2008 iPhone Bug makes a comeback, forces iPhones to repeatedly call 911
A teenager from the United States was arrested for circulating a Google shortened URL on Twitter which caused iPhones to repeatedly dial the police control room on 911. The teenager, Meet Desai, used a bug in iOS that made iPhones repeatedly call 911.
The bug in action
The bug is triggered when a user clicks a link that forces the iPhone to dial a predetermined number (like 911) and then refreshes the page or opens multiple apps in order to freeze the device’s user interface. This makes it almost impossible to cancel the call. Security researcher Collin Mulliner discovered this intriguing bug and reported it to Apple.
Apple fixed the bug after Mulliner reported it in 2008, but surprisingly it has resurfaced in iOS 10. Mulliner discovered the bug when Apple had released iOS 3, and the subsequent iOS releases up to iOS 9 were not affected by it. But now Meet Patel has discovered that the bug can be exploited in iOS 10 and made the shortened link mentioned above, which makes iPhones repeatedly call 911.
The issue lies within a browser component called WebView. The WebView components mishandle telephone links (TEL URIs) embedded in web pages, so the smartphone automatically dials the number when such a link is clicked in WebView. Attackers can set any number of their choosing and make people’s phones dial it.
Apple’s fix for Safari makes the browser ask via a pop-up whether the user wants to make the call. However, Twitter and LinkedIn have yet to address the issue, at least publicly.
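One way an app that embeds a web view can apply the same confirm-before-dialing behaviour described for Safari, as an added example that is not code from the original article or from Apple, Twitter or LinkedIn. It assumes the app uses WKWebView; the class name TelGuardDelegate and the 10-second cool-down are hypothetical.

```swift
import UIKit
import WebKit

// Added example: navigation policy for an in-app WKWebView.
// TelGuardDelegate and minInterval are hypothetical names/values.
final class TelGuardDelegate: NSObject, WKNavigationDelegate {
    private weak var presenter: UIViewController?
    private var lastPrompt = Date.distantPast
    private let minInterval: TimeInterval = 10  // assumed cool-down between prompts

    init(presenter: UIViewController) {
        self.presenter = presenter
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased(),
              scheme == "tel" else {
            decisionHandler(.allow)   // not a telephone link
            return
        }
        // The web view itself never acts on a telephone link.
        decisionHandler(.cancel)

        // Drop dial requests that did not come from a tap on a link
        // (script redirects, page refreshes) and throttle repeated prompts.
        guard navigationAction.navigationType == .linkActivated,
              Date().timeIntervalSince(lastPrompt) >= minInterval,
              let presenter = presenter,
              presenter.presentedViewController == nil else {
            return
        }
        lastPrompt = Date()

        // Show the exact number and dial only after explicit confirmation.
        let number = url.absoluteString.dropFirst(scheme.count + 1)
        let alert = UIAlertController(title: "Call \(number)?", message: nil,
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        presenter.present(alert, animated: true)
    }
}
```

Assign an instance to the web view's `navigationDelegate` and keep a strong reference to it, since that property is weak.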