Lawmakers Concerned About Apple’s Handling of FaceTime Spying Bug

Two members of the U.S. House of Representatives want to know more about how Apple has handled the recently disclosed bug that made it easy to spy on FaceTime users.

In a letter sent to Apple CEO Tim Cook, Democrats Frank Pallone and Jan Schakowsky, both members of the House’s Committee on Energy and Commerce, have asked the tech giant for more transparency on its investigation into the FaceTime bug.

Apple has been given until February 19 to answer several questions, including when it first learned about the FaceTime vulnerability, the steps taken to address the issue, what procedures are in place to identify such flaws prior to the release of a product and why those procedures failed in this case, and why it has taken so long to release a patch.

Lawmakers also want to know if steps are being taken to identify users whose “privacy interests were violated as a result of this vulnerability,” and if Apple plans on notifying and compensating them.

Finally, Pallone and Schakowsky want to know if Apple is aware of other vulnerabilities that could give someone access to a device’s microphone and/or camera.

The FaceTime bug, discovered by a 14-year-old from Arizona, allows an attacker to spy on FaceTime users through their microphone and camera simply by calling the targeted user and adding the attacker’s own number to a group chat. While the hacker can hear and possibly even see the victim, on the victim’s side it appears as if the call still hasn’t been answered.

Apple suspended the Group FaceTime feature after the bug was disclosed, but a lawyer from Texas has filed a lawsuit against the company, claiming that the vulnerability was exploited to record a client’s private deposition.

Grant Thompson, the teen who discovered the vulnerability, and his mother attempted to report the findings to Apple for more than ten days before the flaw’s existence became public, but they said their attempts were ignored.

A few days after public disclosure, Apple implemented a server-side fix and promised to roll out a software update sometime this week.

While Thompson would normally not qualify for a bug bounty, CNBC reported that a high-level Apple executive met with the Thompsons and suggested that the company could make an exception in this case.

Authorities in New York have launched their own investigation into this incident. The probe, announced last week by New York’s governor and attorney general, focuses on Apple’s failure to warn customers and the company’s slow response.

It’s clear that Apple needs to make improvements to its vulnerability reporting process and its bug bounty program. Another example involves Germany-based Linus Henze, who earlier this week published a video demonstrating a macOS vulnerability that can be exploited to steal passwords from the Keychain. The researcher has refused to provide Apple with full details of the security hole because his findings are not covered by the company’s bug bounty program.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
