2008 iPhone Bug makes a comeback, forces iPhones to repeatedly call 911

A teenager from the United States was arrested for circulating a Google-shortened URL on Twitter that caused iPhones to repeatedly dial the police control room on 911. The teenager, Meet Desai, used a bug in iOS that made iPhones repeatedly call 911.

The bug in action

The bug works after users click a link that forces an iPhone to dial a pre-determined number (like 911) and then refreshes the page or opens multiple apps in order to freeze the device’s user interface. This makes it almost impossible to cancel the call. Security researcher Collin Mulliner discovered this intriguing bug and reported it to Apple.

The bug uses a <A HREF="tel:+911">Call now</A> link parsed in Safari or other browsers to make the iPhone place repeated calls to 911. The tricks discovered by Mulliner included placing a telephone URL in an IFRAME, using a phone number as the target of a web page refresh or redirect, and altering the URL of an already-loaded page using JavaScript. The URL circulated by Meet caused havoc in some parts of the US when unsuspecting users clicked the link, causing a flood of calls to the 911 police control room. The 911 call center received a hundred calls “in a matter of minutes,” according to a statement by the Maricopa County Sheriff’s Office.
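A defensive check for the three automatic triggers listed above, as an added example that is not from the original article or from Mulliner's research: a link-scanning service could separate tel: links that need a user tap from ones a page fires on its own. The names `TelTriggerScanner`, `scan` and `is_suspicious` are hypothetical, the sample page is constructed, and the script check is a heuristic that flags any quoted tel: literal.

```python
import re
from html.parser import HTMLParser

TEL = re.compile(r"^\s*tel:", re.I)
# Meta refresh content has the form "0; url=tel:..."
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?\s*(tel:[^'\"\s;]*)", re.I)
# Heuristic: a quoted tel: literal in script text is treated as scripted navigation.
SCRIPT_TEL = re.compile(r"['\"`]\s*(tel:[^'\"`\s]*)", re.I)

class TelTriggerScanner(HTMLParser):
    """Collects (kind, uri): 'click' needs a user tap, 'auto' fires without one."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag in ("a", "area") and TEL.match(a.get("href", "")):
            self.findings.append(("click", a["href"].strip()))
        elif tag in ("iframe", "frame") and TEL.match(a.get("src", "")):
            self.findings.append(("auto", a["src"].strip()))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.search(a.get("content", ""))
            if m:
                self.findings.append(("auto", m.group(1)))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.findings += [("auto", m.group(1)) for m in SCRIPT_TEL.finditer(data)]

def scan(html):
    parser = TelTriggerScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

def is_suspicious(html):
    # True when the page can start a call without the user tapping a link.
    return any(kind == "auto" for kind, _ in scan(html))

# Constructed sample page; the 555-01xx numbers are reserved for fiction.
SAMPLE = """<head><meta http-equiv="refresh" content="0; url=tel:+15555550101"></head>
<body><a href="tel:+15555550100">Call now</a>
<iframe src="tel:+15555550102"></iframe>
<script>window.location.href = "tel:+15555550103";</script></body>"""
```

An ordinary "Call now" anchor is reported as `click` and does not make the page suspicious on its own; only the `auto` findings do.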

Apple fixed the bug after Mulliner reported it in 2008, but surprisingly it has resurfaced in iOS 10. Mulliner discovered the bug when Apple had released iOS 3, and the subsequent iOS releases up to iOS 9 were not affected by it. Now Meet Patel has discovered that the bug can be exploited in iOS 10 and made the shortened link mentioned above, which makes iPhones repeatedly call 911.

According to Mulliner’s blog, Hiteshbhai relied heavily on JavaScript to make iPhones redial specific numbers. However, exactly how the teen did it will not be revealed for security reasons.

The issue lies within a browser component called WebView. WebView components mishandle telephone links (TEL URIs) embedded in web pages, making the smartphone automatically dial a number if the link is clicked in a WebView. Attackers can set any number of their choosing and make people’s phones dial it.

Apple’s fix for Safari makes the browser ask via a pop-up whether the user wants to make the call. However, Twitter and LinkedIn have yet to address the issue, at least publicly.
