Stan Beer
Wednesday, 18 July 2007 04:48
iPhone owners should be wary of a feature that is available through the built-in Safari browser of Apple's new device because it could allow attackers to hack into the phone and gain control of calls, according to a security alert.
The alert from security firm SPI Labs advises users to avoid a feature of iPhones that allows a user to dial any phone number displayed on a web page simply by tapping the number.
According to SPI Labs, the feature can be exploited to redirect and track phone calls, as well as to place calls without the user's knowledge. Hackers could also cause mischief that makes the iPhone unusable until it is turned off.
According to SPI Labs, an attack could be launched from a malicious
website, from a legitimate website that has Cross-Site Scripting
vulnerabilities, or as part of a payload of a web application worm.
A serious possible consequence of inadvertently tapping a number on a hacked site is described by SPI Labs in its advisory:
"For example, an attacker could determine that a specific website
visitor “Bob” has called an embarrassing number such as an escort
service. An attacker can also trick or force Bob into dialing any other
telephone number without his consent such as a 900-number owned by the
attacker or an international number. Finally, an attacker can lock
Bob’s phone forcing Bob to either make the call or hard-reset his phone
resulting in possible data loss."
SPI Labs states that it reported the security vulnerability to
Apple on July 6 and is working with the company to resolve the issue.
However, to date Apple has neither acknowledged the alleged problem nor
issued a public advisory.
SPI Labs is advising iPhone users not to dial numbers through Safari until the issues are resolved.