July 16, 2007
Security firm: Don't use iPhone Web dialer
SPI Labs warns that the iPhone's ability to dial phone numbers using the Safari browser is vulnerable to several attacks
1 RecommendationSecurity researchers at SPI Labs are warning iPhone users not to use a special feature that lets them dial telephone numbers over the Web using the iPhone's Safari browser.
The feature was created to give iPhone users a simple way to dial phone numbers listed on Web pages, but according to SPI, the feature could be misused.
[ Blog: Researchers point to iPhone security risk ]
Attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive "900" numbers or even keep track of phone calls made by the victim over the Web, said Billy Hoffman, lead researcher with SPI Labs. The iPhone could even be stopped from dialing out, or set to dial out endlessly, he said.
"Because this vulnerability can be launched from Web sites, everybody who has an iPhone has the potential to get exploited," Hoffman said
In order for the attack to work, the bad guys would have to either trick iPhone users into visiting a malicious Web site or make a legitimate Web site send untrustworthy information to the iPhone using what's known as a cross-site scripting attack. "Any time someone could control the content that's getting sent to the iPhone [the possibility of an attack] exists," Hoffman said.
SPI is not releasing detailed information on how the Web dialing feature could be exploited, but the company contacted Apple on July 6 and is working with the iPhone maker to prevent these types of attacks, Hoffman said. Apple could not be reached immediately for comment.
Because Apple is encouraging software developers to write Web applications for the iPhone that use Safari, the browser has come under particular scrutiny from iPhone hackers.
Researchers had previously noted that Safari could be used to misdial numbers, but Hoffman's post suggests that this could be done more easily than previously thought.
Not everybody thought the SPI findings were groundbreaking, including Dave Aitel, CTO with Immunity Inc. "If you can make calls from the Web browser, you can make fake calls from the Web browser," he said.
So should iPhone users stop using the Web to place calls? "Yes," said Aitel. "If they know a lot of hackers and are a special target."
White Paper
D2D Virtual Tape Library Replication Primer
This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.
Download now »
White Paper
An Alternative to Virtualization for Datacenter Cost Savings
Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.
Download now »
White Paper
Why Your Firewall, VPN, and IEEE 802.11i Aren't Enough to Protect Your Network
The emergence of WLANs has created a new breed of security threats to enterprise networks.
Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation
White Paper
Bringing the Edge to the Data Center
Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.
Download now »
- Positioning Disk and Tape in a Disk-to-Disk-to-Tape Solution | White Paper
- Log Management: How to Develop the Right Strategy for Business and Compliance | White Paper
- The Essential Series: Security Information Management | White Paper
- Aberdeen: Choosing and Consuming Managed Security Services | White Paper
- Effectively Integrating Wireline and Wireless Services for Seamless Communication | White Paper
Sign up to receive Hardware Resource Alerts
See how AT&T can help protect your network. Make IT Work As One at novell.comHP ProLiant G6 Servers. Perform like a superstar, Save like an accountant.HP ProLiant G6 Servers. Perform like a superstar, Save like an accountant.Unified Communications: Thoughts, Strategies and Predictions. Join the discussionOptimize Linux* for high performance and energy efficiency on Intel® architectureSee how Intel is working across the Open Source ecosystem to help drive rapid technological innovationKeep your IT expertise up to date. Join the Intel Premier IT Professionals. Increase UPS efficiency without sacrificing protectionIn less than 45 minutes, Palisade Systems protects your data
Today’s IT means business. New eBook shows you how to align your IT investments.A new level of interoperability. Make IT Work As One at novell.comLimited-time offer: Save up to $100 on Polycom phones. 64-page prescriptive guide to security, compliance, and IT operations.Drive innovation with Intel and Open Source softwareLinux Contributions and Support from IntelLearn about Foundations of Green IT, from CTO Marty PoniatowskiTDWI checklist helps define data readiness for analytics. Download report.<802.11n Drives an Architectural EvolutionSee IBM CloudBurst's self-service user interface in action
