A serious iOS vulnerability has been found that lets callers access the microphone and front camera of the user they are calling, without that user answering the call. It is not clear who discovered the bug first, but numerous people confirmed it on social networks by posting video demonstrations of it.
To abuse the vulnerability, the caller would FaceTime a victim who has an iOS device and, before the victim answers, add themselves as an additional contact to Group FaceTime. Doing this causes the victim's microphone to turn on and allows the caller to listen to them without their permission. If the victim presses the power button to mute the call, the front camera turns on as well.
The issue is confirmed to happen on iOS 12.1.12. Google Watch produced slightly different results: it seems impossible to get the caller's audio, but the camera part of the glitch works just fine.
The bug was first reported by 9to5Mac and then by BuzzFeed.
Apple responded to the reports, stating that it is aware of the issue and will fix it in an update to be released later this week.
Natalie Silvanovich, a Google Project Zero security researcher who has discovered numerous FaceTime problems in the past, shared a theory explaining the bug: “FaceTime stores call participants in a list that doesn’t allow duplicates, and uses the indexes for signaling. When the caller is added a second time, the entry at index 1 is set to answered, with the expectation that it is the caller”.
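The theory quoted above can be illustrated with a toy model, added here as an example and not taken from FaceTime or from the researcher. All class and method names are hypothetical, and the way the "new" index is derived is an assumption; the second class shows the same logic with state keyed by participant identity instead of list position.

```python
from enum import Enum

class State(Enum):
    RINGING = "ringing"
    ANSWERED = "answered"

class IndexedCall:
    """Toy model of the theory: duplicate-free list, state addressed by index."""
    def __init__(self, caller, callee):
        self.participants = [caller, callee]           # index 0, index 1
        self.states = [State.ANSWERED, State.RINGING]  # parallel to participants

    def _add_unique(self, who):
        # The list silently refuses duplicates, as the theory describes.
        if who not in self.participants:
            self.participants.append(who)
            self.states.append(State.RINGING)

    def add_participant(self, who, added_by):
        self._add_unique(who)
        if who == added_by:
            # Assumed flaw: the adder is already on the call, so the "new" last
            # entry is marked answered without checking who actually occupies it.
            self.states[len(self.participants) - 1] = State.ANSWERED

    def state_of(self, who):
        return self.states[self.participants.index(who)]

class KeyedCall:
    """Hardened variant: state keyed by identity, duplicates rejected loudly."""
    def __init__(self, caller, callee):
        self.states = {caller: State.ANSWERED, callee: State.RINGING}

    def add_participant(self, who, added_by):
        if who in self.states:
            raise ValueError(f"{who} is already a participant")
        self.states[who] = State.RINGING  # only the participant's own device may answer

    def state_of(self, who):
        return self.states[who]

def demo():
    # Constructed scenario: the caller adds themselves before the callee answers.
    weak = IndexedCall("caller", "callee")
    weak.add_participant("caller", added_by="caller")
    strong = KeyedCall("caller", "callee")
    try:
        strong.add_participant("caller", added_by="caller")
    except ValueError:
        pass  # duplicate add is refused; no state changes
    return weak.state_of("callee"), strong.state_of("callee")
```

In the index-based model the callee ends up marked as answered although they never picked up, while the identity-keyed model leaves the callee ringing.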
It is strongly suggested that you disable FaceTime until Apple releases the fix, so that you are protected from unknowingly sharing information when you receive a FaceTime call. To disable it, go to Settings -> FaceTime and toggle the FaceTime switch off.