A new feature in the latest iOS 13 beta makes users appear as if they're looking directly at the camera to make eye contact during FaceTime calls, when actually they're looking away from the camera at the image of the other person in the corner of their screen.
The FaceTime Correction Feature as demoed by Will Simon (@Wsig)
The new "FaceTime Attention Correction" feature, first spotted by Mike Rundle on Twitter, can be turned on and off in the FaceTime section of the Settings app, although it only appears to work on iPhone XS and XS Max devices in the third iOS 13 beta sent out to developers on Tuesday.
Why the feature is limited to these devices right now remains unknown. It clearly relies on some form of image manipulation to achieve its results, so maybe the software algorithms require the more advanced processing power of Apple's latest devices.
Rundle predicted in 2017 that FaceTime attention correction would be introduced by Apple in "years to come," but its apparent inclusion in iOS 13, due to be released this fall, has surprised and impressed him.
Back in January, there was a major FaceTime bug that allowed a person to force a FaceTime connection with another person, providing access to the user's audio and sometimes video even when the FaceTime call was not accepted.
The bug led to a lawsuit from Houston lawyer Larry Williams II, who claimed that the vulnerability allowed an unknown person to listen in on sworn testimony during a client deposition.
Williams filed his lawsuit in January, just a day after the bug was publicized, and yesterday, a court ruled in Apple's favor and dismissed the case. The court did not find Williams' argument that the FaceTime vulnerability was "unreasonably dangerous" to be valid, nor did the court believe that he provided sufficient evidence to prove that Apple knew of the defect.
Williams's petition does not allege facts about any available alternative design. He fails to allege facts about the iOS 12.1 software as to whether the defect that allegedly allowed a third party to "eavesdrop" on his group FaceTime call was "unreasonable" for the product's ordinary use. Williams's generalized allegation that the iOS 12.1 software was "unreasonably dangerous" and caused him injury falls short of the Rule 8 threshold.
Williams's petition recites the pleading elements, but it does not allege facts that could show Apple's knowledge of the defect or that Apple could reasonably have foreseen that an unknown third party would listen to Williams's group FaceTime call without his permission.
Williams's claim also fails because he did not state facts that could show that Apple's alleged negligent design or manufacture of the iOS 12.1 software proximately caused his injury.
In the lawsuit, Williams had requested unspecified punitive damages for negligence, product liability, misrepresentation, and warranty breach.
The FaceTime eavesdropping bug was perhaps one of the most serious issues that have affected Apple products in recent history.
There was no way to avoid the malicious FaceTime calls, which exploited a Group FaceTime vulnerability. Apple disabled Group FaceTime server side and kept it unavailable until an update could be released to fix the issue.
The third beta of iOS 12.2, released to developers this morning, includes a fix for the Group FaceTime bug, which also reenables Group FaceTime on devices running the iOS 12.2 beta.
Apple addressed the Group FaceTime bug in the iOS 12.1.4 update released on February 7, but there has been no new iOS 12.2 beta until today, so the Group FaceTime feature has remained unavailable to iOS 12.2 users because the server has been offline.
The FaceTime bug allowed someone to spy on you without your permission or knowledge. By exploiting the bug, a person could initiate a Group FaceTime call with you and then add themselves to the call again to force a Group FaceTime connection.
When the Group FaceTime connection was forced using this method, the bug caused the person to be able to hear the audio on your end, even if you did not answer the call. In fact, on your end, it would continue to look like the standard incoming FaceTime call interface. In some situations, if you pressed the side button to silence a call, it would even give the person access to your video.
Given the severity of the bug, Apple took its Group FaceTime server offline while preparing the iOS 12.1.4 update. Group FaceTime was reinstated on devices running iOS 12.1.4, but it does not work on iOS 12.2 beta 2 or devices with iOS 12.1.3 or earlier installed.
It should be noted that Group FaceTime is still somewhat broken following the update. In iOS 12.1.4, there is no option to add a person to a one-on-one Group FaceTime call because the "Add Person" button is grayed out. Group FaceTime calls need to be started with two or more people at the current time.
Other users have been unable to use Group FaceTime at all, and have had trouble adding additional people even during a call with more than one person. Apple is presumably working out these bugs and will have further fixes available in the future.
A few weeks ago, Apple's Group FaceTime was discovered to have a major security flaw which potentially allowed users to listen in on others without their permission. The flaw was quickly publicized, forcing Apple to shut down FaceTime servers temporarily while a patch was being created. A week later, Apple released iOS 12.1.4, which addressed the security issue and re-enabled Group FaceTime for those users.
Unfortunately, Group FaceTime even under iOS 12.1.4 hasn't quite been restored to its former functionality. A MacRumors forum thread started the day after 12.1.4's release revealed users who found themselves unable to add more users to a FaceTime call. As it turns out, it appears that users are no longer able to add a person to a one-on-one FaceTime call. The "Add Person" button remains greyed out and inactive in this situation. The only way to add another person to a Group FaceTime call at this time is to start the call with at least two other people. This slight distinction appears to be the source of confusion for many users.
