Apple has turned its Group FaceTime feature back on following the release of iOS 12.1.4 for iPhone, iPad, and iPod touch. Apple manually disabled the feature over a week ago after a privacy bug was discovered with Group FaceTime that allowed eavesdropping between FaceTime users.
Apple has also shared an on-the-record statement confirming the fixes are in place:
“Today’s software update fixes the security bug in Group FaceTime. We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS.”
The company will also compensate the family credited with discovering and disclosing the bug, including helping pay for the education of the teenager who found the flaw while playing Fortnite.
By taking the server that handles Group FaceTime calls offline on January 28th, Apple prevented anyone from taking advantage of the privacy bug after it was publicly disclosed.
The bug allowed you to hear audio captured by the device of the person you were calling after you added yourself to a Group FaceTime call before they answered. Video of the call recipient would also be sent without permission if they declined the call with the power button on the iPhone or iPad.
Today’s iOS 12.1.4 software update includes a fix for the eavesdropping bug, which has allowed Apple to take Group FaceTime back online. Apple details the security updates included in iOS 12.1.4 here. While the release notes for the software update don’t specifically mention FaceTime, the security document for the update does, including a credit for the teenager who discovered the bug:
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: The initiator of a Group FaceTime call may be able to cause the recipient to answer
Description: A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management.
CVE-2019-6223: Grant Thompson of Catalina Foothills High School, Daven Morris of Arlington, TX
Apple says a security audit of FaceTime also uncovered a security issue with Live Photos on FaceTime.
As for customers on older software versions, Group FaceTime will remain disabled despite the server that handles calls going back online. This step is a precaution that will protect customers who haven’t updated to the latest version of iOS yet while allowing customers who have updated to continue using Group FaceTime.
Apple’s latest iOS 12.2 software beta for developers and public beta testers should include the same fix, and Mac users should look for a supplemental update to macOS 10.14.3 out today as well — although your mileage may vary on the Mac; Group FaceTime is still not working for us in testing after updating, including on the latest macOS 10.14.4 beta.
Group FaceTime enables video calls between up to 32 devices, marking the first time FaceTime video calls have expanded beyond one-on-one calls. Apple initially demoed the feature as part of iOS 12 last summer, then delayed the feature until iOS 12.1 later in the year.
Group FaceTime will now require iOS 12.1.4 or later to work, disabling the feature on iOS 12.1 through iOS 12.1.3, which were all affected by the bug.
Properly processing group updates now 😝 pic.twitter.com/ecFQgNQ7ip
— Khaos Tian (@KhaosT) February 7, 2019