There’s a nasty FaceTime vulnerability that allows anyone to turn an iPhone into a surveillance tool. Exploiting the vulnerability couldn’t be easier (it’s so easy a child can do it). Just FaceTime the victim, then while the phone is ringing swipe up and add your number as another party on the call. This activates the microphone on the remote phone (as seen below).
Update: Per Ina Fried from Axios, it appears that Apple has made the FaceTime groups feature temporarily unavailable. This should be an effective stopgap measure ahead of the patch, but the feature will eventually be re-enabled and organizations need a plan for how they’ll treat iOS devices in their threat landscape.
While this is an obvious privacy issue for users, it can be a much bigger deal for organizations. Since there’s no easy way to know whether a phone has FaceTime disabled, iPhones should probably be restricted from sensitive meetings for the short/mid-term future. Of course there’s an argument that this should always have been the case with any mobile phone, but that’s a different argument for a different time.
If your organization has MDM, now is the time to disable FaceTime remotely. Organizations without MDM may want to use this as a case study for why it is needed.
It’s important to note that FaceTime is also supported on macOS, so if you have corporate Mac users in your environment, you should disable that too until there’s a patch.
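As an added example of the "disable FaceTime via MDM" step above (this is not code from the original post or from Rendition Infosec), the script below builds an unsigned iOS configuration profile carrying Apple’s documented Restrictions payload (PayloadType `com.apple.applicationaccess`), whose boolean key `allowVideoConferencing` disables FaceTime when false, and then audits a profile to confirm the key is actually set. The organization name, profile identifier and UUIDs are constructed placeholders; the function names are my own.

```python
"""Build and audit an MDM Restrictions profile that turns FaceTime off.

Added example; it is not code from the original post or from Rendition
Infosec. It relies on Apple's documented Restrictions payload
(PayloadType "com.apple.applicationaccess"), whose boolean key
"allowVideoConferencing" disables FaceTime when false. The organization
name, profile identifier and UUIDs are constructed placeholders.
"""
import plistlib
import uuid

RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"
FACETIME_KEY = "allowVideoConferencing"


def build_restrictions_profile(org_name: str, identifier: str,
                               allow_facetime: bool = False) -> bytes:
    """Return a .mobileconfig (XML plist) carrying one Restrictions payload.

    allow_facetime=False is the setting the post calls for; True is used
    here only to produce a permissive profile for the audit check.
    """
    restrictions = {
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.restrictions",
        "PayloadUUID": str(uuid.uuid4()),  # constructed, regenerated each run
        "PayloadDisplayName": "Restrictions",
        FACETIME_KEY: allow_facetime,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Permit FaceTime" if allow_facetime else "Disable FaceTime",
        "PayloadOrganization": org_name,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def facetime_disabled(profile_bytes: bytes) -> bool:
    """Audit a profile: True only if a Restrictions payload explicitly sets
    allowVideoConferencing to False. A missing key leaves FaceTime enabled
    (Apple's default), so it must not be counted as disabled."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if (payload.get("PayloadType") == RESTRICTIONS_PAYLOAD_TYPE
                and payload.get(FACETIME_KEY) is False):
            return True
    return False


if __name__ == "__main__":
    # Write the restrictive profile for upload to the MDM, then audit it.
    blob = build_restrictions_profile("Example Corp",
                                      "com.example.mdm.facetime-off")
    with open("disable-facetime.mobileconfig", "wb") as fh:
        fh.write(blob)
    print("FaceTime disabled:", facetime_disabled(blob))
```

The audit function is the part worth keeping after the patch ships: it treats an absent `allowVideoConferencing` key as "still enabled", which is how the device treats it. Two caveats I have not verified against the page and state as assumptions: on newer iOS releases Apple may require the device to be supervised before this key takes effect, and this Restrictions key is an iOS key, so the Mac users mentioned above need a separate macOS control checked against Apple’s profile documentation.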
Apple likely won’t have a patch for this vulnerability until later this week, so in the meantime, it may be prudent to consider any iPhone and Mac a listening device. Is that over the top? It depends on your threat model. Attackers will certainly capitalize on this in the coming days (hours) knowing that they will blend into the noise of others doing the same.
Evaluating the risk of this vulnerability is particularly difficult because there’s no way to know just by looking at a phone whether FaceTime is disabled or whether it is patched (once a patch is available). This is in contrast to, for instance, older iPhone models that don’t support newer iOS versions.
Once the immediate threat has passed, this event should be used to spark threat modeling discussions around the risks that mobile devices (both enterprise managed and BYOD) can bring to organizations.
If you think attackers have used this vulnerability to target your organization, please reach out to Rendition Infosec and we can help you investigate.