MacRumors forum user Bob-K persisted in his support calls with Apple, and was finally told that the "Add Person" button not working in that situation was a known issue and that they didn't know when it would be fixed.
Apple Support on Twitter also appears to be aware of this restriction:
That's good. Also, note that Group FaceTime calls need to be started with at least two additional users in the FaceTime app. Meet us in DM if you're still having an issue with more users: https://t.co/GDrqU22YpT
We were able to reproduce this issue, but it appears this workaround isn't entirely reliable as one user reported being unable to consistently add people even during a group call. A search of Twitter shows a number of users who believe that Group FaceTime remains disabled, though some users may simply be unaware of the iOS 12.1.4 update, or may be confused by the greyed "Add Person" button issue.
Apple is actively working on iOS 12.2 Beta which has not yet seen the addition of the patch for Group FaceTime, but we'd expect them to address the ongoing bugs in a later 12.2 beta release.
In a support document outlining the security content of iOS 12.1.4, Apple credited both 14-year-old Grant Thompson of Catalina Foothills High School in Tucson, Arizona and Daven Morris of Arlington, Texas with reporting a major Group FaceTime bug to the company that allowed users to eavesdrop on others.
The Wall Street Journal today shared a few details about Morris, noting he is a 27-year-old software engineer who reported the bug to Apple on January 27, several days after the Thompsons but one day before it made headlines. He apparently discovered the bug a week earlier while planning a group trip with friends.
Apple on Thursday said it will compensate the Thompson family for finding and reporting the bug and make an additional gift toward Grant Thompson's education. Apple hasn't disclosed the exact sums of the donations. It's unclear if Morris will also be compensated by the company for reporting the bug.
In a statement issued to MacRumors, Apple apologized for the bug a second time and assured customers that it has been fixed in iOS 12.1.4, as has a previously unreported vulnerability in the Live Photos feature of FaceTime:
Today's software update fixes the security bug in Group FaceTime. We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS.
Widely publicized last month, the FaceTime bug allowed one person to call another person via FaceTime, slide up on the interface and enter their own phone number, and automatically gain access to audio from the other person's device without that person accepting the call. In some cases, even video was accessible.
Following the release of iOS 12.1.4, Apple today issued an apology to customers and said that it had found and fixed the Group FaceTime bug and an additional security vulnerability involving Live Photos in the FaceTime app.
From a statement provided to MacRumors:
Today's software update fixes the security bug in Group FaceTime. We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS.
Going forward, Apple says that the Live Photos feature will not be available in FaceTime on older versions of iOS and macOS. Capturing a Live Photo will require iOS 12.1.4 or the new version of macOS 10.14.3. Apple is also restricting Group FaceTime from devices running earlier versions of iOS.
Apple fixed a logic issue that existed in the handling of Group FaceTime calls with improved state management, and the Group FaceTime testing led to the discovery of the Live Photos issue. Apple says that the Live Photos bug was fixed with "improved validation on the FaceTime server."
Additional Foundation and IOKit bugs were fixed in iOS as well, addressing memory corruption issues that could lead to elevated privileges for applications.
Apple lists Grant Thompson of Catalina Foothills High School as one of the people who discovered the FaceTime bug. Thompson and his mother made multiple attempts to get into contact with Apple to inform the company of the bug well ahead of when it went public. Daven Morris of Arlington, TX is also listed as a person who discovered the vulnerability and reported it to Apple.
Apple has apologized for missing those messages and has vowed to improve its bug reporting system to make sure future bug reports are distributed to the right people. Apple will be compensating the Thompson family for finding and reporting the bug, and Apple will be providing an additional scholarship to be put towards Thompson's education.
Apple today released a new iOS 12.1.4 update for the iPhone, iPad, and iPod touch, with the new software designed to fix an insidious privacy-invading Group FaceTime bug that could be exploited to eavesdrop on conversations.
The new iOS 12.1.4 software can be downloaded on all eligible devices over-the-air using the Settings app. To download it, go to Settings --> General --> Software Update.
Though Apple's release notes for the update list "security updates" without going into specifics, the issue that's being fixed here is the Group FaceTime vulnerability. After the bug was widely publicized last week, Apple promised a fix, which was delayed to this week.
The FaceTime bug allowed someone to spy on you without your permission or knowledge. By exploiting the bug, a person could initiate a FaceTime call with you and then add themselves to the call again to force a Group FaceTime connection.
When this happened, the bug caused the person to be able to hear the audio on your end, despite the fact that the call was never answered and still looked like a standard FaceTime incoming call interface. In some situations, if you pressed the side button to silence a call, it would even give the person access to your video.
It was a serious bug, so serious that Apple took its entire Group FaceTime server offline as the company took the time to prepare the iOS 12.1.4 update. The Group FaceTime bug was publicized last Monday and Group FaceTime has been offline since then.
The Group FaceTime bug may have required some major under-the-hood changes to FaceTime given that it took Apple nearly two weeks to fix the issue. Following today's update, the Group FaceTime bug will no longer be able to be exploited and Apple will be able to bring its Group FaceTime server back online.
It continues to be unclear just how long the Group FaceTime bug was available for. Group FaceTime was introduced last October, and Apple has not let us know if the bug has been around since that launch date or if it was introduced in a later iOS 12 update.
