iPhone 911 Bug: Security Flaw In iOS WebView Allows Hackers To Dial Numbers While Locking User Out

Cal Jeffrey

The iPhone 911 Bug is a serious security issue that has been discovered in iOS 10. It is not a new flaw in design, but rather one that has reemerged. The bug can auto-dial numbers and lock the user out so that they cannot cancel the call. In 2008, a similar flaw in iOS Safari was triggered which tied up 911 call centers across the United States.

Apple patched the bug in Safari, but it has shown up again, this time in WebView. WebView is an application programming interface (API) that allows developers to open web pages within their app rather than in an external browser. TechRadar cites the Twitter and LinkedIn apps as using the function, but several other apps use WebView as well. APIs are useful tools for including features in an application without having to program those features by hand. Unfortunately, because the developer did not write that code, it is sometimes difficult to know what bugs and glitches the API might cause.

Additionally, it can be difficult to tell when WebView has been invoked. It is challenging because Apple has tried to make the user interface as seamless as possible in iOS 10. By quietly opening web pages in Chrome or Safari, Apple has created the illusion that web pages are opening within the app, rather than in an external browser.

The seriousness of the iPhone 911 Bug cannot be overlooked. TechRadar notes that it is possible for a malicious party to use the vulnerability to tie up phone lines in a distributed denial-of-service (DDoS) attack. A DDoS attack against the 911 emergency system is an obvious problem, but any call center could be targeted and virtually shut down by a huge volume of calls. An attacker could also use the exploit to have phones dial 900 numbers to bilk money from unsuspecting users.

Collin Mulliner, a tech who discovered the bug, says on his blog that he thinks he knows how it works. It happens because of the way that WebView handles embedded telephone numbers. When Safari or Chrome encounters an embedded number, a dialog box pops up and asks the user whether they would like to dial it. When WebView encounters an embedded phone number, it automatically dials it without asking.

In and of itself, this is not a problem. The problem occurs when the web page that has the embedded number is programmed to refresh over and over again. As WebView reloads rapidly, it essentially ties up the interface, and the user cannot use the touchscreen. Since the touchscreen becomes unresponsive, the call cannot be canceled.

Mulliner has informed Apple, Twitter, and LinkedIn of the flaw, but notes that the bug is not limited to the Twitter and LinkedIn applications.

"One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible. The Twitter and LinkedIn iOS apps are vulnerable (other apps might be vulnerable too)."
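For app developers, one way to close this gap is to stop the embedded web view from acting on phone links itself and to ask the user first, as Safari and Chrome do. The following is an added example, not code from Mulliner, Apple, or any of the apps named here; it assumes the app shows links in a `WKWebView`, and `LinkViewController` and `sensitiveSchemes` are hypothetical names.

```swift
import UIKit
import WebKit

// Added example (assumption: the app renders links in a WKWebView).
// LinkViewController is a hypothetical name for the app's in-app browser screen.
final class LinkViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()
    // Schemes that hand control to the dialer, FaceTime or Messages.
    private let sensitiveSchemes: Set<String> = ["tel", "facetime", "facetime-audio", "sms"]
    // Guards against a reloading page stacking prompts on top of each other.
    private var promptVisible = false

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        webView.navigationDelegate = self
        view.addSubview(webView)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased(),
              sensitiveSchemes.contains(scheme) else {
            decisionHandler(.allow)   // ordinary web navigation
            return
        }
        // The web view never handles these schemes on its own.
        decisionHandler(.cancel)

        // Ignore requests that did not come from a user tap (redirects,
        // refreshes, script-driven navigation) or that arrive mid-prompt.
        guard navigationAction.navigationType == .linkActivated, !promptVisible else { return }

        promptVisible = true
        let alert = UIAlertController(title: "Open this link?",
                                      message: url.absoluteString,
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel) { [weak self] _ in
            self?.promptVisible = false
        })
        alert.addAction(UIAlertAction(title: "Open", style: .default) { [weak self] _ in
            self?.promptVisible = false
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```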

First, be careful of opening web links within applications. Be sure that the application does not use WebView. Users can check this by opening a known safe link and then looking at the running application to see what app opened the link. Since the bug seems only to exploit the touchscreen interface, a couple of hardware tricks may subvert the bug's attempt to dial.

As TechRadar warns, "Don't click on strange links is the new don't talk to strangers."
