Apple's iOS 10.3 fixes flaw used in accidental DDoS attack on 911 call system
Apple's latest iOS 10.3 release patches a flaw that can be used to repeatedly dial a phone number, accidentally exploited last year to redial 911 call centers, protecting emergency operators from potential cyberattacks.
As noted by The Wall Street Journal, the vulnerability was first discovered by an 18-year-old in Arizona who took advantage of a JavaScript flaw in a bid to collect a bug bounty last year.
Last October, Meetkumar Hiteshbhai Desai, acting on a tip about a potential iOS flaw, wrote and shared code that caused target iPhones to continually dial 911 emergency call centers. After the code went live, the Surprise, Ariz., Police Department received more than 100 hang-up 911 calls within a few minutes, local publication AZ Central reported at the time.
The Maricopa County Sheriff's Office traced the calls and discovered they originated from a link Desai posted to Twitter. Users who clicked the link would find their iPhone automatically dial emergency services. Due to the mass dissemination of the link, call volumes had the potential to shut down 911 services across Maricopa County, the Sheriff's Office said.
Desai, when taken in for questioning, said the code was crafted to trigger pop-ups, open emails and dial phone numbers. The Twitter distribution was meant to be funny. He was also interested in proving the flaw could be exploited to collect a bug bounty from Apple.
In previous versions of iOS, users who clicked on a phone number linked to in apps like Twitter and Messages would automatically trigger a call. With iOS 10.3, Apple has instituted a secondary confirmation to alleviate the potential for erroneous dialing. The new feature also restricts nefarious users from using the exploit to conduct cyberattacks.
As noted by The Wall Street Journal, the vulnerability was first discovered by an 18-year-old in Arizona who took advantage of a JavaScript flaw in a bid to collect a bug bounty last year.
Last October, Meetkumar Hiteshbhai Desai, acting on a tip about a potential iOS flaw, wrote and shared code that caused target iPhones to continually dial 911 emergency call centers. After the code went live, the Surprise, Ariz., Police Department received more than 100 hang-up 911 calls within a few minutes, local publication AZ Central reported at the time.
The Maricopa County Sheriff's Office traced the calls and discovered they originated from a link Desai posted to Twitter. Users who clicked the link would find their iPhone automatically dial emergency services. Due to the mass dissemination of the link, call volumes had the potential to shut down 911 services across Maricopa County, the Sheriff's Office said.
Desai, when taken in for questioning, said the code was crafted to trigger pop-ups, open emails and dial phone numbers. The Twitter distribution was meant to be funny. He was also interested in proving the flaw could be exploited to collect a bug bounty from Apple.
In previous versions of iOS, users who clicked on a phone number linked to in apps like Twitter and Messages would automatically trigger a call. With iOS 10.3, Apple has instituted a secondary confirmation to alleviate the potential for erroneous dialing. The new feature also restricts nefarious users from using the exploit to conduct cyberattacks.
Comments
Over-the-air iOS 10.3 update for iPhone 5, 5c pulled by Apple for reasons unknown
https://forums.appleinsider.com/discussion/199379/The guy who wrote the exploit knew what he was doing:
Desai, when taken in for questioning, said the code was crafted to trigger pop-ups, open emails and dial phone numbers. The Twitter distribution was meant to be funny. He was also interested in proving the flaw could be exploited to collect a bug bounty from Apple.
So did someone else change it to dial 911? Maybe AI had a more thorough explanation back in October and I missed it. I'll have to do some looking.
I see- he 'mistakenly' posted the wrong script.
http://thehackernews.com/2016/10/hacking-911-service.html