Today, Apple issued an update to iOS that fixes the serious bug that we reported on last week, which could be exploited to eavesdrop on someone using FaceTime. With iOS 12.1.4 in place, Apple has turned Group FaceTime back on server-side too, but it will only work with the updated version of iOS and later releases.
In a statement to MacRumors, BuzzFeed, and other media outlets, Apple said:
Today's software update fixes the security bug in Group FaceTime. We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS.
In the security update notes released alongside the update, Apple credits Grant Thompson, the teenager who first reported the bug, along with Daven Morris of Arlington, Texas.
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: The initiator of a Group FaceTime call may be able to cause the recipient to answer
Description: A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management.
CVE-2019-6223: Grant Thompson of Catalina Foothills High School, Daven Morris of Arlington, TX
According to Nicole Nguyen of BuzzFeed, Apple is also compensating Thompson’s family and making a gift towards his education:
Apple’s comment on today’s software update, which includes a fix to the Group FaceTime bug. The company is also compensating the Thompson fam for reporting the flaw and contributing a gift to the teen Grant Thompson’s education pic.twitter.com/uGNAQ9fFoq
— nic nguyen (@itsnicolenguyen) February 7, 2019