Click-to-Call Bug Found in iPhones

Attackers could stick users with 900 number calls due to a bug that might also afflict other browser-enabled phones.

A security firm is warning iPhone users not to use the Safari browser to dial telephone numbers because of a bug that could allow attackers to stick victims with a phone bill full of pricey 900-number calls.

The bug likely isnt unique to Apples iPhone, but the most popular device of the moment is the one that SPI Labs chose to check out.

"Its possible a similar type of issue applies to Treos or Windows Mobile devices," the company wrote on its blog post.

Respondents to the post suggested that built-in browsers in other phones, such as BlackBerrys or those from Nokia, are also susceptible given that they provide the same functionality of calling a number from a Web page.

The touch-to-dial function on an iPhone allows the user to dial any phone number displayed on a Web page simply by tapping it. Attackers could use the function to perform a number of malicious actions. As quoted from SPI Labs post, attackers can exploit the bug to:

  • Redirect phone calls placed by the user to different phone numbers of the attackers choosing
  • Track phone calls placed by the user
  • Manipulate the phone to place a call without the user accepting the confirmation dialog
  • Place the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
  • Prevent the phone from dialing

Such attacks could be launched from a malicious site, from a legitimate site with cross-site scripting vulnerabilities, or as part of a worms payload.

Among other things, an attacker could discover a mobile phone users calls to escort services, could trick a target into dialing any phone number without giving consent, or could lock a phone, forcing the victim to either make a call or hard-reset the phone and possibly suffer data loss as a result.

/zimages/5/28571.gifClick here to read about hackers claims that they will soon be able to cut users ties to Cingular wireless service.

SPI Labs reported the problem to Apple on July 6 and is working with the company to fix the problem. The Labs R&D team hasnt yet investigated how other smart phones handle telephone number/Web browser integration but told eWEEK it plans to do so in the future.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.