U.S. House questions Apple over FaceTime flaw

Posted:
in General Discussion edited February 2019
Two members of the U.S. House of Representatives called on Apple CEO Tim Cook to answer questions about the company's FaceTime fiasco on Tuesday, saying they were "deeply troubled" by press reports detailing how long it took the company to address what is characterized as a privacy violation.

Group FaceTime


In a letter addressed to Cook, House Energy and Commerce Chairman Frank Pallone (D-NJ) and Representative Jan Schakowsky (D-IL) inquire about the origins of Apple's Group FaceTime bug and its impact on customer privacy. Pallone and Schakowsky also ask if there are other flaws in the videotelephony product that have not been disclosed to the public.

Citing smartphone usage statistics, with a heavy emphasis on distribution among children, the letter suggests Apple has not been transparent on what Pallone and Schakowsky deem a serious privacy issue. Apple has not been open about its investigation into the FaceTime vulnerability, nor has the company detailed steps being taken to protect consumers, the letter reads.

Last week, reports of a massive FaceTime flaw surfaced on Twitter. Impacting current versions of iOS up to the latest iOS 12.1, the bug enables a FaceTime caller to eavesdrop on another user before they pick up the call. In some cases, brief access to a receiving party's camera is also granted.

Apple disabled Group FaceTime in a server-side shutdown mere hours after the flaw was made public. A fix was promised to arrive last week, but was later delayed for inclusion in a software update this week.

While mainstream media outlets caught wind of the vulnerability last week, Apple was reportedly notified of the issue more than two weeks ago.

Grant Thompson, a 14-year-old from Tucson, Ariz., independently discovered the flaw during a "Fortnite" gaming session in late January. Thompson's mother Michele attempted to inform Apple about the bug over the ensuing week, going so far as to file bug reports with the company. Whether Thompson's reports were lodged through official channels is unknown.

Pallone and Schakowsky in their letter ask Apple to detail the timeline of events leading up to the discovery of the FaceTime flaw, what actions were taken to address the issue, what procedures were in place to safeguard against such vulnerabilities and how they failed, what safeguards are now in place as a result of the discovery and why it took Apple so long to respond to Thompson's bug report. The letter also requests information regarding steps taken to determine whether customer privacy was violated and, if so, whether the company intends to compensate users.

Apple is currently facing a lawsuit from Texas lawyer who claims an interloper leveraged the Group FaceTime bug to eavesdrop on a deposition, while a Montreal law firm filed a class action suit against Apple last week.

The letter from House Democrats arrives days after the announcement of a New York state probe into the matter.

Apple is asked to respond to Pallone and Schakowsky's questions in writing by Feb. 19.
«1

Comments

  • Reply 1 of 28
    MplsPMplsP Posts: 3,911member
    Honestly, I get that it’s a serious bug, but that’s all it is. How is it different from any of the other security flaws in PC’s/Macs/Androids/iphones/etc that are discovered on a regular basis? Except for the fact that Apple closed the hole by shutting down the server almost as soon as it was discovered. 
    rob53delreyjonesStrangeDaysbaconstangGeorgeBMacneilmlarryjwjason leavittrandominternetpersonjony0
  • Reply 2 of 28
    AppleZuluAppleZulu Posts: 1,989member
    It took a week after the kid's mom notified Apple about the thing for Apple to respond to the issue publicly.

    It took a week after Apple responded publicly to the thing for Congress to respond by writing Apple a letter asking why it took them a week to respond.

    I'm just saying.
    delreyjonesStrangeDaysdedgeckoneilmjason leavittrandominternetpersonmacguicharlesgresurahara
  • Reply 3 of 28
    Just a pile of stupid politicians posturing again for something they are totally clueless about.   If the people who literally "tripped" over this bug, would have just been patient, everyone these days thinks that things happen instantly and they don't, Apple would have fixed it and it would not have been a big thing, and it really wasn't you had to intentionally add yourself to a multiple person FaceTime conversation, of which you were already in to do this, who does that?? ever....
    baconstangjason leavittwaltg
  • Reply 4 of 28
    metrixmetrix Posts: 256member
    Uhhhh, many people died from faulty GM ignitions and it took them like a decade to fix it and let's not even talk about the deaths and injuries associated with faulty air bags that are still in millions of cars in the US. A corporation this large cannot! move like some 1000 employee company where everyone drops everything. There are systems in place to ensure that something even worse doesn't occur in haste. Think of it like a false alarm in Hawaii where someone is pressing the launch button because we want to act quickly. Noooooooooooooo!
    jason leavittjony0
  • Reply 5 of 28
    AppleZulu said:
    It took a week after the kid's mom notified Apple about the thing for Apple to respond to the issue publicly.

    It took a week after Apple responded publicly to the thing for Congress to respond by writing Apple a letter asking why it took them a week to respond.

    I'm just saying.
    I would expect Apple to confirm the bug and find the cause  before acting on it, which may take a little time.
    chasmtmaymwhiterandominternetpersonjeffharris
  • Reply 6 of 28
    As if Apple needs to drop everything as soon as someone files a bug report. I think 2 weeks is PDG in addressing the bug. Nothing to see here, move along. 
    baconstanglkrupp
  • Reply 7 of 28
    This wasn’t vulnerability dicovered by a well known security agency through an organized Pwn2Own type of initiative. It was reported as a bug by a teenager and his mum, likely through some high-volume general feedback mechanism. It could take several days for a staffer to even look at it, and it likely wasn’t thoroughly documented so as to easily be reproducible. 

