The U.S. House of Representatives Energy and Commerce Committee has questions for Apple about its recent FaceTime bug — and why it took as long as it did to respond to the problem.
This follows similar concerns being voiced by New York Attorney General Letitia James, who said last week that her office is launching an investigation into Apple’s failure to warn customers about the FaceTime vulnerability.
In the House of Representatives’ letter to Apple, the authors list six questions that they hope Apple will answer about the incident.
The Group FaceTime bug in question allowed users to eavesdrop on others before they had picked up a call. The questions for Apple, which the House of Representatives would like answered by February 19, are as follows:
1. When did your company first identify the Group FaceTime vulnerability that enabled individuals to access the camera and microphone of devices before accepting a FaceTime call?
2. Did your company identify the vulnerability before being notified by Mr. Thompson’s mother? Did any other customer notify Apple of the vulnerability? Please provide a timeline of exactly what steps were taken and when they were taken to address the vulnerability after it was initially identified.
3. What procedures and testing were in place, and what procedures are now in place, to identify such vulnerabilities prior to the release of a consumer product? Why did those procedures fail in this case? What steps are being taken to improve pre-launch testing in the future?
4. Why did it take so long for Apple to address the Group FaceTime feature vulnerability once it was discovered and reported to Apple by Mr. Thompson’s mother?
5. What steps are being taken to identify which FaceTime users’ privacy interests were violated using the vulnerability? Does Apple intend to notify and compensate those consumers for the violation? When will Apple provide notification to affected consumers?
6. Are there other vulnerabilities in Apple devices and applications that currently or potentially could result in unauthorized access to microphones and/or cameras?
Apple’s response to the FaceTime bug
Apple has already apologized for the FaceTime bug, and said that a bug fix is on the way. It has additionally taken the Group FaceTime servers offline temporarily so that the bug cannot be abused.
In an interview with CNBC, 14-year-old Grant Thompson (who discovered the bug) and his mom said that an Apple exec flew out to meet with them both. This came after Thompson’s mom spent 10 days unsuccessfully trying to contact Apple about the vulnerability, before news of the flaw was shared online.
Apple has promised to tighten up the way that members of the public can report similar incidents. It also confirmed to Thompson’s family that he will be eligible for Apple’s bug bounty program, which offers rewards of up to $200,000 for security researchers who find vulnerabilities on Apple’s software platforms.