Quantcast
RSS
Security July 16, 2007 5:00 PM

Security Firm: Don't Use iPhone Web Dialer

By Robert McMillan, IDG News Service

Security researchers at SPI Labs Inc. are warning iPhone users not to use a special feature that lets them dial telephone numbers over the Web using the iPhone's Safari browser.

People who read this also read:

The feature was created to give iPhone users a simple way to dial phone numbers listed on Web pages, but according to SPI, the feature could be misused.

Attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive "900" numbers or even keep track of phone calls made by the victim over the Web, said Billy Hoffman, lead researcher with SPI Labs. The iPhone could even be stopped from dialing out, or set to dial out endlessly, he said.

"Because this vulnerability can be launched from Web sites, everybody who has an iPhone has the potential to get exploited," Hoffman said

In order for the attack to work, the bad guys would have to either trick iPhone users into visiting a malicious Web site or make a legitimate Web site send untrustworthy information to the iPhone using what's known as a cross-site scripting attack. "Any time someone could control the content that's getting sent to the iPhone [the possibility of an attack] exists," Hoffman said.

SPI is not releasing detailed information on how the Web dialing feature could be exploited, but the company contacted Apple on July 6 and is working with the iPhone maker to prevent these types of attacks, Hoffman said. Apple could not be reached immediately for comment.

Because Apple is encouraging software developers to write Web applications for the iPhone that use Safari, the browser has come under particular scrutiny from iPhone hackers.

Researchers had previously noted that Safari could be used to misdial numbers, but Hoffman's post suggests that this could be done more easily than previously thought.

Not everybody thought the SPI findings were groundbreaking, including Dave Aitel, chief technology officer with Immunity Inc. "If you can make calls from the Web browser, you can make fake calls from the Web browser," he said via instant message.

So should iPhone users stop using the Web to place calls? "Yes," said Aitel. "If they know a lot of hackers and are a special target."

Was this article useful? Yes 0 No 0

Read more like this: , , ,

Add Yours

Comments Readers reply with their ideas and expertise.

Subscribe to this discussion via email or RSS

  • What do you think?

  • Great year-end deals
    for small business!

  • Get 24/7 live remote AT&T Tech Support 360* service along with select Lenovo* PCs (with Intel® Core™ 2 Duo processors) and save up to 200!

    Learn more

  • HP EliteBook* 6930p Notebook with Intel® vPro™ technology and a free HP Basic Docking Station - $641 instant savings!

    Learn more

  • *Other names and brands may be claimed as the property of others. ©2009 Intel Corporation. Intel, the Intel logo, vPro and Core trademarks of Intel Corporation in the United States and other countries. All rights reserved.
Business News Daily

Get the latest technology news that's important to you and your business, fresh seven days a week.

Featured Webcasts
More webcasts »

Free Whitepapers

Software and Services Whitepapers from PC World

More whitepapers »

Whitepaper Alerts

Get updates on white papers, case studies, and spotlights on tech products and solutions for your business.

PC World's Marketplace

Sponsored Links