Yesterday SPI Labs, a division of SPI Dynamics, which sells a tool for web application security assessment among others, published a piece outlining security concerns for the iPhone's ability to dial numbers directly from Web pages using the tel: property (used by a number of sites, including some iPhone-optimized Web apps like goMovies). SPI says this leaves the iPhone open to various "attacks" including:
- Redirecting phone calls placed by the user to different phone numbers of the attacker's choosing
- Tracking phone calls placed by the user
- Manipulating the phone to place a call without the user accepting the confirmation dialog
- Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
- Preventing the phone from dialingÃÂ
With regard to the first purported attack, calling a number other than the one ostensibly linked: we've yet to see a trigger for the iPhone's link-based dialing mechanism that can bypass the built-in confirmation screen, which prompts the user to indicate that they actually want to call the number in question. However, in a follow-up posting, SPI's "Billy" says that the number displayed in this confirmation box can apparently be spoofed.
"One of the many flaws allows making the phone dial numbers that other than the number appearing in the confirmation box."
Also note that you can also tap and hold a link with the tel: property to reveal the linked number, though SPI may have found a way to spoof that as well.
With regard to the third point, triggering a phone call automatically when a web page is opened: we haven't found a way to make this work (in a malicious way) either. Security researcher Tom Ferris of Security Protocols, who has also been credited with discovering a bevy of serious security flaws affecting Mac OS X and other platforms created a page that will automatically trigger the iPhone's dial mechanism: http://security-protocols.com/poc/iphone-dial.html. However, the page still does spawn the confirmation box asking the user if they want to call the number.
Tom told us:
"I think a couple of the flaws are creative, but not really a major security risk. ÃÂ You still have to get a user to browse aÃÂ maliciousÃÂ page in order to get this to work."
Until we hear more about exactly how SPI is executing on these alleged security risks, the best policy is to not use the dialing mechanism on untrustworthy sites. It's not clear that any genuine security risk exists, however.