Topic: Mobility

Beware the iPhone/Safari dialer

Summary: One of the iPhone's most nifty features -- dialing any phone number by simply tapping on a Web page -- can be its most sinister.

By Ryan Naraine for Zero Day | July 17, 2007 -- 00:56 GMT (17:56 PDT)

Follow @ryanaraine

Beware the iPhone/Safari dialer One of the iPhone's most nifty features -- dialing any phone number by simply tapping on a Web page -- can be its most sinister.

[ SEE: The iPhone security non-story ]

Security researchers at SPI Labs says this feature can be exploited by hackers to pull off nefarious stunts like redirecting phone calls placed by the user to different phone numbers of the attacker's choosing; tracking phone calls placed by the user; tricking the phone into placing a call without the user accepting the confirmation dialog; or placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone.

GALLERY: How to run Apple's Safari browser securely

SPI Labs lead researcher Billy Hoffman, a Web application security specialist, warned that these types of attacks can be launched from a malicious website, from a legitimate website that has CSS (cross-site scripting) vulnerabilities, or as part of a payload of a web application worm.

For example, an attacker could determine that a specific website visitor “Bob” has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent such a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob’s phone forcing Bob to either make the call or hard-reset his phone resulting in possible data loss.

"SPI Labs recommends that iPhone users do not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues," Hoffman said.

Topic: Mobility

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

54 comments

Log in or register to join the discussion

Ouch

Thats really nasty.

I reckon thats probably the very first mobile virus that has the potential to affect large numbers of users and have an individually very high impact on those users.

It highlights the pit falls of tightly integrating the core features of a next gen phone with its extra functionality.

nmh
17 July, 2007 03:37

Reply Vote
- What virus are you talking about?
  
  "I reckon thats probably the very first mobile virus that has the potential to affect large numbers of users and have an individually very high impact on those users."
  
  That would be true if there actually was such a virus. This is all a 'what if' discussion. There is no virus that exploits this, only the potential to.
  
  And as I mentioned in another post here, lots of smartphones have had this feature for years, and the world didn't end. This is just misplaced FUD, but zdnet knows that anything iphone related draws eyeballs, so they run the article like its something specific to the iPhone.
  
  pir8matt
  17 July, 2007 06:58
  
  Reply Vote
- You are assuming
  
  1) it won't get fixed in a day or two.
  2) AT&T would not forgive the charges
  
  Both of which are higly likely, though obviously not a given. But I think #1 is
  going to be pretty easy to fix, and I really think AT&T is an interested party, even
  if they aren't spending anything on the iPhone ads yet (still pushing blackberry???).
  But now I am assuming AT&T isn't paying apple for it's iPhone ads, which feature
  both logos.
  
  Truth is, Apple has a huge new revenue stream via the cell phone contracts, a part
  of which goes to Apple.
  
  So, you think these two companies are going to let this get out of hand, just sit
  back and watch, ala, er, I dunno, Microsoft?
  
  comp_indiana
  18 July, 2007 06:24
  
  Reply Vote
have my doubts

the numbers are recognised by the iPhone, not through html scripts or other... when
the iPhone dials a number from a website, it shows the number it's going to dial...
have my doubts on this report.

Non-Zealand
17 July, 2007 04:54

Reply Vote
- Apple apparently doesn't
  
  From the SPI site referenced in Ryan's article:
  
  [i]SPI Labs researchers reported these issues to Apple on July 6 and are working with Apple to remediate the problems.[/i]
  
  I guess the only way we'll know for sure is if there is a new firmware release that covers it in the near(ish) future.
  
  nmh
  17 July, 2007 05:12
  
  Reply Vote
- But users don't pay attention
  
  Even if the phone shows the number, an inattentive user won't notice until it's too late. Look at how many phishing scams rely on a user not noticing that the URL displayed on the link is different from the one they are sent to.
  
  RichInNJ
  17 July, 2007 06:45
  
  Reply Vote
- Im skeptical of this one
  
  I have an iPhone and I've already used this feature. It prompts you and asks if you want to dial the number! Whats so hard to understand about that? Is it an international number that you didnt want to dial? Say 'dont dial'.
  
