Security Experts:

Connect with us

Hi, what are you looking for?



Lawmakers Concerned About Apple’s Handling of FaceTime Spying Bug

Two members of the U.S. House of Representatives want to know more about how Apple has handled the recently disclosed bug that made it easy to spy on FaceTime users.

Two members of the U.S. House of Representatives want to know more about how Apple has handled the recently disclosed bug that made it easy to spy on FaceTime users.

In a letter sent to Apple CEO Tim Cook, Democrats Frank Pallone and Jan Schakowsky, both members of the House’s Committee on Energy and Commerce, have asked the tech giant for more transparency on its investigation into the FaceTime bug.

Apple has been given until February 19 to answer several questions, including when it first learned about the FaceTime vulnerability, the steps taken to address the issue, what procedures are in place to identify such flaws prior to release of a product and why did those procedures fail in this case, and why it has taken so long to release a patch.

Lawmakers ask Apple about FaceTime bugLawmakers also want to know if steps are being taken to identify users whose “privacy interests were violated as a result of this vulnerability,” and if Apple plans on notifying and compensating them.

Finally, Pallone and Schakowsky want to know if Apple is aware of other vulnerabilities that could give someone access to a device’s microphone and/or camera.

The FaceTime bug, discovered by a 14-year-old from Arizona, allows an attacker to spy on FaceTime users through their microphone and camera simply by calling the targeted user and adding the attacker’s own number to a group chat. While the hacker can hear and possibly even see the victim, on the victim’s side it appears as if the call still hasn’t been answered.

Apple suspended the Group FaceTime feature after the bug was disclosed, but a lawyer from Texas has filed a lawsuit against the company, claiming that the vulnerability was exploited to record a client’s private deposition.

Grant Thompson, the teen who discovered the vulnerability, and his mother attempted to report the findings to Apple for more than ten days before the flaw’s existence became public, but they said their attempts were ignored.

A few days after public disclosure, Apple implemented a server-side fix and promised to roll out a software update sometime this week.

While Thompson would normally not qualify for a bug bounty, CNBC reported that a high-level Apple executive met with the Thompsons and suggested that the company could make an exception in this case.

Authorities in New York have launched their own investigation into this incident. The probe, announced last week by New York’s governor and attorney general, focuses on Apple’s failure to warn customers and the company’s slow response.

It’s clear that Apple needs to make improvements to its vulnerability reporting process and its bug bounty program. Another example involves Germany-based Linus Henze, who earlier this week published a video demonstrating a macOS vulnerability that can be exploited to steal passwords from the Keychain. The researcher has refused to provide Apple full details of the security hole due to the fact that his findings are not covered by the company’s bug bounty program.

Related: Apple Patches Dozens of Vulnerabilities in iOS, macOS

Related: Apple Patches Passcode Bypass, FaceTime Flaws in iOS

Related: iOS Lockscreen Bypass Abuses New Group FaceTime Feature

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.