Energy and Commerce Chairman Frank Pallone, Jr. (D-NJ) and Consumer Protection and Commerce Subcommittee Chairwoman Jan Schakowsky (D-IL) have sent a letter to Apple CEO Tim Cook requesting more information about when the company first learned of the security flaw in its Group FaceTime feature, the extent to which the flaw has compromised consumers’ privacy and whether there are other undisclosed bugs that currently exist and have not been addressed.
The issue involves a FaceTime Group Calling exploit that lets iPhone users listen in on people who haven’t yet accepted a video call. Here’s how it works: the caller starts a FaceTime video call with a contact. While the call is "ringing," the caller manually adds themselves to the call by tapping Add Person and then entering the phone number the call is being made from. This starts a Group FaceTime call that includes the caller, and the original recipient's audio begins streaming before the recipient has accepted the call.
Pallone and Schakowsky say they’re particularly concerned with the privacy implications of the Group FaceTime bug. The Committee Chairs requested written responses to a series of questions by no later than February 19, 2019, including:
When did your company first identify the Group FaceTime vulnerability that enabled individuals to access the camera and microphone of devices before accepting a FaceTime call? Did your company identify the vulnerability before being notified by Mr. Thompson’s mother? Did any other customer notify Apple of the vulnerability?
Please provide a timeline of exactly what steps were taken and when they were taken to address the vulnerability after it was initially identified.
What steps are being taken to identify which FaceTime users’ privacy interests were violated using the vulnerability? Does Apple intend to notify and compensate those consumers for the violation? When will Apple provide notification to affected consumers?
Are there other vulnerabilities in Apple devices and applications that currently or potentially could result in unauthorized access to microphones and/or cameras?