iPhone's Safari dialing feature can be hacked
Intended to be a convenience, the unique dialing feature included in the iPhone version of the Safari browser might soon become a nightmare.
SPI Labs' lead researcher Billy Hoffman says that the feature that is designed to dial any number displayed on a Web page after a user taps it is subject to various attacks, including cross-site scripting and drive-by downloads. This issue was first reported to Apple on July 6, but Hoffman believes the "unique urgency" and its potential to affect a large number of people warranted public disclosure.
Potential uses of this vulnerability cited by Hoffman include the ability to redirect free calls to fee-based phone numbers, track phone calls, manipulate the confirmation screen to place a call even if a user doesn't accept, place a phone in an infinite loop where the only escape is to turn off the phone or prevent the phone from dialing.
In a blog, Hoffman offers a few real-world scenarios. "For example, an attacker could determine that a specific Web site visitor "Bob" has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent such as a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob's phone forcing Bob to either make the call or hard-reset his phone resulting in possible data loss."
Until Apple resolves these issues, SPI Labs recommends avoiding the feature in Safari that allows iPhone users to make calls by not tapping phone numbers on a Web page.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 
being jackasses by hacking this crap, we wouldn't have to waste so
much money on security and software patches.
It seems like a big deal to you now...
me...it'll get plugged quickly enough through software update,
so if somebody out there owns one of these babies, check for
software updates regularly if you haven't setup automatic
downloading.
consequently, my biggest gripe about software updates on
machines other than Mac, is that they don't include any "roll up"
updates...mini service packs from M$ would be good, especially
when you're clean installing the XP SP2 OS, it takes FAR too long
to get back to base. if i'm that bothered, it's very straight
forward to do a Mac clean install, without losing data or unique
file links.
i haven't worried about issues like this since 1984, the iPhone
will be no different and no amount of scare mongery will change
that.
It's not really hacking the phone at all. Just pointing out a vulnerability due to the nature of the device.
A good reminder to people browsing online to be think before you click.
- Firefox Security Flaws Simultaneously Announced
- by verbalvoodoo July 18, 2007 4:39 PM PDT
- When Firefox or IE announce the 10th security update of the week to address issues -- it's just routine.
- Reply to this comment
-
(14 Comments)No screaming. No running around in hysteria.
It's just, "Another update issued. FYI." Followed by a big yawn.
Insert the word iPhone and OH MY GAWD! THE IPHONE IS THE BIGGEST SECURITY THREAT EVER!!!!
Just a little bit of a double standard perhaps?
Can you home laptop be hacked?
Yup.
is it possible to hack the iPhone.
Yup.
So the iPhone is no better or worse security wise than ANY computer?
S'funny. You wouldn't get that impression from the article.