Security firm warns: Do not use Apple iPhone’s Web dialer

“iPhone owners should be wary of a feature that is available through the built-in Safari browser of Apple’s new device because it could allow attackers to hack in to the phone and gain control of calls, according to a security alert,” Stan Beer reports for iTWire.

“The alert from security firm SPI Labs advises users to avoid a feature of iPhones that allows a user to dial any phone number displayed on a web page simply by tapping the number. According to SPI Labs, the feature can be exploited to redirect and track phone calls, as well as placing calls without knowledge of the user. Hackers could also cause mischief that makes the iPhone unusable until it is turned off,” Beer reports.

Full article here.

Robert McMillan reports for IDG News Service, “The feature was created to give iPhone users a simple way to dial phone numbers listed on Web pages, but according to SPI, the feature could be misused.”

“Attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive “900” numbers or even keep track of phone calls made by the victim over the Web, said Billy Hoffman, lead researcher with SPI Labs. The iPhone could even be stopped from dialing out, or set to dial out endlessly, he said,” McMillan reports.

“SPI is not releasing detailed information on how the Web dialing feature could be exploited, but the company contacted Apple on July 6 and is working with the iPhone maker to prevent these types of attacks, Hoffman said,” McMillan reports.

Full article here.

38 Comments

  1. I think this is cool. Did you catch that hackers can make the iPhone useful *after* it's turned off? Wow! Mine is only useful when it's on.

    It’s like the MAACO commercial: “You won’t even know it’s been repaired.”

    Magic word: “really” as in: Maybe that’s not really what they meant.

  2. There is a problem that needs to be fixed. It will get fixed. No reason to get defensive about it. Just because you spend $600 and sign a two-year contract does not ensure that a 1.0 product will be infallible in every way. To avoid this, simply do not use this feature, big deal, it’s still a pretty good offering without this feature, so stop the apologetic or over-reaching “there is not a problem” comments. Actually there seems to be a lot more that Apple could have done to ensure even more secure information transit on the iPhone that will probably get revised sooner or later. So get your head out of the sand and check this Macworld article that will open your eyes.

    http://www.macworld.com/2007/07/features/iphone_security/index.php

  3. Essentially, this is advice web users keep hearing all the time – beware of clicking on suspect links on web pages, or going to suspect web sites.

    And since the iPhone accesses the full browser, every caution that applies to ordinary web surfing from your computer also applies to web surfing over the iPhone.

    In short, this is just stating the obvious.

  4. @Abdullah
    With one exception, computers do not inherently dial phone numbers from web pages. Yes, you could have phone functionality software on your computer, but not out of the box, like the iPhone, so this warning is not that obvious, since this is not a typical exploit on a computer.

  5. @Mac-nugget

    You have a point there in that the iPhone’s in-built phoning capabilities add an extra dimension to the risk of careless behavior on the web. But if I am reading the warning correctly, you would still need to make the first call yourself in order to allow the loophole to open. So I suppose iPhone users should pay even more attention to conventional web-user wisdom when surfing on the iPhone.

  6. Basic rules of ANY web or email use:

    1. NEVER click on links unless you are sure that they are ok.
    2. NEVER open email attachments from businesses or individuals who are not in your address book.

    I live by these 2 rules and surprise surprise I have no problems at all.

    Like a previous poster stated, “it’s common sense”.

  7. Ptthhbbbtt… a big glowing raspberry to these guys and every other so-called security firm out there.

    You know how ‘dangerous’ the internet is these days, right? Well, I’ve been running a Windows XP/SP2 machine now for over a year with NO VIRUS PROTECTION at all and haven’t seen the first one. We install a copy of Norton once every three months and scan it to check, then remove it when we’re done. So far – nothing. If you believe all the FUD out there these guys put out, this machine should have been toast the first day we fired it up.

    Sure, this stuff is possible – but will you yourself encounter it? Not likely, unless you’re dialing numbers off a porn or other such shady site. Gimme a break, I’m so tired of reading this kind of crap. Enjoy your iPhones, folks – dial on!

  8. Without exploit details, speculation is futile. However I did notice that the iPhone pops open a confirmation dialog when clicking on phone number links that displays the number to be dialed and gives you a chance to cancel the dial. I would think any “useful” exploit would have to bypass this confirmation or fake the number to be dialed in there somehow.

  9. @Ryan
    “Without exploit details, speculation is futile. However I did notice that the iPhone pops open a confirmation dialog when clicking on phone number links that displays the number to be dialed and gives you a chance to cancel the dial. I would think any “useful” exploit would have to bypass this confirmation or fake the number to be dialed in there somehow.”

    This is exactly what it does. The number you see confirmed is not the one dialed. That is precisely the problem. Here you think you are dialing Dominos Pizza and in reality it’s dialing Dominatrics Pissas.
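An added example, not code from the article, from SPI Labs or from any commenter: a small audit a site owner or reviewer could run over page markup to flag tel: links whose visible text does not match the number they would dial. It assumes (as the comments above suggest, though SPI never published the mechanism) that the risk is a mismatch between the number shown and the number targeted; the HTML sample is constructed.

```javascript
// Audit an HTML fragment for tel: links whose displayed number differs from
// the number in the href. Pure string processing, so it runs outside a browser.

function normalizeNumber(s) {
  // Keep a leading "+" and digits only; drop spaces, dashes, parentheses, dots.
  const trimmed = s.trim();
  const plus = trimmed.startsWith("+") ? "+" : "";
  return plus + trimmed.replace(/\D/g, "");
}

function stripTags(s) {
  return s.replace(/<[^>]*>/g, "").replace(/&nbsp;/g, " ");
}

function auditTelLinks(html) {
  const re = /<a\b[^>]*\bhref\s*=\s*["']tel:([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    // hrefs may be percent-encoded ("%2B" for "+"), so decode before comparing.
    const target = normalizeNumber(decodeURIComponent(m[1]));
    const shownRaw = stripTags(m[2]);
    const shown = normalizeNumber(shownRaw);
    // Link text with no digits at all ("Call us") cannot be checked by eye,
    // so it is flagged for review as well.
    const mismatch = shown === "" || shown !== target;
    findings.push({ target, shown: shownRaw.trim(), mismatch });
  }
  return findings;
}

// Constructed sample page: one honest link, one whose displayed number differs
// from the dialed one, and one whose text carries no number.
const SAMPLE_HTML = `
<p>Order: <a href="tel:+15555550123">+1 (555) 555-0123</a></p>
<p>Support: <a href='tel:1-900-555-0199'>555-0123</a></p>
<p><a href="tel:%2B15555550100">Call us</a></p>
`;

// Returns the normalized targets of every flagged link in the given markup.
function flaggedTargets(html = SAMPLE_HTML) {
  return auditTelLinks(html).filter(f => f.mismatch).map(f => f.target);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditTelLinks(SAMPLE_HTML));
}
```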
