In March 2022, Apple patched a privacy vulnerability in FaceTime that let users unintentionally send audio and video during calls. This issue is tracked as CVE-2022-22643 and impacted iOS, iPadOS, and macOS users. Here, we’ll break down the bug, how it worked, and how it was fixed—using simple, clear language just for you. We also provide example code, direct references, and easy-to-understand exploit details.
What Was CVE-2022-22643?
CVE-2022-22643 is a privacy flaw in Apple’s FaceTime that allowed a user to send audio and video without their knowledge, for example before they officially wanted the call to start. This happened because FaceTime’s checks weren’t good enough in some edge cases. If you received a call, your camera or microphone might turn on, even if you hadn’t answered yet.
macOS Monterey 12.3
Risk: Your private conversations or any visible background could be exposed to someone else—without you realizing you've started sharing.
Technical Background and How the Bug Worked
FaceTime is supposed to enable audio/video streaming only after the user answers. In this bug’s case, a gap between what the user interface (UI) showed and the real “streaming” state let audio/video leak prematurely.
Simplified Example Code (Pseudocode)
// This pseudocode shows what SHOULD happen:
if userPressedAcceptButton {
    startAudioVideoTransmission()
}
But with this bug, transmission could start before the button was pressed, due to a missing check or a race condition:
// Before the fix, due to improper checks:
if callInbound {
    // Audio/video transmitter starts too soon!
    startAudioVideoTransmission() // This should wait for user's action.
}
In simple terms:
Imagine someone calls you on FaceTime. Instead of waiting for *you* to accept, FaceTime started streaming your audio/video as soon as the call came in, even if you hadn't touched the "accept" button yet.
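The two pseudocode branches above, modeled as a small Python state machine with the consent check placed at the transmit point. This is an added illustration, not Apple's code or code from the advisory; `CallSession`, `replay`, `leaked_frames` and the event names are hypothetical, and the event sequence is constructed.

```python
from enum import Enum, auto

class CallState(Enum):
    RINGING = auto()
    ACCEPTED = auto()
    ENDED = auto()

class CallSession:
    """Hypothetical incoming-call model (illustration only, not Apple's code)."""
    def __init__(self, enforce_consent):
        self.state = CallState.RINGING
        self.enforce_consent = enforce_consent
        self.sent = []  # (state at send time, frame) for everything transmitted

    def user_accepts(self):
        # Only a ringing call can be accepted; an ended call stays ended.
        if self.state is CallState.RINGING:
            self.state = CallState.ACCEPTED

    def hang_up(self):
        self.state = CallState.ENDED

    def send_frame(self, frame):
        # The check sits at the transmit point, not only in the UI handler,
        # so no code path can stream before the user has accepted.
        if self.enforce_consent and self.state is not CallState.ACCEPTED:
            return False
        self.sent.append((self.state, frame))
        return True

def replay(events, enforce_consent):
    """Feed a sequence of UI events and captured frames into a new session."""
    session = CallSession(enforce_consent)
    for ev in events:
        if ev == "accept":
            session.user_accepts()
        elif ev == "hangup":
            session.hang_up()
        else:
            session.send_frame(ev)
    return session

def leaked_frames(session):
    """Frames that left the device while the call was not ACCEPTED."""
    return [f for state, f in session.sent if state is not CallState.ACCEPTED]

# Constructed sequence: frames arrive before accept and after hang-up.
EVENTS = ["f0", "f1", "accept", "f2", "f3", "hangup", "f4"]
print(leaked_frames(replay(EVENTS, False)), leaked_frames(replay(EVENTS, True)))
```

Run as a regression test, the same replay catches any later change that lets a frame out while the call is ringing or already ended.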
Exploit Details (How Could Someone Abuse This?)
The reported exploit is user-to-user: if attacker Alice FaceTimes victim Bob, Bob’s audio and video might start streaming to Alice before Bob accepts the call—if the bug is present.
- There’s no code injection or “remote attack” in the classic sense; it’s a flaw in FaceTime’s privacy handling.
- The attacker just needs to call—or sometimes make repeated or grouped FaceTime calls—to trigger the bug and view/listen to the victim's environment.
1. Attacker opens FaceTime and dials the victim.
2. Due to the bug, the victim’s audio/video is active as soon as the call is incoming.
The Fix: Improved Checks
Apple patched the issue by making sure FaceTime waits for clear user consent (button press, swipe, etc.) before starting any transmission.
Original Apple Security Release:
> “This issue was addressed with improved checks.”
> – Apple Security Updates (March 2022)
To check your version:
- Go to Settings > General > About (on iPhone/iPad)
- Or Apple Menu > About This Mac (on Mac)
If you’re running something older, update _immediately_!
References
- Official CVE Entry: CVE-2022-22643
- Apple Security Update Notes
- HT213182: Apple security updates (iOS/iPadOS 15.4)
- HT213183: macOS Monterey 12.3 security notes
Conclusion
Phone and video calls are private, but software bugs can be tricky. CVE-2022-22643 shows how even small mistakes can lead to big privacy risks—your camera or microphone could turn on without you knowing.
Apple’s fix, better checks, makes sure only YOU control when audio and video start. As always, keep your devices updated for the latest protection.
Please tell friends and family about this bug if you know Apple users who rarely update!
Timeline
Published on: 03/18/2022 18:15:00 UTC
Last modified on: 03/24/2022 14:56:00 UTC