Researchers Warn iPhone Owners Not To Use Web Dialer - InformationWeek


Using the phone's Safari browser to make calls could let attackers track the user's calls, prevent calls from being made at all, or redirect calls to 900-numbers.

A security company is warning iPhone users to avoid using a feature that lets users make phone calls over the Web using the phone's Safari browser.

The feature can be used by attackers to track the user's calls or redirect the user's intended call to a number the attacker chooses, according to Billy Hoffman, the lead researcher at SPI Labs. A flaw in the feature also enables attackers to put the iPhone in an infinite loop where it continues to try making calls until the user actually turns the device off. It can also prevent the Apple device from dialing altogether, he added in a blog advisory.

"These types of attacks can be launched from a malicious Web site, from a legitimate Web site that has Cross-Site Scripting vulnerabilities, or as part of a payload of a Web application worm," wrote Hoffman. "For example, an attacker could determine that a specific Web site visitor 'Bob' has called an embarrassing number, such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent, such as a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob's phone, forcing Bob to either make the call or hard-reset his phone, resulting in possible data loss."

Hoffman also noted that researchers at SPI Labs reported the flaw to Apple on July 6 and are working with Apple to fix the problems.

SPI Labs is recommending that iPhone users don't use the built-in Safari browser to dial telephone numbers until Apple resolves the issues.

Apple's iPhone was released on June 29 amid a furor of anticipation and speculation. The device is a combination of a music player, a video player, a Web browser, and a phone.

Last month, researchers at IBM's security division, Internet Security Systems, said the frenzy that had been swirling around the iPhone's release means many hackers will be inspired to try to hack into it. On the positive side, though, they also said it will take a sophisticated hacker to actually break into the iPhone.
