iPhone 911 Bug: Security Flaw In iOS WebView Allows Hackers To Dial Numbers While Locking User Out

The iPhone 911 Bug is a serious security issue that has been discovered in iOS 10. It is not a new flaw in design, but rather one that has reemerged. The bug can auto-dial numbers and lock the user out so that they cannot cancel the call. In 2008, a similar flaw in iOS Safari was triggered which tied up 911 call centers across the United States.

Apple patched the bug in Safari, but it has shown up again, this time in WebView. WebView is an application program interface (API) that allows developers to open web pages within their app rather than opening in an external browser. TechRadar cites the Twitter and LinkedIn apps as using the function, but several other apps use WebView as well. APIs are useful tools for including features in an application without having to program that feature by hand. Unfortunately, as such, it is sometimes difficult to know what bugs and glitches the API might cause.

Additionally, it can be difficult to tell when WebView has been invoked. It is challenging because Apple has tried to make the user interface as seamless as possible in iOS 10. By quietly opening web pages in Chrome or Safari, Apple has created the illusion that web pages are opening within the app, rather than in an external browser.

null

This new change looks very similar to WebView and can make it hard to tell if the web page is open in a browser or WebView. However, by double tapping the home button, users can see what programs are open, and the one on the far right will always be the currently running app. If that application is the one that they were using, then the page is in WebView. There is also a small indication in the upper left corner that offers to go back to the app that was in use before the browser opened.

The seriousness of the iPhone 911 Bug cannot be overlooked. TechRadar notes that it is possible for a malicious party to use the vulnerability to tie up phone lines in a distributed denial-of-service (DDoS) attack. A DDoS attack against the 911 emergency system is an obvious problem, but any call center could be targeted and virtually shut down by a huge volume of calls. They could also use the exploit to have phones dial 900 numbers to bilk money from unsuspecting users.

Collin Mulliner, a tech who discovered the bug, claims on his blog that he thinks he knows how it works. It happens because of the way that WebView handles embedded telephone numbers. When Safari or Chrome encounter embedded numbers, a dialog box pops up and asks users if they would like to dial the number. When WebView encounters embedded phone numbers, it automatically dials them without asking.

In and of itself, this is not a problem. The problem occurs when the web page that has the embedded number is programmed to refresh over and over again. As WebView reloads rapidly, it essentially ties up the interface, and the user cannot use the touchscreen. Since the touchscreen becomes unresponsive, the call cannot be canceled.

Under normal circumstances, the iPhone 911 Bug will not affect the iPhone in this way as web pages are not usually programmed to refresh continually. A programmer has to intentionally design the page in this way for the exploit to work.

Mulliner has informed Apple, Twitter, and LinkedIn of the flaw, but notes that the bug is not limited to these two applications.

“One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible. The Twitter and LinkedIn iOS apps are vulnerable (other apps might be vulnerable too).”

The solutions to fix the iPhone 911 Bug are straightforward, if not simple. From Apple’s standpoint, the fix is the same as it was for Safari back in 2008; add a confirmation dialog when WebView wants to dial a number. For Twitter and LinkedIn or any other app, the WebView API should be removed or disabled until Apple can patch the vulnerability. As a user, there are a few ways to reduce the risk of falling victim to the security hole.

First, be careful of opening web links within applications. Be sure that the application does not use WebView. Users can check this by opening a known safe link and then looking at the running application to see what app opened the link. Since the bug seems only to exploit the touchscreen interface, a couple of hardware tricks may subvert the bug’s attempt to dial.

null

First, users who do encounter the bug can try double clicking the home button. Doing this may interrupt the WebView reloading process and allow the user to slide the offending app off the screen to shut it down. Users may also try turning off the iPhone before the number has completed dialing. Neither of these methods have been tested. Therefore it is unknown how effective they are at thwarting the iPhone 911 Bug and should only be used as a last resort. It is safer just to be vigilant and cautious.

As TechRadar warns, “Don’t click on strange links is the new don’t talk to strangers.”

[Featured Image by Lintao Zhang/Getty Images]