Security Flaw Can Reportedly Force iPhone To Make Automatic Calls
The easiest way for hackers to attack a system is to exploit a feature and use it to find loopholes into the system. There have been many attacks on Android-based devices where attacker would use a feature of Android to hack into the devices.
One such attack was made because of a feature in Android called Preferred Network Offload (PNO) that could be exploited to leak user’s location history. Another method to hack into devices was by using a feature Shared Memory in operating systems, which has been recently revealed by a team of researchers.
The latest feature of operating system that paves way to the hackers is found only in iOS. Apple has tried to make their iOS design as much user friendly as possible. But apparently the expense of user-friendliness is insecurity.
Apple has mentioned in its RFC that there is a feature in iOS called ‘tel’, which implements the functionality that when a user receives a phone number in webpage, iOS displays alerts asking user to confirm the action (to call or not to call). However, when the user receives a phone number in a native app, it doesn’t ask for confirmation instead it directly dials the number and calls right away as the user taps the phone number received.
The technique could be used to force phones to dial premium numbers where the victim would pay for the call charges, or by doing a dirty deal with the operator for making the user dial specific numbers. The attacker can send a disguised URL pointing to the code that would perform calls and user would not even be prompted.
Another attack could be launched using FaceTime. The user would be made to video-call the attacker’s number using FaceTime and the attacker would be able to take screenshots of the user and/or find out location of the victim.
Andrei Neculaesei, a security researcher and developer at AIRTAME, has demonstrated how this technique can be used on renowned apps like Facebook Messenger, Gmail and Google Plus. He argues that major app developers like Facebook and Google should have added confirmatory procedure in their apps but they have failed to do so, making their messaging and email apps vulnerable to such attacks.
However, Neculaesei has not provided a solution for this problem. iPhone users beware!