Filed under: Internet Tools, Security, iPhone
iPhone browser dialing found to be security threat
SPI Labs claims to have discovered a fairly significant threat to iPhone security stemming from MobileSafari's ability to dial phone numbers found on web pages. The feature can apparently be exploited in several ways: redirecting the actual call to a number other than the one displayed on the web page, tracking calls placed by a site visitor, bypassing the confirmation dialog and forcing the call to go through, and even preventing the phone from dialing calls altogether. Imagine clicking on a local number for a restaurant on a malicious website, only to discover you're actually calling an international number and, perhaps more importantly, paying international calling rates.

While SPI Labs has rightly chosen not to disclose the actual nature of the exploit or how to perform it, they do state that they have alerted Apple and are cooperating to plug these holes. If these security threats worry you, SPI Labs recommends that users simply not use this feature for now. Ultimately, it is probably a safe bet that Apple is working quickly to plug security issues like this and other bugs for a future software update that will be delivered (hopefully) soon.
Thanks Eliot!




Reader Comments (Page 1 of 1)
jpjunk.1 said 7:59PM on 7-16-2007
If you want to know exactly what number you're dialing, all you have to do is press and hold down on a link. After that a little rectangle will appear telling you the title and URL of the link (or phone number).
Reply
David Chartier said 8:02PM on 7-16-2007
While I am, again, no security expert, I would wager SPI Labs considered that tap-and-hold feature in their tinkering. I know that with normal browsers it is possible to spoof this as well: holding your mouse over a link on a webpage can be faked to look like it links to anything the designer wants, and I would imagine it is this same, spoof-able mechanism used for the iPhone's link popup feature.
Reply
Tony said 8:39PM on 7-16-2007
I still loves me my iPhone.
Reply
Techspansion/Tyler Loch said 10:53PM on 7-16-2007
...doesn't the iPhone prompt you to dial the number before actually doing it when clicking a tel: link or phone-number-lookalike?
...and won't that be a dead giveaway?
Reply
David Chartier said 10:44PM on 7-16-2007
#4: Both in the SPI Labs report and in my post, it's stated that this vulnerability can be exploited in a way that bypasses the dialing confirmation; this would remove any kind of prompt for the user.
Reply
bud said 11:19PM on 7-16-2007
Aren't the phone numbers DISCOVERED by iPhone Safari given a dotted underline? That is, they are discovered as listed on the page, but not written into the HTML or whatever, as a link.
So the iPhone just parses a number into something that can be loaded into the dialer.
As it would have a dotted underline, it shouldn't in most circumstances even RESEMBLE a regular link. Who the hell puts "Hit This Link to Phone Us" links on a web page?
I think I had something that was not a phone number in my contacts from Address Book, that I had placed in a phone number field, and the iPhone tried dialing that (not a valid number).
Someone could list a restaurant in Google, and it would show up on a map, and maybe that would be a way someone would hit a phone link. A lot of bad info shows up in Google Maps searches, as it is fed from regular Google where someone may have been mentioning THAT business, and THIS address, and so on.
Reply
Tom said 4:24AM on 7-17-2007
It's trivial to spoof links on multiple levels. For example:
```html
<a href="http://www.apple.com" onclick="location='http://www.microsoft.com'; return true;">www.google.com</a>
```
The link on the page looks like google.com, the link that shows up in the status bar is apple.com, but the link you actually get redirected to is microsoft.com.
However, I don't think this is what SPI Labs found. Even with that type of spoofing, the iPhone will ask you if you want to dial the actual number it was about to dial.
They either found a more sophisticated problem, or are full of shit.
Reply
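The display-versus-dialed mismatch the article describes, and the click-handler redirection Tom demonstrates for ordinary links, can be audited from the defender's side. This is an added JavaScript example, not code from TUAW, SPI Labs or Apple; the link records, the US-handset assumption and the helper names are constructed for illustration.

```javascript
// Added example (not from the TUAW post, SPI Labs or Apple): audit tel: links by
// comparing the number a visitor sees with the number the link would dial, and
// flag links whose click handler could swap the destination at click time.

// Keep only digits so "+1 (555) 010-2000" and "tel:15550102000" compare equal.
function normalizeDigits(s) {
  return (s || "").replace(/\D/g, "");
}
// Assumption for this example: a US handset, so anything other than 10 digits or 11 digits starting with 1 is international.
function looksInternational(digits) {
  return !(digits.length === 10 || (digits.length === 11 && digits.startsWith("1")));
}
// Audit one anchor-like record { href, text, hasOnClick } and return a list of
// findings; an empty list means the link dials what it appears to dial.
function auditTelLink(link) {
  const findings = [];
  if (!/^tel:/i.test(link.href)) return findings; // not a dialing link at all
  const target = normalizeDigits(link.href);
  const shown = normalizeDigits(link.text);
  if (link.hasOnClick) {
    // Same trick Tom's comment shows for http links: the handler can redirect.
    findings.push("click handler present on tel: link");
  }
  // Visible text reads like a phone number (7+ digits) but the dialed number
  // does not end with it (a displayed local number may omit the country code).
  if (shown.length >= 7 && !target.endsWith(shown)) {
    findings.push(`displayed ${shown} but dials ${target}`);
  }
  if (looksInternational(target)) {
    findings.push("dials a likely international number");
  }
  return findings;
}
// Constructed sample links standing in for a scraped restaurant listing page.
const SAMPLE_LINKS = [
  { href: "tel:+1-555-010-2000", text: "(555) 010-2000", hasOnClick: false },
  { href: "tel:+44-20-0000-0000", text: "(555) 010-2000", hasOnClick: false },
  { href: "tel:+1-555-010-2000", text: "Call the restaurant", hasOnClick: true },
];
// Audit a whole page worth of links; on a live page the records would come from querySelectorAll('a[href^="tel:"]').
function auditPage(links) {
  return links.map((l) => ({ href: l.href, findings: auditTelLink(l) }));
}
console.log(JSON.stringify(auditPage(SAMPLE_LINKS), null, 2));
```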