You’d better watch out if you use your iPhone Safari browser to place calls. It turns out that there’s a vulnerability in it that can allow hackers to redirect the calls.
The problem was discovered by SPI Dynamics. The Safari browser on the iPhone has a touch screen feature that allows the user to call a number shown on a web site simply by tapping it. Hackers can install malware that redirects the call to an expensive 900 number, for instance. But there’s also the possibility of worse things.
“For example, an attacker could determine that a specific Web site visitor ‘Bob’ has called an embarrassing number such as an escort service,” Billy Hoffman of SPI wrote in a blog. “An attacker can also trick or force Bob into dialing any other telephone number without his consent, such [as] a 900-number owned by the attacker or an international number.”
Along with redirecting and tracking calls made by the user, the vulnerability means the phone can be manipulated to make a call without the user accepting the confirmation dialogue, can be placed in a loop of trying to make calls so that turning the phone off is the only way to end it, and can also be prevented from dialing.
For now, SPI is advising people not to use the feature on Safari. They reported the problem to Apple on July 6, and work is underway to find a fix.
By its nature, it’s not a critical problem, but it still needs to be fixed, and it is one of many that will inevitably pop up in the iPhone, whose popularity makes it such a target for hackers. The root password and the password for the mobile account have already been unlocked.