Security firm warns: Do not use Apple iPhone’s Web dialer

“iPhone owners should be wary of a feature that is available through the built-in Safari browser of Apple’s new device because it could allow attackers to hack in to the phone and gain control of calls, according to a security alert,” Stan Beer reports for iTWire.

“The alert from security firm SPI Labs advises users to avoid a feature of iPhones that allows a user to dial any phone number displayed on a web page simply by tapping the number. According to SPI Labs, the feature can be exploited to redirect and track phone calls, as well as placing calls without knowledge of the user. Hackers could also cause mischief that makes the iPhone unusable until it is turned off,” Beer reports.

Full article here.

Robert McMillan reports for IDG News Service, “The feature was created to give iPhone users a simple way to dial phone numbers listed on Web pages, but according to SPI, the feature could be misused.”

“Attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive “900” numbers or even keep track of phone calls made by the victim over the Web, said Billy Hoffman, lead researcher with SPI Labs. The iPhone could even be stopped from dialing out, or set to dial out endlessly, he said,” McMillan reports.

“SPI is not releasing detailed information on how the Web dialing feature could be exploited, but the company contacted Apple on July 6 and is working with the iPhone maker to prevent these types of attacks, Hoffman said,” McMillan reports.

Full article here.

38 Comments

  1. I was talking with the Surgeon General just yesterday and he mentioned the rise in folks strapping jumper cables to their scrotum since car manufacturers have been advertising it as a new feature but he was reluctant to issue a warning because he didn’t think it was necessary to warn against such an obvious threat — it would be like telling people to wear sun screen in the summer sun.

  2. “…if you are viewing a web page with a phone number, it is probably a company’s contact us page or a directory service. Both of these types of websites have very valid and important reasons NOT to mess up your iPhone!”

    Or it could be a malicious third party spoofing a company’s contact us page or a directory service.

  3. “Had it been a Windows worm, MDN would have reported it yesterday when the news broke. Been almost 24 hours since the story hit, yet it’s nowhere on MDN. So much for the word “daily” in Mac DAILY News.”

    So far the story is, “someone claims to have a worm but offers exactly no proof. Even if true, it is a proof of concept only that seems to only affect local subnets. In other news, if a hacker can sit down at your desk and use your computer uninterrupted, they pretty much own it….”

    Now I agree that they could mention it. That would be a good thing. But it is a pretty brief and pointless story so far.

  4. Obviously something Apple must be working on feverishly and it shouldn’t be downplayed even if we all would like the iPhone to be the idealist’s perfect device of our dreams.

    I suspect however that this has more to do with how phone systems work and would either require a kind of filter or some involvement from the provider (AT&T).

    There are a bazillion “special numbers” that can be dialed on cell phones that are used to perform configuration or other non-call functions (e.g. transferring calls). Hiding such special coded functions behind a seemingly innocuous number displayed on the web page would be easy. Perhaps this “vulnerability/bug” is no more than a means of triggering special functions using these phone number codes.

    That’s what you get when a modern device is used to access a legacy system (the phone network) initially designed to provide a simple service (making calls) and later coerced into performing other functions using kludgy workarounds.

    A blatant example of this, in more recent history, is Web based applications that use a document formatting protocol (HTML) to provide interactive user input. We all know how difficult it is to make this patchwork of workarounds secure. Imagine how difficult it’s gonna be to make an even older system (phone network) secure while maintaining its compatibility with numeric only devices.

  5. The new Mac OS X worm supposedly exploits specific vulnerabilities that include the potential for arbitrary code execution from opening a maliciously crafted PDF document.

    I just this morning received an email from a source not known to me. It contained an email attachment named email.pdf; naturally I did not open it, but rather deleted the message. If I had opened it (even though I did not know the person or organization who sent the message) any harm done would have been my own stupid fault.

    Maybe I should have forwarded the email to Apple for their research. *grin*

  6. You must have stopped at the headline of the ‘iPhone worm’ article. The so called “iPhone worm” is actually a virus that infects Windows computers. It activates when the user tries to purchase an iPhone by redirecting them to a spoof web page to capture their bank account information.
    The “worm” does not spread via the iPhone, rather through your infected Windoze Craputer.

    Nonetheless, MDN should ‘report’ it so we can all be informed about this new threat from Microsoft.

  7. Not to sound alarmist, but there does seem to be more to the SPI phone vulnerability. To me it seems the scariest part is that whatever this exploit is, it gets around the confirmation dialog when you click on a phone number to dial on a web page, or visit a web page with malicious javascript that “clicks” the phone link for you. It sounds like it can do other things too.

    @Altos, I don’t see why AT&T would have to be involved. From my reading of SPI’s report, it sounds like a fix in Safari could alleviate the issue. And from reading the comments on the SPI blog, I wonder if other smartphones with this feature are also vulnerable.

    @ Beryllium – There was an article recently in MacLife or Macworld about the trend for spammers to move from image spam to PDF spam to pump their crap stocks. That’s prolly all it was.

  8. This may be FUD to some degree, but it is also important to help users of the iPhone to understand how this new device can be exploited against them.

    Just like going to a WiFi hotspot, connecting to an unsecured web site and revealing personal information is not a good idea, the seamless switch of the iPhone from EDGE to WiFi could allow private information to be captured. MacCentral has a good article on that today.

    Apple may have to tighten its security measures for the iPhone and we will also have to learn to be careful how we use personal information on the iPhone, just like we should be doing with laptops on public WiFi sites.

  9. I think this is cool. Did you catch that hackers can make the iPhone useful *after* it’s turned off? Wow! Mine is only useful when it’s on.

    It’s like the MAACO commercial: “You won’t even know it’s been repaired.”

    Magic word: “really” as in: Maybe that’s not really what they meant.

  10. There is a problem that needs to be fixed. It will get fixed. No reason to get defensive about it. Just because you spend $600 and sign a two year contract does not ensure that a 1.0 product will be infallible in every way. To avoid this, simply do not use this feature, big deal, it’s still a pretty good offering without this feature, so stop the apologetic or over reaching “there is not a problem” comments. Actually there seems to be a lot more that Apple could have done to ensure even more secure information transit on the iPhone that will probably get revised sooner or later. So get your head out of the sand and check this Macworld article that will open your eyes.

    http://www.macworld.com/2007/07/features/iphone_security/index.php

  11. Essentially, this is advice web users keep hearing all the time – beware of clicking on suspect links on web pages, or going to suspect web sites.

    And since the iPhone accesses the full browser, every caution that applies to ordinary web surfing from your computer also applies to web surfing over the iPhone.

    In short, this is just stating the obvious.
