Security firm warns: Do not use Apple iPhone’s Web dialer

“iPhone owners should be wary of a feature that is available through the built-in Safari browser of Apple’s new device because it could allow attackers to hack in to the phone and gain control of calls, according to a security alert,” Stan Beer reports for iTWire.

“The alert from security firm SPI Labs advises users to avoid a feature of iPhones that allows a user to dial any phone number displayed on a web page simply by tapping the number. According to SPI Labs, the feature can be exploited to redirect and track phone calls, as well as placing calls without knowledge of the user. Hackers could also cause mischief that makes the iPhone unusable until it is turned off,” Beer reports.

Full article here.

Robert McMillan reports for IDG News Service, “The feature was created to give iPhone users a simple way to dial phone numbers listed on Web pages, but according to SPI, the feature could be misused.”

“Attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive ‘900’ numbers or even keep track of phone calls made by the victim over the Web, said Billy Hoffman, lead researcher with SPI Labs. The iPhone could even be stopped from dialing out, or set to dial out endlessly, he said,” McMillan reports.

“SPI is not releasing detailed information on how the Web dialing feature could be exploited, but the company contacted Apple on July 6 and is working with the iPhone maker to prevent these types of attacks, Hoffman said,” McMillan reports.

Full article here.
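As an added example (not from either article, and not SPI Labs' undisclosed technique), a small Python audit that parses a page's tel: links and flags the two conditions the reports describe: a visible number that differs from the number Safari would actually dial, and a destination in the premium-rate 900 range. The sample HTML and the 555 numbers are constructed.

```python
"""Audit a page's tel: links: flag a visible number that differs from the number
actually dialed, and destinations in the premium-rate 900 range (added example)."""
from html.parser import HTMLParser
import re

PREMIUM_PREFIXES = ("900",)  # US caller-paid area code named in the article

def normalize(number: str) -> str:
    """Reduce a number to digits and drop a leading US country code (1)."""
    digits = re.sub(r"\D", "", number)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits

class TelLinkCollector(HTMLParser):
    """Collect href and visible text for every <a href="tel:..."> element."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith("tel:"):
            self._current = {"href": href, "text": ""}
    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None

def audit_tel_links(html: str) -> list:
    """Return one finding per suspicious tel: link, in document order."""
    parser = TelLinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        dials, shown = normalize(link["href"][4:]), normalize(link["text"])
        issues = []
        if shown and shown != dials:  # label says one number, link dials another
            issues.append("visible number differs from dialed number")
        if dials.startswith(PREMIUM_PREFIXES):
            issues.append("dials a premium-rate (900) number")
        if issues:
            findings.append({"shown": link["text"].strip(), "dials": dials, "issues": issues})
    return findings

# Constructed sample: an honest link, a 900 number relabelled to look local, a 900 number with no visible digits.
SAMPLE_HTML = """<p>Support: <a href="tel:+1-555-010-0100">555-010-0100</a></p>
<p>Sales: <a href="tel:1-900-555-0199">555-010-0200</a></p>
<p><a href="tel:9005550188">Call us</a></p>"""
```

Running `audit_tel_links(SAMPLE_HTML)` reports the second and third links; the first passes because its label and its tel: target reduce to the same digits.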

38 Comments

  1. Sounds like a bunch of hooey to me. They say “Attackers could exploit a bug …”. Is this a VIRTUAL bug, or one they actually found? I think this is conjecture, not reality. This company just wants to make a name for themselves.

  2. Damn! There goes another of my money making schemes!!

    I was going to install an endless loop caller to my Camel’s Milk hotline, so that I could continue making money if my Camel’s Milk sales hit rock bottom….

    I wonder whose bottom has turned into solid rock this week?

  3. I suppose it is possible – with a little javascript trickery as well as malicious HTML.

    But then again, let’s be more realistic here…if you are viewing a web page with a phone number, it is probably a company’s contact us page or a directory service. Both of these types of websites have very valid and important reasons NOT to mess up your iPhone!

  4. So this is really how the first year of the iPhone goes, right?

    It’s a major security risk; It’s bringing down an entire university’s wireless network; It’s a threat to national security; The Russians are coming; The Chinese are here; In short, we’re all gonna die. Stop using the iPhone, get Apple to stop making cleverly designed and incredibly useful personal computing devices, stop the madness! KILL APPLE!

    You know, even with its billions MS is going to go broke one of these days having to pay out so much undercover money to techno-mercenaries to create the huge piles of FUD they concoct with the release of every new device – yikes.

  5. Read this yesterday at MacCentral, and posted this reply:

    “the feature could be misused”
    “Attackers could exploit”
    “iPhone could even be stopped”
    “Phone has the potential”
    “bad guys would have to either trick iPhone users”
    “not releasing detailed information on how the Web dialing feature could be exploited”
    “Safari could be used to misdial numbers”
    “this could be done more easily than previously thought”
    ““Yes,” said Aitel. “If they know a lot of hackers and are a special target.””

    And the earth COULD BE hit by a meteor today, but I don’t think I’ll worry about that either, not until they say WILL BE. Does anyone else think that this guy is into some serious speculation, or does he really have something that warrants consideration? (I vote speculation, since I count 6 “could be”s in the article.)

  6. Sounds like a bunch of hooey to me. They say “Attackers could exploit a bug …”. Is this a VIRTUAL bug, or one they actually found? I think this is conjecture, not reality. This company just wants to make a name for themselves.

    I agree, the default position should always be to ignore expert advice and instead trust your own uninformed opinion.

  7. “According to SPI Labs, the feature can be exploited to redirect and track phone calls, as well as placing calls without knowledge of the user. Hackers could also cause mischief that makes the iPhone unusable until it is turned off.”

    THIS JUST IN, strapping jumper cables to your scrotum and starting the car could be exploited by angry unsatisfied girlfriends and/or wives to gain attention to the fact that security analysts/hackers put more time into technology than actually having a life.

    Your friend from across the pond,

    CheekyGit

  8. So… do you think MDN is just IGNORING the new Mac OS X worm proof-of-concept, or are they just trying to delay reporting it as long as possible?

    Had it been a Windows worm, MDN would have reported it yesterday when the news broke. Been almost 24 hours since the story hit, yet it’s nowhere on MDN. So much for the word “daily” in Mac DAILY News.

  9. Worse than 900 numbers are the numbers that look like local numbers, but are billed like 900 numbers.

    For readers outside the USA, 900 is the area code for caller-paid services. Calls to those numbers are billed at a much higher rate than merely the telephone call rate, sometimes several US$ per minute, or even much higher. Typically they provide “entertainment” services, though some tech companies offer a 900 option for paid tech support calls. Hope this helps someone.

  10. Capt. Obvious,

    Do you really think a possible vulnerability in the iPhone’s browser that could possibly take advantage of the user is the same as simply driving a car? Maybe if every once in a while, you tune to a radio station that takes over your steering wheel and sends you over a cliff, that would be an apt comparison.

    I’m not giving much credence to this finding, but I’m certainly not going to give some knee-jerk denial without knowing anything about the possible bug.

    By not taking an objective look at this, you’re no better than those spreading FUD. It’s just called rabid fanboyism.

  11. I think in order to maintain the cachet of the iPhone, we should bash anyone who might attempt to make the product more secure by noting any vulnerabilities and working with Apple to correct the problem. That will ensure iPhone’s prestige.
