Atlanta (GA) – Security researchers at SPI Dynamics say the Apple iPhone’s web dialer is vulnerable to exploits.  According to a blog written by SPI’s Billy Hoffman, users could be tricked into dialing seemingly legitimate numbers, only to have their calls redirected to toll numbers.  Even worse, Hoffman says criminals could cause your iPhone to temporarily stop working.

The flaw exists in the iPhone’s Safari web browser and how it handles phone numbers.  Users can dial phone numbers inside of web pages by tapping on the number, but this ease-of-use feature could be exploited by attackers.  Hoffman says code can be written to redirect the calls to 900 numbers which can charge $10 to $20 per call.  Redirected calls could also set up some interesting phishing scenarios – you think you’re calling a bank in Boston, but the other person on the line is in Russia.

Attackers could also be much meaner and place your phone into an infinite loop, continuously calling the same number, according to Hoffman.  He adds that the iPhone is also vulnerable to a denial of service-like attack which would prevent the phone from dialing which would require a system reset to recover from.

SPI says that it reported the bug to Apple on July 6th and adds that it “recommends that iPhone users do not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues”.

While what Hoffman says definitely sounds scary, it’s helpful to note that web dialable phone numbers aren’t new to the iPhone and several applications hook into web pages and allow the some functionality.  Skype, as an example, has a feature that automatically recognizes web-page phone numbers and allows for easy dialing.

iPhone users also have to be tricked into going to a suspicious web page and then clicking a number on the page.  So at first glance, a reasonably intelligent and alert person shouldn’t have anything to worry about.

Reasonably Intelligent....

Jul 17, 2007 14:20     

"Reasonably intelligent" is SO subjective. Could have used "cautious person" or "security aware". You cant call a person that has been tricked - "unintelligent" even though I know that's basically what you wanted to say. Our technology advanced faster than the general public can learn about precautions or security awareness regarding the use of new technologies.
Eeto report abuse vote down vote up Votes: +0

Network Analyst

Jul 17, 2007 14:35     

However, a reasonably intelligent and alert person would not have purchased a 'dog and pony show' phone that is untested in the wild and vulnerable to hackers without first having given it time to mature first! That's akin to running out and purchasing a beta copy of LongHorn and putting it right into production on your most critical hardware, the very same day! TheOctagon
TheOctagon report abuse vote down vote up Votes: +0

Come on Octigon

Jul 17, 2007 16:31     

How's the view from your corner office in Redmond? Talk about propaganda jezus....
Univac report abuse vote down vote up Votes: +0

?Univac

Jul 17, 2007 18:14     

Corner office at Redmond? The person bashed Apple and M$.
KAL report abuse vote down vote up Votes: +0

Putting the Phone in front of the i

Jul 17, 2007 18:35     

The more successful the iPhone becomes, all the more formidable shall be the defense. Redirected calls is old school childspaly. Quite a growing lineup of heavy hitters have IP to protect. Phonei call insurance anyone? (yawn).
Faith-Is Enough report abuse vote down vote up Votes: +0

Grow up Univac

Jul 18, 2007 06:06     

I hate how every single time any one says anything remotely bad about Apple people start screaming "It's a Microsoft person at Redmond pretending to be a regular commenter" Holy crap grow up, the people at Microsoft surely have better things to do, like make billions of dollars or fix all the stupid security holes. They don't have time to play with retards like yourself. Any btw, iPHONE sucks, OCEAN rules. Get use to it.

Whatdafxup report abuse vote down vote up Votes: +0