SPI Labs advises avoiding iPhone feature

Published 16 July 07 03:40 PM | Billy 

The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various attacks, including: 

  • Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
  • Tracking phone calls placed by the user
  • Manipulating the phone to place a call without the user accepting the confirmation dialog
  • Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
  • Preventing the phone from dialing 

These types of attacks can be launched from a malicious website, from a legitimate website that has Cross-Site Scripting vulnerabilities, or as part of a payload of a web application worm. 

For example, an attacker could determine that a specific website visitor “Bob” has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent, such as a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob’s phone, forcing Bob to either make the call or hard-reset his phone, resulting in possible data loss. 

SPI Labs researchers reported these issues to Apple on July 6 and are working with Apple to remediate the problems. However, SPI Labs recognizes the unique urgency of these issues and the large number of people that could be affected. As such, SPI Labs recommends that iPhone users do not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues.
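The first and third attack classes above (redirecting a call, and dialing without a genuine tap) both depend on a page carrying a `tel:` target that differs from what the user sees, or one that a script rather than the user triggers. The following is an added example, not code from SPI Labs or the advisory: a small content-review linter in Python that a site operator could run over their own HTML to flag `tel:` anchors whose visible number does not match the number the href would dial, `tel:` anchors that show no number at all for the user to verify, and `<form>` elements whose action is a `tel:` URL (a dial that page script can submit on its own). The sample HTML, the `555-01xx` numbers and the finding names are all constructed for illustration. It does not address the infinite-loop or dial-prevention issues, which are Safari behaviour rather than page content.

```python
"""Audit HTML for tel: dial targets a user cannot verify by looking.

Finding kinds returned by audit_tel_links():
  mismatch  - the visible number differs from the number the href dials
  opaque    - a tel: link whose visible text shows no number to verify
  form-dial - a <form> whose action is tel:, i.e. a dial the page's own
              script can trigger via form.submit() or a hidden submit click
Names and sample data are constructed for this example.
"""
import re
from html.parser import HTMLParser


def normalize_number(text):
    """Reduce a phone number to its dialable digits, keeping a leading '+'."""
    digits = re.sub(r"[^0-9+]", "", text)
    if digits.startswith("+"):
        return "+" + digits[1:].replace("+", "")
    return digits.replace("+", "")


def looks_like_number(text):
    """True if the visible text contains at least 7 digits (a phone number)."""
    return len(re.sub(r"\D", "", text)) >= 7


class TelLinkAuditor(HTMLParser):
    """Collect (kind, visible_text, dial_target) findings about tel: targets."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # dial target while inside an <a href="tel:...">
        self._text = []     # visible text collected inside that anchor

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and a.get("href", "").lower().startswith("tel:"):
            self._href = a["href"][4:]
            self._text = []
        elif tag == "form" and a.get("action", "").lower().startswith("tel:"):
            # A form action of tel: needs no tap on a visible number at all.
            self.findings.append(("form-dial", "", a["action"][4:]))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            target = self._href
            if not looks_like_number(shown):
                self.findings.append(("opaque", shown, target))
            elif normalize_number(shown) != normalize_number(target):
                self.findings.append(("mismatch", shown, target))
            self._href = None
            self._text = []


def audit_tel_links(html):
    """Parse html and return the list of findings in document order."""
    parser = TelLinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one honest link, one redirected link, one link
# with no visible number, and a hidden form that dials on submit.
SAMPLE_HTML = """
<p>Call us: <a href="tel:+1-555-0100">+1 (555) 0100</a></p>
<p>Support: <a href="tel:+1-555-0199">+1 (555) 0100</a></p>
<p><a href="tel:+1-555-0150">Tap to call</a></p>
<form method="GET" action="tel:1-555-0123">
  <input type="submit" id="dial" value="dial" style="display:none"/>
</form>
"""

if __name__ == "__main__":
    for kind, shown, target in audit_tel_links(SAMPLE_HTML):
        print(f"{kind:9} shown={shown!r:20} dials={target!r}")
```

Run as a script it prints one line per finding; as a module, `audit_tel_links()` returns the findings so the check can sit in a CI step over generated pages. The digit comparison deliberately ignores punctuation so that `+1 (555) 0100` and `+1-555-0100` are treated as the same number.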


Comments

# Mike Rose said on July 16, 2007 5:28 PM:
Don't Windows Mobile 5, Blackberries, and Treos also all allow you to click phone numbers in the browser? Or am I misremembering?
# Zero Day Security said on July 16, 2007 6:34 PM:

Security experts with Web application testing specialists SPI Dynamics say they have identified a flaw in the iPhone's browser tools that could be utilized by hackers to track a user's calls or prevent their device from dialing at all.

# Sam said on July 16, 2007 9:04 PM:
Could you please clarify: When the iPhone goes to the "Phone" page, does this attack cause the displayed number (at the top of the screen) to be incorrect?
# Tom said on July 17, 2007 2:17 AM:
This one is pretty silly; the same thing can be accomplished on most browsers with a simple JavaScript alert() loop: "Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone" while(1) alert("haha"); There. Also, you can "force quit" any iPhone app by holding down the home button for about 5 seconds. I'd be interested to hear about the others though.
# John at myITforum.com said on July 17, 2007 6:54 AM:

Security researchers at SPI Labs are warning iPhone users not to use a special feature that lets them

# Shashank said on July 17, 2007 8:33 AM:
Hi Billy, built-in browsers in Nokia phones also provide similar functionality of calling a number from a web page. Does that mean that these phones are also susceptible to similar attacks?
# akalias said on July 17, 2007 9:41 AM:
I discovered this myself 2 days after the release of the iphone. Was even thinking of setting up a 900 number for iDummies. Below is one variant

    <html>
    <head>
    <title>Iphone Autodial</title>
    <script type="text/javascript">
    function autoClick() {
        var dial=document.getElementById('dial');
        dial.click();
    }
    </script>
    </head>
    <body onload="autoClick();">
    <form method="GET" action="tel:1-312-555-5555">
    <input type="submit" id="dial" value="dial" style="display:none"/>
    </form>
    </body>
    </html>
# Pecos Bill said on July 17, 2007 11:55 AM:

Alas, this hole is likely due to the compartmentalized development that Apple did to maintain secrecy. One hand only had partial knowledge of the other. No wonder Leopard was delayed so they could finish the iPhone. How unfortunate.

Let's hope Apple has a security release in < 3 weeks if true to Mac releases or, even better, one much sooner as it should be.

# rogerr said on July 17, 2007 1:20 PM:
If this feature is found on other phones, why just publicize iPhone, a tiny percentage of the phones out there with similar capability? Could it be just to generate buzz for SPI, and it has nothing to do with anyone actually succeeding with this ploy on any other phone, much less iPhone? Methinks so.
# Billy said on July 17, 2007 1:25 PM:
Just to answer a few questions: 1- It's not a buffer overflow. 2- SPI has only investigated the iPhone. It's possible a similar type of issue applies to Treos or Windows Mobile devices. 3- One of the many flaws allows making the phone dial numbers other than the number appearing in the confirmation box. Sorry Akalias, it's not that simple :-)
# Billy said on July 17, 2007 1:32 PM:
Tom: I agree with you that while(1) {alert('screwed')} is a lame Denial of Service. In fact, that's why modern browsers like IE 7/Firefox 2 pop a dialog allowing the user to kill the script. Opera has a checkbox on every dialog allowing the user to kill a script. I assure you this is not the DoS we are discussing.
# TheOzz said on July 17, 2007 1:42 PM:
This functionality has been available on the Palm Treo for at least a couple of years. I have never heard a concern for this functionality on the Treo with the Blazer browser. Is the vulnerability specifically with the iPhone, the Safari browser, or with this type of dial from browser functionality in general?
# TheOzz said on July 17, 2007 1:47 PM:
Billy...Sorry for the redundant point. You answered my question by stating that you have only tested the iPhone. I started the comment before lunch when there were only two comments posted. I came back and finished the comment without refreshing the browser.
# Histrionic said on July 19, 2007 8:24 AM:
I would like to see this tested on a Treo and other phones that have this functionality in their browsers. It seems only fair — and even with whatever the iPhone sales numbers are, there are probably more of these other smartphones in the wild right now. Plus, I can tell you that it's a PITA to update my Treo — and it doesn't really matter whether that's due to Palm or the carrier. If the iPhone is as easy to update as an iPod … well, a lot more iPhones will get patched than Treos. (I can't speak for BlackBerries or other devices.)
# T said on July 19, 2007 2:27 PM:

Only fair? Test the other phones yourself. There's no rule that a researcher has to go after every product is there?

For years, Windows based products have been hammered (and rightfully so) while Apple products were ignored - was that "fair"? Researchers have warned for a long time that when Apple products reach a critical level of popularity, they will get drastically increased scrutiny, and likely more flaws will be found. Guess what - that day arrived the day the iPhone shipped. Let the whining begin. . . oops, too late.

# HP Security Labs Advisories said on November 30, 2007 8:09 AM:

Summary The Apple iPhone version 1.0.0 web browser has a special feature that allows the user to dial


About Billy

Billy Hoffman is the lead researcher for SPI Labs.