Beware the iPhone/Safari dialer


Summary: One of the iPhone's most nifty features -- dialing any phone number by simply tapping on a Web page -- can be its most sinister.



Security researchers at SPI Labs say this feature can be exploited by hackers to pull off nefarious stunts like redirecting phone calls placed by the user to different phone numbers of the attacker's choosing; tracking phone calls placed by the user; tricking the phone into placing a call without the user accepting the confirmation dialog; or placing the phone into an infinite loop of attempting calls, from which the only escape is to turn off the phone.


SPI Labs lead researcher Billy Hoffman, a Web application security specialist, warned that these types of attacks can be launched from a malicious website, from a legitimate website that has cross-site scripting (XSS) vulnerabilities, or as part of the payload of a web application worm.

For example, an attacker could determine that a specific website visitor, “Bob”, has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent, such as a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob’s phone, forcing Bob to either make the call or hard-reset his phone, resulting in possible data loss.

"SPI Labs recommends that iPhone users do not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues," Hoffman said.


Talkback

54 comments
  • Ouch

    That's really nasty.

    I reckon that's probably the very first mobile virus that has the potential to affect large numbers of users and have an individually very high impact on those users.

    It highlights the pitfalls of tightly integrating the core features of a next gen phone with its extra functionality.
    nmh
    • What virus are you talking about?

      "I reckon that's probably the very first mobile virus that has the potential to affect large numbers of users and have an individually very high impact on those users."

      That would be true if there actually was such a virus. This is all a 'what if' discussion. There is no virus that exploits this, only the potential to.

      And as I mentioned in another post here, lots of smartphones have had this feature for years, and the world didn't end. This is just misplaced FUD, but zdnet knows that anything iphone related draws eyeballs, so they run the article like it's something specific to the iPhone.
      pir8matt
    • You are assuming

      1) it won't get fixed in a day or two.
      2) AT&T would not forgive the charges

      Both of which are highly likely, though obviously not a given. But I think #1 is
      going to be pretty easy to fix, and I really think AT&T is an interested party, even
      if they aren't spending anything on the iPhone ads yet (still pushing blackberry???).
      But now I am assuming AT&T isn't paying Apple for its iPhone ads, which feature
      both logos.

      Truth is, Apple has a huge new revenue stream via the cell phone contracts, a part
      of which goes to Apple.

      So, you think these two companies are going to let this get out of hand, just sit
      back and watch, ala, er, I dunno, Microsoft?
      comp_indiana
  • have my doubts

    the numbers are recognised by the iPhone, not through html scripts or other... when
    the iPhone dials a number from a website, it shows the number it's going to dial...
    have my doubts on this report.
    Non-Zealand
    • Apple apparently doesn't

      From the SPI site referenced in Ryan's article:

      "SPI Labs researchers reported these issues to Apple on July 6 and are working with Apple to remediate the problems."

      I guess the only way we'll know for sure is if there is a new firmware release that covers it in the near(ish) future.
      nmh
    • But users don't pay attention

      Even if the phone shows the number, an inattentive user won't notice until it's too late. Look at how many phishing scams rely on a user not noticing that the URL displayed on the link is different from the one they are sent to.
      RichInNJ
    • I'm skeptical of this one

      I have an iPhone and I've already used this feature. It prompts you and asks if you want to dial the number! What's so hard to understand about that? Is it an international number that you didn't want to dial? Say 'don't dial'.

      Ooooo! Scary potential danger! Get real.
      pir8matt
      • ..not to mention

        My old Treo 650 has had the same capability for years, and zdnet never wrote an article about its inherent insecurity.
        pir8matt
      • Selective Reading

        Guess you don't read too well or you just selectively read!
        From the 2nd paragraph

        >Security researchers at SPI Labs says this feature can be exploited by hackers to pull off nefarious stunts like redirecting phone calls placed by the user to different phone numbers of the attacker's choosing; tracking phone calls placed by the user; tricking the phone into placing a call without the user accepting the confirmation dialog; or placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone.<

        So much for saying "Don't Dial"
        Stan57
    • Tell me about it.

      The phone is dialing the number not because the website is telling you it's a number in a link, but because the iPhone software is parsing the text displayed on the page and recognizing it for a phone number. I'd like to know how a piece of malware can redirect a phone call from a snippet of text displayed on a page.

      This is just more crabs in a bucket syndrome.

      What is that, you ask? Well, to keep crabs in a bucket, just put at least two of them in there. When any crab tries to climb out, the rest will pull him back in.
      frgough
  • Again we see the damage that can be caused...

    ...by placing Apple sauce onto a stable (-ish) Unix variant.

    Remember:

    Mach + BSD + Apple sauce != good, fast or stable...
    Scrat
  • Out of curiosity

    Is this an iPhone only thing, or are other "web phones" affected by this sort of thing?
    zkiwi
    • Treo 650

      My Treo 650 and my Blackjack both had the 'dial from webpage' feature. It's nothing new.
      pir8matt
      • Did you miss this part of the article?

        "tricking the phone into placing a call without the user accepting the confirmation dialog"

        Would your Treo 650 and Blackjack place calls without you accepting the confirmation dialog?
        NonZealot
        • neither does the iPhone (NT)

          NT
          Non-Zealand
        • No, I sure didn't

          Theoretically, they could, which is exactly what this article is talking about (A theoretical possibility). There is no actual exploit, or did YOU miss that part of the article?
          pir8matt
      • When Yes is the Right Answer 999 / 1000 Times

        Even with confirmation, there's a fatigue factor in that always answering yes to the
        same question means there will be a time when yes will be answered by mistake. I'm
        not sure what the answer to that one is. Cross-scripting javascript and browser
        issues may be addressed by updates to the browser code.
        DannyO_0x98
      • jeez dude...

        prove it works the exact same code wise as the iPhone, and prove the treo can fall prey to the same malicious code. If you don't know how it works, or how coding works, please just don't post on this.
        evilkillerwhale@...
  • Even without 3rd party apps, iPhone is a security disaster

    Jobs told us that he was restricting our freedom because it would make us more secure. Funny how there has never been a single piece of "in the wild" malware on Windows powered mobile phones yet the iPhone, without any of Windows Mobile's extensibility, is already a security nightmare. Good job Apple! Sure glad I held off on buying the iPhone. It was the right decision.
    NonZealot
    • oh please

      Wah Wah Wah. I'm sure you held off buying because of security...I doubt price or product maturity had nothing to do with your decision. Meanwhile, the media has been talking bluetooth viruses on mobile phones for years...hacking is hacking
      m101581