    That being said, I’d be interested to know the gap in time between their realization of the scale of the bug and the first communication. 
    jason leavitt
  • Reply 8 of 28
    mknelsonmknelson Posts: 1,118member
    MplsP said:
    Honestly, I get that it’s a serious bug, but that’s all it is. How is it different from any of the other security flaws in PC’s/Macs/Androids/iphones/etc that are discovered on a regular basis? Except for the fact that Apple closed the hole by shutting down the server almost as soon as it was discovered. 
    Group FaceTime shut down the same day the bug was Publicized. It was discovered at least a week earlier.

    That's pretty quick by most bug report standards, but slow for the severity and how easy it was to demonstrate.
  • Reply 9 of 28
    Are these imbeciles for real?  The existence of Google and Facebook alone should negate all this false concern.  Good Lord.
    chasmStrangeDaysbaconstanglkrupplostkiwijason leavitturaharawaltg
  • Reply 10 of 28
    chasmchasm Posts: 3,273member
    I doubt the Congresspeople have any real understanding of the process of tracking down and fixing a bug without interrupting the rest of a program's normal functionality, but they are about to get schooled in that and any education from Apple on how things work to the luddites in Congress is not a bad thing (though the showboating isn't necessary).

    Now that lawyer in Texas, OTOH is peeing into the wind with his case. An "interloper" can't have eavesdropped on an established FT call without the lawyer **accepting the interloper**, and the lawyer would also have a record of who it was, since that would appear in the FT log. So, no, Texas liar, your scenario didn't happen. Once the case is dropped, he or she should be reported to the Texas Bar for unethical behaviour.
    jason leavitt
  • Reply 11 of 28
    Great. Now can they do something to those with real data breaches, like Equifax?
    zeus423agilealtitudemwhiteGeorgeBMacbadmonk
  • Reply 12 of 28
    More technologically inept individuals trying to posture on a complex technological concept. Software development and QA is not for everyone. Let the pros do their job and move along. Jesus man..
  • Reply 13 of 28
    Politicians take note...

    “Better to Remain Silent and Be Thought a Fool than to Speak and Remove All Doubt.”
    zeus423dedgecko
  • Reply 14 of 28
    The house members should find something more important to do. Really asking Apple about a damn bug. I will refrain from making a political comment but government is now a effing waste. 
    zeus423dedgecko
  • Reply 15 of 28
    lkrupplkrupp Posts: 10,557member
    gilly33 said:
    The house members should find something more important to do. Really asking Apple about a damn bug. I will refrain from making a political comment but government is now a effing waste. 
    Maybe Apple shouldn’t have crowed so loud about being the knight in shining armor protecting the last bastion of security and privacy. While Apple may genuinely care more about the subject they put a bullseye on their back for the cynics to pound away at. Shit happens and it sure did this time. Now the critics are having a field day. As Teddy Roosevelt said, “Speak softly and carry a big stick.” 
    dedgeckomuthuk_vanalingam
  • Reply 16 of 28
    jungmarkjungmark Posts: 6,926member
    HeliBum said:
    AppleZulu said:
    It took a week after the kid's mom notified Apple about the thing for Apple to respond to the issue publicly.

    It took a week after Apple responded publicly to the thing for Congress to respond by writing Apple a letter asking why it took them a week to respond.

    I'm just saying.
    I would expect Apple to confirm the bug and find the cause  before acting on it, which may take a little time.
    Not only that but if it was a mention in a tweet or an email, how many of those does Apple get daily? How many employees are monitoring social media for bug reports? The right people have to be notified. Apple employees aren't a collective mind. 
    jason leavitt
  • Reply 17 of 28
    MplsPMplsP Posts: 3,911member
    Great. Now can they do something to those with real data breaches, like Equifax?
    Well, they did have a bunch or hearings where people got to grandstand and afterwards .... did nothing. :neutral: 
    zeus423mwhitejason leavittStrangeDays
  • Reply 18 of 28
    charlitunacharlituna Posts: 7,217member
    AppleZulu said:
    It took a week after the kid's mom notified Apple about the thing for Apple to respond to the issue publicly.

    It took a week after Apple responded publicly to the thing for Congress to respond by writing Apple a letter asking why it took them a week to respond.

    I'm just saying.
    difference is that Apple was notified but the woman hadn't notified the right group. sounds like she sent a message to the general feedback off the site or something about as vague and it took several days for the information to get to the right group to figure out what exactly the flaw was. meanwhile said woman, apparently made that Tim Cook didn't personally call to offer her a fat reward, announced the flaw on social media. and THAT is when folks knew it existed. and Apple shut down the server within like 24 hours. 
    Congress knew about the issue for a week, publicly knew, and did nothing. 
    lostkiwijason leavitt
  • Reply 19 of 28
    MplsP said:
    Great. Now can they do something to those with real data breaches, like Equifax?
    Well, they did have a bunch or hearings where people got to grandstand and afterwards .... did nothing. :neutral: 
    Good Lord, These two joker should concentrate on making good laws not butting thier head where they dont belong....get a grip you two nip wet 
  • Reply 20 of 28
    GeorgeBMacGeorgeBMac Posts: 11,421member
    Great. Now can they do something to those with real data breaches, like Equifax?
    The private, financial data of 43% of the country was hacked from Equifax.  The timeline was:
    March 8:   DHS notifies Equifax of vulnerability
    May 13:   First hack of Equifax information
    July 29:  Ongoing Hack identified by Equifax
    July30:  Application taken offline
    Aug 2:  FBI notified
    Sept 4:   List of affected customers prepared (143million)
    Sept 7:  Affected customers notified

    6 Months!
    Congressional reaction?   Mostly a shrug
    MplsPlarryjwjason leavittStrangeDaysrandominternetpersonbadmonk
Sign In or Register to comment.