Legal View

Apple hit with lawsuit, probe over FaceTime bug

Read time 3min 10sec
It is "almost impossible" to guarantee software today will be 100% bug-free, says Kaspersky.
It is "almost impossible" to guarantee software today will be 100% bug-free, says Kaspersky.

New York governor Andrew Cuomo and attorney general Letitia James have announced the state is opening a probe into Apple's failure to warn its users about a FaceTime bug that allows users to eavesdrop on the people they call using the group chat function.

James tweeted yesterday: "We're launching an investigation into Apple's failure to warn consumers about the FaceTime privacy breach and their slow response to addressing the issue."

The probe is not Apple's only legal woe. According to Bloomberg, It is already facing its first lawsuit over the matter.

Houston-based lawyer Larry Williams II has filed a lawsuit against the company, claiming his iPhone enabled an unknown person to eavesdrop on sworn testimony during a client deposition.

Williams is suing for unspecified punitive damages, negligence, product liability, misrepresentation and warranty breach, claiming the flaw violates the privacy of an individual's "most intimate conversations without consent".

Slow to respond

The probe is based on the fact that Apple was repeatedly notified about the issue a full week before it became public knowledge.

On 19 January, Grant Thompson, a 14-year-old boy from Arizona in the US, stumbled upon the FaceTime bug when he found he could eavesdrop on his friend's phone before his friend had even picked up the call.

His mother, Michele Thompson, sent a video of the hack to Apple the following day, in an attempt to warn the company of this bug that could expose millions of iPhone users to eavesdropping.

They heard nothing back from Apple support, and pursued an answer from every possible avenue, including Twitter, Facebook, e-mailing and faxing Apple's security team.

Over a week later, Apple disabled its Group FaceTime feature after other users, including a separate developer, reported the FaceTime bug and videos of it in action were posted on social media, and went viral.

Apple developers have been racing to fix the flaw, which will come in the form of an iOS.12.1.4 update, this week, most likely today.

The flaw and the company's slow response to fixing it belie not only its privacy claims, but also its reassurances about the safety of its products. Apple regularly advertises its bug bounty programme, and a few hours before it issued a statement addressing the bug, CEO Tim Cook tweeted that "we all must insist on action and reform for vital privacy protections".

Victor Chebyshev, security researcher at Kaspersky Lab, comments: "From what has been reported in the media so far, it would appear to be difficult for an attacker to exploit this bug for the secret surveillance of targets, as the potential victim would receive an incoming call alert."

He says the only possible risk scenario would be where the target is using the 'silent' mode on the device. "In this case, it would be possible for a spy to covertly listen to the target's private conversations."

According to Chebyshev, in general, software today is made up of multiple lines of code, making it "almost impossible" to guarantee that it will be 100% bug-free. Software vendors rely on the security community to help them find and fix such bugs before they can be abused by attackers.

"We advise anyone who remains concerned to turn off the FaceTime feature until Apple's patch has been released."

See also