Apple’s FaceTime vulnerability has caused widespread concern among Apple users and has prompted the New York government to open an investigation. The vulnerability exposes users to privacy issues once the call is connected. That is, as soon as you start getting the call notification, the caller can already hear your conversation, even before you answer the call. In fact, the caller can get video details once he holds the power/volume button even though you haven’t answered the call.
On Tuesday, two US House Democrats, Frank Pallone and Jan Schakowsky, sent a letter to Apple CEO Tim Cook asking him to answer six questions about Apple’s FaceTime privacy flaw:
- When did your company first discover the FaceTime group chat vulnerability, which allowed individuals to access the device’s camera and microphone before accepting a FaceTime call? Did your company determine the vulnerability before being notified by the mother of Mr. Thompson (a 14-year-old boy who discovered the Apple FaceTime vulnerability)? Are there other customers notifying Apple of this vulnerability?
- Please provide a timeline that specifies exactly what steps have been taken, and when, to resolve the initially identified vulnerability.
- What product testing processes are available to identify these vulnerabilities before they are released? Why did your previous test procedures not find these vulnerabilities in advance? What steps is Apple taking to improve the product testing process?
- Why did your company take such a long time to resolve the vulnerability of the FaceTime group chat function after the report sent by Mr. Thompson’s mother to Apple?
- How does Apple determine which FaceTime users’ privacy rights have been violated? Does Apple intend to notify and compensate these users? When does Apple provide notification to affected consumers?
- Are there other vulnerabilities in Apple devices and applications that are currently likely to result in unauthorized access to the microphone and camera?
Overall, Frank Pallone and Jan Schakowsky said in the letter that they are “deeply upset” about how long it takes for Apple to resolve security breaches. They want to know when Apple first learned about this issue, to what extent this vulnerability could affect consumer privacy, and whether there are other undisclosed, unresolved vulnerabilities.
Earlier, Apple apologized for the FaceTime vulnerability and said it had fixed the Group FaceTime vulnerability on the server side and would push the patch as soon as possible. At the same time, Apple confirmed that the FaceTime group chat feature will be permanently disabled on iOS 12.1 to iOS 12.1.3. To use this feature, users need to update their iPhone, iPad or iPod touch to the iOS version that may be pushed next week.