Lawmakers Concerned About Apple's Handling of FaceTime Spying Bug

Two members of the U.S. House of Representatives want to know more about how Apple has handled the recently disclosed bug that made it easy to spy on FaceTime users.

In a letter sent to Apple CEO Tim Cook, Democrats Frank Pallone and Jan Schakowsky, both members of the House’s Committee on Energy and Commerce, have asked the tech giant for more transparency on its investigation into the FaceTime bug.

Apple has been given until February 19 to answer several questions, including when it first learned about the FaceTime vulnerability, what steps it took to address the issue, what procedures are in place to identify such flaws prior to the release of a product and why those procedures failed in this case, and why it has taken so long to release a patch.

Lawmakers also want to know if steps are being taken to identify users whose “privacy interests were violated as a result of this vulnerability,” and if Apple plans on notifying and compensating them.

Finally, Pallone and Schakowsky want to know if Apple is aware of other vulnerabilities that could give someone access to a device’s microphone and/or camera.

The FaceTime bug, discovered by a 14-year-old from Arizona, allows an attacker to spy on FaceTime users through their microphone and camera simply by calling the targeted user and adding the attacker’s own number to a group chat. While the hacker can hear and possibly even see the victim, on the victim’s side it appears as if the call still hasn’t been answered.

Apple suspended the Group FaceTime feature after the bug was disclosed, but a lawyer from Texas has filed a lawsuit against the company, claiming that the vulnerability was exploited to record a client’s private deposition.

Grant Thompson, the teen who discovered the vulnerability, and his mother attempted to report the findings to Apple for more than ten days before the flaw’s existence became public, but they said their attempts were ignored.

A few days after public disclosure, Apple implemented a server-side fix and promised to roll out a software update sometime this week.

While Thompson would normally not qualify for a bug bounty, CNBC reported that a high-level Apple executive met with the Thompsons and suggested that the company could make an exception in this case.

Authorities in New York have launched their own investigation into this incident. The probe, announced last week by New York’s governor and attorney general, focuses on Apple’s failure to warn customers and the company’s slow response.

It’s clear that Apple needs to make improvements to its vulnerability reporting process and its bug bounty program. Another example involves Germany-based Linus Henze, who earlier this week published a video demonstrating a macOS vulnerability that can be exploited to steal passwords from the Keychain. The researcher has refused to provide Apple with full details of the security hole because his findings are not covered by the company’s bug bounty program.

Original author: Eduard Kovacs