SPI Labs advises avoiding iPhone feature - The HP Security Laboratory Blog -
The HP Security Laboratory Blog » SPI Labs advises avoiding iPhone feature
SPI Labs advises avoiding iPhone feature

The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various attacks, including: 

  • Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
  • Tracking phone calls placed by the user
  • Manipulating the phone to place a call without the user accepting the confirmation dialog
  • Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
  • Preventing the phone from dialing 

These types of attacks can be launched from a malicious website, from a legitimate website that has Cross-Site Scripting vulnerabilities, or as part of a payload of a web application worm. 

For example, an attacker could determine that a specific website visitor “Bob” has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent such a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob’s phone forcing Bob to either make the call or hard-reset his phone resulting in possible data loss. 

SPI Labs researchers reported these issues to Apple on July 6 and are working with Apple to remediate the problems. However, SPI Labs recognizes the unique urgency of these issues and the large number of people that could be affected. As such, SPI Labs recommends that iPhone users do not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues.

Posted 07-16-2007 3:40 PM by Billy
Filed under: ,

Comments

Mike Rose wrote re: SPI Labs advises avoiding iPhone feature
on 07-16-2007 5:28 PM
Don't Windows Mobile 5, Blackberries, and Treos also all allow you to click phone numbers in the browser? Or am I misremembering?
Zero Day Security wrote Researchers point to iPhone security risk
on 07-16-2007 6:34 PM

Security experts with Web application testing specialists SPI Dynamics say they have identified a flaw in the iPhone's browser tools that could be utilized by hackers to track a user's calls or prevent their device from dialing at all.

Sam wrote re: SPI Labs advises avoiding iPhone feature
on 07-16-2007 9:04 PM
Could you please clarify: When the iPhone goes to the "Phone" page, does this attack cause the displayed number (at the top of the screen) to be incorrect?
Tom wrote re: SPI Labs advises avoiding iPhone feature
on 07-17-2007 2:17 AM
This one is pretty silly, the same thing can be accomplished on most browsers with a simple Javascript alert() loop: "Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone" while(1) alert("haha"); There. Also, you can "force quit" any iPhone app by holding down the home button for about 5 seconds. I'd be interested to hear about the others though.
John at myITforum.com wrote Security experts warn against iPhone web dialer
on 07-17-2007 6:54 AM

Security researchers at SPI Labs are warning iPhone users not to use a special feature that lets them

Shashank wrote re: SPI Labs advises avoiding iPhone feature
on 07-17-2007 8:33 AM
Hi Billy, built in browsers in nokia phones also provide similar functionality of calling a number from a web page. Does that mean that these phones are also suspectical to similar attacks?
akalias wrote re: SPI Labs advises avoiding iPhone feature
on 07-17-2007 9:41 AM
I discovered this myself 2 days after the release of the iphone. Was even thinking of setting up a 900 number for iDummies. Below is one variant [html] [head] [title]Iphone Autodial[/title] [script type="text/javascript"] function autoClick() { var dial=document.getElementById('dial'); dial.click(); } [/script] [/head] [body onload="autoClick();"] [form method="GET" action="tel:1-312-555-5555"] [input type="submit" id="dial" value="dial" style="display:none"/] [/form] [/body] [/html]
Pecos Bill wrote re: SPI Labs advises avoiding iPhone feature
on 07-17-2007 11:55 AM

Alas, this hole is likely due to the compartmentalized development that Apple did to maintain secrecy. One hand only had partial knowledge of the other. No wonder Leopard was delayed so they could finish the iPhone. How unfortunate.

Let's hope Apple has a security release in < 3 weeks if true to Mac releases or, even better, one much sooner as it should be.

rogerr wrote re: SPI Labs advises avoiding iPhone feature
on 07-17-2007 1:20 PM
If this feature is found on other phones, why just publicize iPhone, a tiny percentage of the phones out there with similar capability? Could it be just to generate buzz for SPI, and it has nothing to do with anyone actually succeeding with this ploy on any other phone, much less iPhone? Methinks so.
Billy wrote re: SPI Labs advises avoiding iPhone feature
on 07-17-2007 1:25 PM
Just to answer a few questions: 1-It's not a buffer overflow. 2- SPI has only investigated the iPhone. Its possible a similar type of issue applies to Treos or Windows Mobile devices 3-One of the many flaws allows making the phone dial numbers that other than the number appearing in the confirmation box. Sorry Akalias, its not that simple :-)
Billy wrote re: SPI Labs advises avoiding iPhone feature
on 07-17-2007 1:32 PM
Tom: I agree with you that while(1) {alert('screwed')} is a lame Denial of Service. In fact, thats why modern browsers like IE 7/Firefox 2 pop a dialog saying allowing the user to kill the script. Opera has a checkbox on every dialog allowing the user to kill a script. I assure you this is not the DoS we are discussing.
TheOzz wrote re: SPI Labs advises avoiding iPhone feature
on 07-17-2007 1:42 PM
This functionality has been available on the Palm Treo for at least a couple of years. I have never heard a concern for this functionality on the Treo with the Blazer browser. Is the vulnerability specifically with the iPhone, the Safari browser, or with this type of dial from browser functionality in general?
TheOzz wrote re: SPI Labs advises avoiding iPhone feature
on 07-17-2007 1:47 PM
Billy...Sorry for the redundant point. You answered my question by stating that you have only tested the iPhone. I started the comment before lunch when there were only two comments posted. I came back and finished the comment without refreshing the browser.
Histrionic wrote re: SPI Labs advises avoiding iPhone feature
on 07-19-2007 8:24 AM
I would like to see this tested on a Treo and other phones that have this functionality in their browsers. It seems only fair — and even with whatever the iPhone sales numbers are, there are probably more of these other smartphones in the wild right now. Plus, I can tell you that it's a PITA to update my Treo — and it doesn't really matter whether that's due to Palm or the carrier. If the iPhone is as easy to update as an iPod … well, a lot more iPhones will get patched than Treos. (I can't speak for BlackBerries or other devices.)
T wrote re: SPI Labs advises avoiding iPhone feature
on 07-19-2007 2:27 PM

Only fair? Test the other phones yourself. There's no rule that a researcher has to go after every product is there?

For years, Windows based products have been hammered (and rightfully so) while Apple products were ignored - was that "fair"? Researchers have warned for a long time that when Apple products reach a critical level of popularity, they will get drastically increased scrutiny, and likely more flaws will be found. Guess what - that day arrived the day the iPhone shipped. Let the whining begin. . . oops, too late.

cheapcigar wrote re: SPI Labs advises avoiding iPhone feature
on 11-06-2007 10:31 PM
Very nice this blog =)
HP Security Labs Advisories wrote iPhone Call Manipulation
on 11-30-2007 8:09 AM

Summary The Apple iPhone version 1.0.0 web browser has a special feature that allows the user to dial

Internet Business Training Program wrote Internet Business Training Program
on 03-30-2008 4:13 PM

Many people want to learn SEO but they think it is too difficult.

Add a Comment

(required)  
(optional)
(required)  
Remember Me?

Type the numbers and letters above:
Privacy Statement
Powered by Community Server (Non-Commercial Edition), by Telligent Systems