


The U.S. Committee on Energy & Commerce is now seeking answers from Apple over the Group FaceTime flaw that allowed people to eavesdrop on conversations.

Energy and Commerce Chairman Frank Pallone Jr. (D-NJ) and Consumer Protection and Commerce Subcommittee Chairwoman Jan Schakowsky (D-IL) today sent a letter [PDF] to Apple CEO Tim Cook questioning the company about how long it took Apple to address the Group FaceTime flaw, the extent to which the flaw compromised consumer privacy, and whether there are other undisclosed bugs in existence.

The two representatives ask Apple to be transparent about the investigation into the Group FaceTime vulnerability, and the steps that are being taken to protect consumer privacy going forward. Apple has not been as transparent as "this serious issue requires," according to the letter.

Pallone and Schakowsky ask Apple a number of key questions, including the following:

  • When did your company first identify the Group FaceTime vulnerability that enabled individuals to access the camera and microphone of devices before accepting a FaceTime call? Did your company identify the vulnerability before being notified by Mr. Thompson's mother?
  • Did any other customer notify Apple of the vulnerability?
  • Please provide a timeline of exactly what steps were taken and when they were taken to address the vulnerability after it was initially identified.
  • What steps are being taken to identify which FaceTime users' privacy interests were violated using the vulnerability? Does Apple intend to notify and compensate those consumers for the violation?
  • When will Apple provide notification to affected consumers?
  • Are there other vulnerabilities in Apple devices and applications that currently or potentially could result in unauthorized access to microphones and/or cameras?

Apple CEO Tim Cook will be expected to provide answers to the questions provided in the letter.

The FaceTime vulnerability came to light last Monday after details spread across social media and news sites quickly picked it up. The bug allowed a person to force a FaceTime call with another person, giving them access to the audio (and sometimes video) from an iPhone, iPad, or Mac without the person ever accepting the FaceTime call.

Apple disabled Group FaceTime on its servers to prevent the bug from being used, and the company is still working on an iOS 12.1.4 update that we are expecting to see this week.


While Apple addressed the bug after it went viral on social media, the company was informed of the issue at least a week before when a teenager discovered it and his mother attempted to contact Apple. Though she sent in multiple reports, they did not go to the right people, and Apple has since apologized and said it is committed to improving the bug reporting process.

Apple is already facing a lawsuit over the Group FaceTime issue and New York officials are also investigating.

Article Link: U.S. Committee Sends Letter to Tim Cook Asking for Answers About Group FaceTime Eavesdropping Flaw
This is rich...the people who want to put a backdoor into iOS are lecturing Apple on privacy.

Apple's record on privacy is clear....very pro-individual privacy anti-government intrusion.
Congress' record is exactly the opposite.
 
Yet another case of Congress performing "lip-service" under the pretense of serving the people's interests. The unfortunate fact is that wealthy business interests run the majority of Congress, and they could hardly give a rat's behind what the people think, as long as they think what they're supposed to think come election day.

Where were you when Wall Street ripped off the American tax-payer? Or when the military-industrial complex yanked control of this country from the average citizen? Whatever culpability Apple might have regarding the Group FaceTime fiasco, you can bet your ass Congress doesn't give two s**** about the average person; they just want to appear like they do.
 
What track record?
  • Their newest hardware product (HomePod) let anyone bypass security to access private messages on a connected iPhone.
  • Their latest software product (Group FaceTime) let anyone bypass security to access audio/video on an iPhone.
  • Their App Store has recently been exposed to be filled with numerous apps breaking the terms of service to sell users' data.
It doesn't look like you're making a comparative argument vs other vendors?
 
Do these Representatives not realize that Apple has emojis to create instead of working on bugs?

On a serious note, of course Apple takes privacy very seriously and I bet Apple now has protocols to escalate these kind of bug reports even faster. Apple does 1000x more than most companies in protecting their consumers.
 
What track record?
  • Their newest hardware product (HomePod) let anyone bypass security to access private messages on a connected iPhone.
  • Their latest software product (Group FaceTime) let anyone bypass security to access audio/video on an iPhone.
  • Their App Store has recently been exposed to be filled with numerous apps breaking the terms of service to sell users' data.
As if:
1. Apple maliciously inserted the bug,
2. Apple can track the innards of legitimate API calls in its apps. If Google can’t do it with their vast market share, how can Apple scrutinize every app at that level? What hyperbole.
 
Oh you mean their products aren’t perfect and bugs will always exist? You need to get out more.

A personal insult that has nothing to do with what I’ve stated... Thanks?

Is that your final answer for Apple’s defense? “Get out more”? Interesting
 
Yet another case of Congress performing "lip-service" under the pretense of serving the people's interests. The unfortunate fact is that wealthy business interests run the majority of Congress, and they could hardly give a rat's behind what the people think, as long as they think what they're supposed to think come election day.

Where were you when Wall Street ripped off the American tax-payer? Or when the military-industrial complex yanked control of this country from the average citizen? Whatever culpability Apple might have regarding the Group FaceTime fiasco, you can bet your ass Congress doesn't give two s**** about the average person; they just want to appear like they do.
I’m for free markets so I would have let them go bankrupt instead of bailing them out and then complaining that investment bankers were greedy once they started making record profits again.
 
The issues are being addressed. The letter seems a little strong.

It's not about the actual fix, it's about Apple's lack of transparency with the issue and how long it took before fixing it. Who knows how long Apple has been aware of this bug...
 
