Security firm warns against iPhone’s web dialer

Posted by Humphrey Cheung

Atlanta (GA) – Security researchers at SPI Dynamics say the Apple iPhone’s web dialer is vulnerable to exploits.  According to a blog written by SPI’s Billy Hoffman, users could be tricked into dialing seemingly legitimate numbers, only to have their calls redirected to toll numbers.  Even worse, Hoffman says criminals could cause your iPhone to temporarily stop working.

The flaw exists in the iPhone’s Safari web browser and how it handles phone numbers.  Users can dial phone numbers inside of web pages by tapping on the number, but this ease-of-use feature could be exploited by attackers.  Hoffman says code can be written to redirect the calls to 900 numbers which can charge $10 to $20 per call.  Redirected calls could also set up some interesting phishing scenarios – you think you’re calling a bank in Boston, but the other person on the line is in Russia.

Attackers could also be much meaner and place your phone into an infinite loop, continuously calling the same number, according to Hoffman.  He adds that the iPhone is also vulnerable to a denial of service-like attack which would prevent the phone from dialing which would require a system reset to recover from.

SPI says that it reported the bug to Apple on July 6th and adds that it “recommends that iPhone users do not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues”.

While what Hoffman says definitely sounds scary, it’s helpful to note that web dialable phone numbers aren’t new to the iPhone and several applications hook into web pages and allow the some functionality.  Skype, as an example, has a feature that automatically recognizes web-page phone numbers and allows for easy dialing.

iPhone users also have to be tricked into going to a suspicious web page and then clicking a number on the page.  So at first glance, a reasonably intelligent and alert person shouldn’t have anything to worry about.