FaceTime Vulnerability Allows Unauthorized Access to iPhone Mic

This is a wild bug.

Full story

The bug in FaceTime allows users to dial one of their contacts and listen in on the recipient's microphone before the person actually answers the call. This can be accomplished by using the "add a person" feature after dialing the contact and then adding your own number as the other person.

Not even difficult to pull off.


I found some interesting discussion about this on (I think) HN. Apparently this is indicative that the connection and sharing of video/audio feed happens before the recipient accepts. I get the point of this - it takes some time to establish that connection, and they don't want users to have to wait those 1-2 seconds after clicking "accept". However, it really should just be worth that small connection time to completely shut off the chance of any more exploits of this caliber.

 

A source on Twitter has stated that Apple has turned off the FaceTime servers for all users and is working on a patch that will be released later in the week. The Verge has also come out with a post stating that it can be done with video calls.

I do have to wonder: Apple has been notoriously known for their exceptional security, but with this issue coming to the surface, could there be more exploits that are going to be found soon? Security researchers spend months, if not years, working on just one exploit (exclusively with Apple it can take a long time), but could this cause a purge of professionals trying to find more issues like this? Or even worse ones?

 

Security researchers should always be looking for the easiest entry point for an exploit, beginning with bugs in the UI like this FaceTime one. You have to wonder how long this exploit existed before someone found it, though. Perhaps people have become too trusting that Apple's core infrastructure is secure.

 

Trying to explain this to my non-tech friends and family has been a nightmare.
