Houston attorney Larry Williams is suing Apple over the recently disclosed FaceTime bug which allows callers to listen to the audio of the recipient before they answer the phone, claiming it allowed the recording of a private deposition.
Williams argued Apple was negligent when it allowed the microphone to be used in this way and that “plaintiff was undergoing a private deposition with a client when this defective product breach allowed for the recording of a private deposition,” according to court documents.
“The Product was used for its intended purposes because Plaintiff updated their phone for the purpose of group FaceTime calls but not unsolicited eavesdropping. Plaintiff suffered injuries.”
Williams also alleged a breach of warranty and strict products liability among other allegations.
The vulnerability is believed to affect devices running iOS 12.1 or later and temporarily has been patched by disabling of the Group FaceTime feature on the server side. A more permanent fix is expected later this week.
The vulnerability was discovered by a 14-year-old in Arizona who found he could use the feature to eavesdrop on his friends when setting up a chat for a round of Fortnite.
The teen attempted to warn Apple but did not hear back from the company as Apple’s security team before the glitch went viral, most likely due to the large number of inquiries it receives daily that must be verified.
All an attacker would have needed to do to replicate the vulnerability is to initiate a call with a iPhone contact while the phone is dialing and swipe up from the lower part of the screen after choosing “Add Person,” add his/her name. This would launch a group FaceTime call in which the recipients audio can be heard even if they don’t accept the call.
Anything that human beings design will at times have deficiencies, HackerOne CEO Marten Mickos told SC Media
“It is only natural that there are software and security bugs,” Mickos said. “ It is wrong only if the bug cannot be reported to the vendor or if the bug will go unfixed. As a society, we must agree and mandate that anyone providing a digital product or service to consumers must have a proper way of receiving bug reports and fixing the problems.”
George Gerchow, CSO of SumoLogic said its important for users to keep in mind the patch is not a permanent fix, but is a temporary workaround.
“The difference being users are losing functionality as there is no patch yet available,” Gerchow said. “Even though Apple has gone through great strides to protect their users’ information, this latest bug is yet another reinforcement that privacy continues to remain a major concern regardless of your company’s size or security and privacy investments.”
Gerchow added the bug is also a reminder that nobody’s data is 100 percent safe and that it’s all of our responsibility to be more diligent in protecting the privacy of our customers’ sensitive information against future vulnerabilities.