Apple is today releasing an updated version of iOS 12.1.4, which is designed to address a major FaceTime bug that was widely publicized last Monday. The new update comes two weeks after the launch of iOS 12.1.3, an update that introduced bug fixes.
The iOS 12.1.4 update will be available on all eligible devices over-the-air in the Settings app. To access the update, go to Settings --> General --> Software Update. Apple typically releases new iOS software at 10:00 a.m. Pacific Time or 1:00 p.m. Eastern Time, so that's when the update should become available.
With this update, Apple is fixing an insidious FaceTime bug that could allow someone to spy on you without your permission or knowledge. By exploiting this bug, someone could force a FaceTime call with you, giving them access to your iPhone, iPad, or Mac's audio or video even without you accepting the FaceTime call.
To do this, all someone needed to do was initiate a FaceTime call with you and then add their own phone number to the FaceTime call to convert it to a Group FaceTime call, which, apparently, forces a FaceTime connection.
From there, the person would be able to hear your audio, even though on your end, it would look like the call hadn't been accepted. If you hit the power button to make the call go away, it would give the person access to your camera.
In our testing, the bug was able to be initiated on iPhones running both iOS 12.2 and iOS 12.1.3, and it affected iPhones, Macs, and iPads running the latest version of Apple's software.
Shortly after the bug was publicized last Monday, Apple said that it was aware of the issue and was already working on a fix set to be released later in the week, which was later delayed until this week. Apple also temporarily made Group FaceTime unavailable by taking the server offline, which put a stop to the bug. Going forward, Group FaceTime will only be available on devices running iOS 12.1.4 or later.
With today's update, the FaceTime bug will no longer be able to be exploited, though it remains unclear if it has been available for use since Group FaceTime launched in October last year or if it became an issue in a later software update.
The U.S. Committee on Energy & Commerce is now seeking answers from Apple over the Group FaceTime flaw that allowed people to eavesdrop on conversations.
Energy and Commerce Chairman Frank Pallone Jr. (D-NJ) and Consumer Protection and Commerce Subcommittee Chairwoman Jan Schakowsky (D-IL) today sent a letter to Apple CEO Tim Cook questioning the company about how long it took Apple to address the Group FaceTime flaw, the extent to which the flaw compromised consumer privacy, and whether there are other undisclosed bugs in existence.
"While these are wonderful tools when used right, the serious privacy issue with Group FaceTime demonstrates how these devices can also become the ultimate spying machines. That is why it is critical that companies like Apple are held to the highest standards," Pallone and Schakowsky wrote to Cook. "Your company and others must proactively ensure devices and applications protect consumer privacy, immediately act when a vulnerability is identified, and address any harm caused when you fail to meet your obligations to consumers."
The two representatives ask Apple to be transparent about the investigation into the Group FaceTime vulnerability, and the steps that are being taken to protect consumer privacy going forward. Apple has not been as transparent as "this serious issue requires," according to the letter.
Pallone and Schakowsky ask Apple a number of key questions, including the following:
When did your company first identify the Group FaceTime vulnerability that enabled individuals to access the camera and microphone of devices before accepting a FaceTime call? Did your company identify the vulnerability before being notified by Mr. Thompson's mother?
Did any other customer notify Apple of the vulnerability?
Please provide a timeline of exactly what steps were taken and when they were taken to address the vulnerability after it was initially identified.
What steps are being taken to identify which FaceTime users' privacy interests were violated using the vulnerability? Does Apple intend to notify and compensate those consumers for the violation?
When will Apple provide notification to affected consumers?
Are there other vulnerabilities in Apple devices and applications that currently or potentially could result in unauthorized access to microphones and/or cameras?
Apple CEO Tim Cook will be expected to provide answers to the questions provided in the letter.
The FaceTime vulnerability came to light last Monday after details spread across social media and news sites quickly picked it up. The bug allowed a person to force a FaceTime call with another person, giving them access to the audio (and sometimes video) from an iPhone, iPad, or Mac without the person ever accepting the FaceTime call.
Apple disabled Group FaceTime on its servers to prevent the bug from being used, and the company is still working on an iOS 12.1.4 update that we are expecting to see this week.
While Apple addressed the bug after it went viral on social media, the company was informed of the issue at least a week before when a teenager discovered it and his mother attempted to contact Apple. Though she sent in multiple reports, they did not go to the right people, and Apple has since apologized and said it is committed to improving the bug reporting process.
"We have fixed the Group FaceTime security bug on Apple's servers and we will issue a software update to re-enable the feature for users next week," said Apple in a statement issued to MacRumors and other media outlets.
Widely publicized on Monday, the FaceTime bug allowed one person to call another person via FaceTime, slide up on the interface and enter their own phone number, and automatically gain access to audio from the other person's device without that person accepting the call. In some cases, even video was accessible.
Apple's full statement issued to MacRumors:
We have fixed the Group FaceTime security bug on Apple's servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone's patience as we complete this process.
We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.
The bug will presumably be fixed in a subsequent iOS 12.2 beta as well.