New York authorities have announced the launch of an investigation into the recently disclosed FaceTime vulnerability that can be exploited to spy on users. The probe focuses on Apple’s failure to warn customers and the company’s slow response.
Videos and posts describing the flaw started making rounds earlier this week on social media websites. The mother of a 14-year-old from Arizona claimed her son had identified the bug and that they had attempted to inform Apple more than 10 days before details of the hack became public. She claimed the tech giant ignored their responsible disclosure attempts, which included calls, messages on social media, emails and even faxes.
The vulnerability is easy to exploit and it does not require any technical knowledge. The attacker simply calls the targeted user via FaceTime and then immediately initiates a group chat by using the “Add person” button from the bottom of the screen. If the attacker adds their own number to the group chat they start hearing what the victim says even if they haven’t actually answered the call.
The victim continues to see the incoming call (i.e. the screen where they can accept or decline the call) and there is no indication that the person on the other end can hear them. Furthermore, if the victim presses the power button on their device, they give the attacker access to their camera as well.
The vulnerability appears to affect FaceTime on both iOS and macOS. Apple has promised to release a fix sometime this week and in the meantime it has suspended the Group FaceTime feature to prevent abuse.
The bug poses serious privacy concerns and New York Governor Andrew M. Cuomo and Attorney General Letitia James have decided to launch an investigation into Apple’s failure to warn customers and its slow response. The Department of State’s Division of Consumer Protection is accepting complaints from consumers as part of this investigation.
“In the wake of this egregious bug that put the privacy of New Yorkers at risk, I support this investigation by the Attorney General into this serious consumer rights issue and direct the Division of Consumer Protection to help in any way possible,” Governor Cuomo said. “We need a full accounting of the facts to confirm businesses are abiding by New York consumer protection laws and to help make sure this type of privacy breach does not happen again.”
Attorney General James commented, “This FaceTime breach is a serious threat to the security and privacy of the millions of New Yorkers who have put their trust in Apple and its products over the years. My office will be conducting a thorough investigation into Apple’s response to the situation, and will evaluate the company’s actions in relation to the laws set forth by the State of New York. We must use every tool at our disposal to ensure that consumers are always protected.”
In another part of the United States, in Texas, a lawyer has filed a lawsuit against Apple claiming that the FaceTime vulnerability was exploited to record a client’s private deposition.
“Plaintiff was undergoing a private deposition with a client when this defective product breach allowed for the recording of a private deposition,” the complaint reads. “The Product was used for its intended purposes because Plaintiff updated their phone for the purpose of group Facetime calls but not unsolicited eavesdropping. Plaintiff suffered injuries.”
SecurityWeek has reached out to Apple for comment and will update this article if the company responds.