Evil Hack Discovered On Apple's iPhone
By Dan Morrill
Expert Author
Article Date: 2007-07-17
SpiLabs has identified an Apple iPhone hack that lets an attacker take over your phone, put it in an infinite loop, or run up your phone bill by repeatedly calling 1-900 numbers, and, as you might expect, it is all based on vulnerabilities found in Safari.
The hacks identified by SpiLabs cover these areas:
- Redirecting phone calls placed by the user to different phone numbers of the attacker's choosing
- Tracking phone calls placed by the user
- Manipulating the phone to place a call without the user accepting the confirmation dialog
- Placing the phone into an infinite loop of attempting calls, from which the only escape is to turn off the phone
- Preventing the phone from dialing
Source: SpiLabs
The whole process relies on the phone's ability to call a number that is embedded in a web page. Using a malicious site, or a legitimate site with a cross-site scripting vulnerability, the attacker can carry out any of the functions above, depending on what the attacker chooses to do.
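Since the whole attack hinges on tel: links embedded in web content, a defender's first check on any page or user-supplied HTML is simply to enumerate those links and flag the ones that point at premium-rate numbers. The following is an added example, not code from the original article or from SpiLabs: it parses HTML, collects every attribute value that uses the tel: scheme, normalizes the number to digits, and raises the severity when the number carries the 1-900 prefix the article names. The prefix list, the severity labels and the sample HTML are all constructed for this example.

```python
"""Audit untrusted HTML for tel: links and flag premium-rate (1-900) targets.

Added example; not part of the original article. The PREMIUM_PREFIXES list and
SAMPLE_HTML are constructed assumptions for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Digit prefixes treated as premium-rate. The article names 1-900; a real
# deployment would extend this for its own numbering plan (assumption).
PREMIUM_PREFIXES = ("1900",)


def normalize_number(tel_target: str) -> str:
    """Reduce a tel: target to its digits only.

    Drops '+', '-', '.', spaces and parentheses after percent-decoding, so
    'tel:+1-900-555-0199' and 'tel:19005550199' compare equal.
    """
    return re.sub(r"\D", "", unquote(tel_target))


class TelLinkCollector(HTMLParser):
    """Collect (tag, attribute, target) for every attribute using the tel: scheme."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            candidate = value.strip()
            # Scheme matching is case-insensitive ("TEL:" is still a tel link).
            if candidate.lower().startswith("tel:"):
                self.links.append((tag, name, candidate[len("tel:"):]))


def find_tel_links(html: str) -> list[tuple[str, str, str]]:
    """Return every tel: link found in the HTML as (tag, attribute, raw target)."""
    collector = TelLinkCollector()
    collector.feed(html)
    collector.close()
    return collector.links


def audit_html(html: str) -> list[dict]:
    """Produce one finding per tel: link, with a severity.

    Any tel: link in untrusted content is reported ("info"); one whose digits
    start with a premium-rate prefix is escalated to "high".
    """
    findings = []
    for tag, attr, target in find_tel_links(html):
        digits = normalize_number(target)
        premium = any(digits.startswith(p) for p in PREMIUM_PREFIXES)
        findings.append({
            "tag": tag,
            "attr": attr,
            "number": digits,
            "severity": "high" if premium else "info",
            "reason": ("tel: link to premium-rate number" if premium
                       else "tel: link in untrusted content"),
        })
    return findings


# Constructed sample: one ordinary contact link, one disguised 1-900 link, and
# a tel: target sitting in a non-anchor attribute.
SAMPLE_HTML = """
<p>Call us: <a href="tel:+1-555-0100">555-0100</a></p>
<a href="TEL:1-900-555-0199">Click here to claim your prize</a>
<iframe src="tel:1-555-0150"></iframe>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(f"[{finding['severity']}] <{finding['tag']} {finding['attr']}> "
              f"{finding['number']}: {finding['reason']}")
```

Run as a script, the block lists three findings and marks the 1-900 link "high". Normalizing to digits before matching matters: the same premium number can be written with country codes, dashes or percent-encoding, and a filter that compares raw strings misses those variants.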
There are financial and privacy implications here. You normally do not want your phone calls tracked by some random party (what a great way to harvest valid phone numbers), nor do you want your phone shut down, or the financial burden of calls to 1-900 numbers placed at random throughout the day and night.
Worse yet, imagine this is a company iPhone and the company wants to know why you were calling those escort services, along with the other truly evil things that can be done once someone owns your phone.
SpiLabs recommends that this feature be disabled until Apple comes up with a patch, and given that the ideas above just scratch the surface, there are probably a lot more evil things that could be done.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.