Posted on 02/07/2019 3:28:12 PM PST by Swordmaker
Apple today released a new iOS 12.1.4 update for the iPhone, iPad, and iPod touch, with the new software designed to fix an insidious privacy-invading Group FaceTime bug that could be exploited to eavesdrop on conversations.
The new iOS 12.1.4 software can be downloaded on all eligible devices over-the-air using the Settings app. To download it, go to Settings --> General --> Software update.
Though Apple's release notes for the update list "security updates" without going into specifics, the issue that's being fixed here is the Group FaceTime vulnerability. After the bug was widely publicized last week, Apple promised a fix, which was delayed to this week.
The FaceTime bug allowed someone to spy on you without your permission or knowledge. By exploiting the bug, a person could initiate a FaceTime call with you and then add themselves to the call again to force a Group FaceTime connection.
When this happened, the bug caused the person to be able to hear the audio on your end, despite the fact that the call was never answered and still looked like a standard FaceTime incoming call interface. In some situations, if you pressed the side button to silence a call, it would even give the person access to your video.
It was a serious bug, so serious that Apple took its entire Group FaceTime server offline as the company took the time to prepare the iOS 12.1.4 update. The Group FaceTime bug was publicized last Monday and Group FaceTime has been offline since then.
The Group FaceTime bug may have required some major under-the-hood changes to FaceTime given that it took Apple nearly two weeks to fix the issue. Following today's update, the Group FaceTime bug will no longer be able to be exploited and Apple will be able to bring its Group FaceTime server back online.
It continues to be unclear just how long the Group FaceTime bug was available for. Group FaceTime was introduced last October, and Apple has not let us know if the bug has been around since that launch date or if it was introduced in a later iOS 12 update.
If you want on or off the Mac Ping List, Freepmail me.
ROTFLMAO! Only for elected Democrat political leaders. Republicans who did such a thing would be drawn and quartered before being given a chance to honorably commit suicide.
I hear it has a back door entrance for the FBI, it’s called the Roger Stone Easter Egg.
Apple to compensate teenager who found Group FaceTime eavesdrop bug
TechCrunch, February 7, 2019, Zack Whittaker
Apple has said it will compensate the teenager who first found a security bug in Group FaceTime that allowed users to eavesdrop before a call was picked up.
The bug was initially reported to Apple by 14-year-old Grant Thompson and his mother, but the family struggled getting in contact with the company before the bug was discovered elsewhere and went viral on social media.
The payout will fall under Apple's bug bounty, which incentivizes security researchers to claim a reward for privately submitting security bugs and vulnerabilities to the company. Apple will also offer an unspecified additional gift to Thompson's education.
"In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security," an Apple spokesperson told TechCrunch. "This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime."
"To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS," said Apple.
Apple rolled out iOS 12.4.1 on Thursday, which Apple says provides important security updates and is recommended for all users. The company's separate security advisory also credited Thompson with finding the bug.
Glad to see this finally fixed after being available in the wild for several months.
The vulnerability may have existed in the wild, but was not much of a threat as the device kept ringing for attention at the end you could supposedly eavesdrop on. If someone were there, they'd notice. . . and either answer or decline the conference call, ending the potential eavesdropping.
You can downplay it all you want. But it didn’t ring the whole time and you know it. Plus, if the call was dismissed, video was still going.
It was one of the worst bugs ever. Probably worse than sql slammer.
No, the video was not "still going". The video never started unless the call was answered. There was one report that claimed that video was activated when someone dismissed the call, but that was NOT confirmed or duplicated by anyone. . . only audio before answer or dismissal, and the attention ring did continue until either answered or dismissed. To get to even that, the caller had to ALSO attempt to initiate a call to their own number or ID they started the original call from AND another completed and connected FaceTime call had to be already connected with someone else, before trying the one an attempted eavesdropping will be tried. The odds are very minuscule that you'd ever get anyone who would not answer who was there that you could surreptitiously listen in on.
You don't use Apple products, so you just make claims you know nothing about.
The vulnerability was quite limited as the time of eavesdropping was quite short. . . and made people aware they were being paged to a FaceTime call.
It was not "one of the worst bugs ever," except for you Apple Hate Brigade members. The FaceTime group servers were shut as soon as Apple was made aware of this vulnerability. You can try as hard as you want to make that claim, but it simply wasn't the case. SQL Slammer was a worm that infected hundreds of thousands, perhaps millions, of Windows computers, especially servers, in the space of minutes from its release into the wild. As near as can be determined, no malicious use of the FaceTime vulnerability has been reported in the short time it was known. Any audio information that could have been gleaned in such a manner by the FaceTime vulnerability would be purely coincidental and incidentally overheard compared to the heavy data streams and financial data that were stolen as a result of the SQL Slammer worm.
Thanks, Sword, I updated my iPhone 5S but it’s affected speed or something. Oh well. BTW, Apple replaced my keyboard gratis on my MacBook 2017 due to a sticky key problem. Working fine now, although it drags a bit on start-up (since updating Sierra, like the iPhone).