This is ridiculous, what is going on in this country? The questions they are asking are what a manager/ceo should be asking their employees. I'm not sure why the 'US Committee' feels they are owed answers for this is crazy. How about coming up with a law that protects our data privacy first, then you have the right to ask the questions. Fkn frauds.
 
It's not about the actual fix, it's about Apple's lack of transparency with the issue and how long it took before fixing it. Who knows how long Apple has been aware of this bug...
The thing is, many issues get investigated, analyzed, and worked on often before any word about them spreads without the vast majority of people really knowing much about it one way or another. Most things aren't just transparent publicly. There isn't necessarily something truly wrong or different in relation to how things were being handled initially as there were certainly investigations that had to be done, analysis of the issue, weighing risks and all the different variables associated with them, etc.

None of this is to say that there isn't something somewhere that couldn't or shouldn't be improved or modified, but it is to say that what has happened isn't really something that's essentially automatically malicious and wrong.
 
Oh, so they shouldn't have turned off Group Facetime while fixing this bug? Or they shouldn't test their fix before releasing it to the public, potentially leaving the issue unresolved? Gee, how irresponsible of Apple. :rolleyes:

They shouldn't have ignored it for a week.

Try again.
So what do the people at Facebook get for their invasion of privacy and not having the ability to turn it all off as a user, and farming all of your personal details and every other contact on your devices?

This has absolutely nothing to do with the topic at hand.

Try again.
Sound like you’re a politician in the making.

Translation: REEEE
 
They took over a week to respond to the formal complaint. That is not an acceptable grace period for 'privacy being top priority' in my view:

https://www.nytimes.com/2019/01/29/technology/facetime-glitch-apple.html

I think Apple is throwing stones from a glass house, and this won't be the last hiccup of theirs related to privacy

Actually, if you bothered to read the article you linked, it took one business day for Apple to respond to the formal report. She sent an actual bug report on a Friday, Apple disabled Group FaceTime the following Monday. I'd say that's much quicker than one would expect, given it was reported by a random woman and required entirely disabling a core iOS feature.
They shouldn't have ignored it for a week.

Try again.

This has absolutely nothing to do with the topic at hand.

Try again.

Translation: REEEE

They didn't ignore it for a week.

Try again.
 
Seems a bit over dramatized.
Ummm no?

I am absolutely thrilled someone is seeking to hold Apple accountable to this. Not only accountable to fixing it, but accountable to explaining their actions in an honest transparent way. Even if Apple did nothing wrong this sets a precedent for other companies, that they better have a damn good explanation if they are ever caught with a similar bug.

Basically this is the best news ever. Now Apple is going to be forced to give us some answers, rather than quietly sweep it under the rug like they were hoping they could.

Why would you suggest a proper explanation is not necessary? This is potentially an extremely critical turning point for privacy in the modern age. People like you really make me mad, why do you think this is not worth looking into. Do you really think we should just let the corporation get away with it? - If we do not demand answers we are only screwing ourselves, then the question is what comes next.

Seriously why would any sane person NOT want answers here? What happened was really ****ing serious.


Actually, if you bothered to read the article you linked, it took one business day for Apple to respond to the formal report. She sent an actual bug report on a Friday, Apple disabled Group FaceTime the following Monday. I'd say that's much quicker than one would expect, given it was reported by a random woman and required entirely disabling a core iOS feature.

They didn't ignore it for a week.

Try again.

So MacRumors is misreporting the story?

What a waste of time the letter is. Apple addressed it and the fix is being released soon.
UMM. I want to know what exactly happened here. Our phones should NOT BE OPENLY SENDING VIDEO/AUDIO DATA WITHOUT OUR CONSENT.
Probably not a good idea to have a congressional hearing about every software bug..

Let Apple's track record about privacy speak for itself.

I love how there are these people thinking "come on it is just a little tiny software bug. I mean come on."

Actually as noted above I hate it. Apple clearly screwed something major up. Now the question is whether they are guilty of trying to hide it, I want to know the answer to this.
 
Actually, if you bothered to read the article you linked, it took one business day for Apple to respond to the formal report. She sent an actual bug report on a Friday, Apple disabled Group FaceTime the following Monday. I'd say that's much quicker than one would expect, given it was reported by a random woman and required entirely disabling a core iOS feature.

They didn't ignore it for a week.

Try again.

Wrong.

There is literally a tweet on Jan 20 and a YouTube video demo'ing the bug.

Try again.
 
This is ridiculous, what is going on in this country? The questions they are asking are what a manager/ceo should be asking their employees. I'm not sure why the 'US Committee' feels they are owed answers for this is crazy. How about coming up with a law that protects our data privacy first, then you have the right to ask the questions. Fkn frauds.

Because the job of our government is to defend the rights of the people. This is deemed as a breach of those rights. Once again, why are there all these idiots thinking this is some kind of minor "oopsy we slipped". No this is a smoking gun.

Any self respecting person should want to hold the corporation accountable. We should consider ourselves blessed we have a government that cares enough to do this for us. How is an investigation going to hurt you any? The regulators asking these questions get paid the same regardless if they ask the questions or not, so why is there any problem here?
 
What track record?
  • Their newest hardware product (HomePod) let anyone bypass security to access private messages on a connected iPhone.
  • Their latest software product (Group FaceTime) let anyone bypass security to access audio/video on an iPhone.
  • Their App Store has recently been exposed to be filled with numerous apps breaking the terms of service to sell users' data.

Don't forget that nasty bug that allowed anyone to view your phones with the locked screen.
 