New York Investigating Apple’s Response to FaceTime Spying Bug

New York authorities have announced the launch of an investigation into the recently disclosed FaceTime vulnerability that can be exploited to spy on users. The probe focuses on Apple’s failure to warn customers and the company’s slow response.


Videos and posts describing the flaw started making rounds earlier this week on social media websites. The mother of a 14-year-old from Arizona claimed her son had identified the bug and that they had attempted to inform Apple more than 10 days before details of the hack became public. She claimed the tech giant ignored their responsible disclosure attempts, which included calls, messages on social media, emails and even faxes.

The vulnerability is easy to exploit and it does not require any technical knowledge. The attacker simply calls the targeted user via FaceTime and then immediately initiates a group chat by using the “Add person” button from the bottom of the screen. If the attacker adds their own number to the group chat they start hearing what the victim says even if they haven’t actually answered the call.

The victim continues to see the incoming call (i.e. the screen where they can accept or decline the call) and there is no indication that the person on the other end can hear them. Furthermore, if the victim presses the power button on their device, they give the attacker access to their camera as well.

The vulnerability appears to affect FaceTime on both iOS and macOS. Apple has promised to release a fix sometime this week and in the meantime it has suspended the Group FaceTime feature to prevent abuse.

The bug poses serious privacy concerns and New York Governor Andrew M. Cuomo and Attorney General Letitia James have decided to launch an investigation into Apple’s failure to warn customers and its slow response. The Department of State’s Division of Consumer Protection is accepting complaints from consumers as part of this investigation.

“In the wake of this egregious bug that put the privacy of New Yorkers at risk, I support this investigation by the Attorney General into this serious consumer rights issue and direct the Division of Consumer Protection to help in any way possible,” Governor Cuomo said. “We need a full accounting of the facts to confirm businesses are abiding by New York consumer protection laws and to help make sure this type of privacy breach does not happen again.”

Attorney General James commented, “This FaceTime breach is a serious threat to the security and privacy of the millions of New Yorkers who have put their trust in Apple and its products over the years. My office will be conducting a thorough investigation into Apple’s response to the situation, and will evaluate the company’s actions in relation to the laws set forth by the State of New York. We must use every tool at our disposal to ensure that consumers are always protected.”

In another part of the United States, in Texas, a lawyer has filed a lawsuit against Apple claiming that the FaceTime vulnerability was exploited to record a client’s private deposition.


“Plaintiff was undergoing a private deposition with a client when this defective product breach allowed for the recording of a private deposition,” the complaint reads. “The Product was used for its intended purposes because Plaintiff updated their phone for the purpose of group Facetime calls but not unsolicited eavesdropping. Plaintiff suffered injuries.”

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
