The vulnerability allows an attacker to obtain victim audio before the victim answers a FaceTime call, causing user privacy to be compromised.
It’s also very easy to exploit this vulnerability:
- Start a FaceTime Video call with an iPhone contact.
- Whilst the call is dialling, swipe up from the bottom of the screen and tap Add Person.
- Add your own phone number in the Add Person screen.
- You will then start a group FaceTime call including yourself and the audio of the person you originally called, even if they haven’t accepted the call yet.
This vulnerability affects 12.1 and higher IOS devices. We have confirmed the affected models:
- iPhone X
- iPhone XR
- iPhone XS
- iPhone XS max
Because the vulnerability is based on Group FaceTime, Macbook, Macbook Pro, and Macbook Air are affected.
Apple has suspended the FaceTime service, but some devices can still reproduce the vulnerability due to regional and system versions. We recommend that users temporarily disable FaceTime. In view of the seriousness of this problem, Apple immediately issued a statement saying that a new version will be released this week for repair, so users are also requested to wait.