revenue.
Apple does admit to collecting information about users’ behavior to improve some of its features. But the company says it aggregates and “scrambles” millions of users’ data together to look for general patterns, not specific individuals’ traits.
“These patterns help us identify things like the most popular emoji, the best QuickType [predictive text] suggestions, and energy consumption rates in Safari,” Apple says on its website.
U.S. lawmakers increasingly have been turning their attention on the practices of high-tech companies. Last summer, top Republicans on the House Energy and Commerce Committee sent letters to Apple and Google seeking details about how much the tech giants track smartphone users’ locations and collect snippets of audio from requests to voice assistants such as Apple’s Siri.
©2019 Los Angeles Times. Distributed by Tribune Content Agency, LLC.