  Ooooo! Scary potential danger! Get real.
  
  pir8matt
  17 July, 2007 06:54
  
  Reply Vote
  - ..not to mention
    
    My old Treo 650 has had the same capability for years, and zdnet never wrote an article about its inherent insecurity.
    
    pir8matt
    17 July, 2007 06:55
    
    Reply Vote
  - Selective Reading
    
    Guess you dont read too well or you just selectively read!
    From the 2nd paragraph
    
    >Security researchers at SPI Labs says this feature can be exploited by hackers to pull off nefarious stunts like redirecting phone calls placed by the user to different phone numbers of the attacker?s choosing; tracking phone calls placed by the user; tricking the phone into placing a call without the user accepting the confirmation dialog; or placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone.<
    
    So much for saying "Don't Dial
    
    Stan57
    18 July, 2007 04:16
    
    Reply Vote
- Tell me about it.
  
  The phone is dialing the number not because the website is telling you it's a number in a link, but because the iPhone software is parsing the text displayed on the page and recognizing it for a phone number. I'd like to know how a piece of malware can redirect a phone call from a snippet of text displayed on a page.
  
  This is just more crabs in a bucket syndrome.
  
  What is that, you ask? Well, to keep crabs in a bucket, just put at least two of them in there. When any crab tries to climb out, the rest will pull him back in.
  
  frgough
  17 July, 2007 08:13
  
  Reply Vote
Again we see the damage that can be caused...

...by placing Apple sauce onto a stable (-ish) Unix variant.

Remember:

Mach + BSD + Apple sauce != good, fast or stable...

Scrat
17 July, 2007 04:55

Reply Vote
Out of curiosity

Is this an iPhone only thing, or are other "web phones" affected by this sort of thing?

zkiwi
17 July, 2007 06:40

Reply Vote
- Treo 650
  
  My Treo 650 and my Blackjack both had the 'dial from webpage' feature. Its nothing new.
  
  pir8matt
  17 July, 2007 06:59
  
  Reply Vote
  - Did you miss this part of the article?
    
    [i]tricking the phone into placing a call without the user accepting the confirmation dialog[/i]
    
    Would your Treo 650 and Blackjack place calls without you accepting the confirmation dialog?
    
    NonZealot
    17 July, 2007 07:04
    
    Reply Vote
    - neither does the iPhone (NT)
      
      NT
      
      Non-Zealand
      17 July, 2007 08:18
      
      Reply Vote
    - No, I sure didnt
      
      Theoretically, they could, which is exactly what this article is talking about (A theoretical possibility). There is no actual exploit, or did YOU miss that part of the article?
      
      pir8matt
      17 July, 2007 16:15
      
      Reply Vote
  - When Yes is the Right Answer 999 / 1000 Times
    
    Even with confirmation, there's a fatigue factor in that always answering yes to the
    same question means there will be a time when yes will be answered by mistake. I'm
    not sure what the answer to that one is. Cross-scripting javascript and browser
    issues may be addressed by updates to the browser code.
    
    DannyO_0x98
    17 July, 2007 07:23
    
    Reply Vote
  - jeez dude...
    
    prove it works the exact same code wise as the iPhone, and prove the treo can fall prey to the same malicious code. If you don't know how it works, or how coding works, please just don't post on this.
    
    evilkillerwhale@...
    17 July, 2007 17:28
    
    Reply Vote
Even without 3rd party apps, iPhone is a security disaster

Jobs told us that he was restricting our freedom because it would make us more secure. Funny how there has never been a single piece of "in the wild" malware on Windows powered mobile phones yet the iPhone, without [b]any[/b] of Windows Mobile's extensibility, is already a security nightmare. Good job Apple! Sure glad I held off on buying the iPhone. It was the right decision.

NonZealot
17 July, 2007 07:07

Reply Vote
- oh please
  
  Wah Wah Wah. I'm sure you held off buying because of security...I doubt price or product maturity had nothing to do with your decision. Meanwhile, the media has been talking bluetooth virusus on mobile phones for years...hacking is hacking
  
  m101581
  17 July, 2007 07:54
  
  Reply Vote