Apple's iOS 10.3 fixes flaw used in accidental DDoS attack on 911 call system

Posted:
in iPhone
Apple's latest iOS 10.3 release patches a flaw that can be used to repeatedly dial a phone number, accidentally exploited last year to redial 911 call centers, protecting emergency operators from potential cyberattacks.




As noted by The Wall Street Journal, the vulnerability was first discovered by an 18-year-old in Arizona who took advantage of a JavaScript flaw in a bid to collect a bug bounty last year.

Last October, Meetkumar Hiteshbhai Desai, acting on a tip about a potential iOS flaw, wrote and shared code that caused target iPhones to continually dial 911 emergency call centers. After the code went live, the Surprise, Ariz., Police Department received more than 100 hang-up 911 calls within a few minutes, local publication AZ Central reported at the time.

The Maricopa County Sheriff's Office traced the calls and discovered they originated from a link Desai posted to Twitter. Users who clicked the link would find their iPhone automatically dial emergency services. Due to the mass dissemination of the link, call volumes had the potential to shut down 911 services across Maricopa County, the Sheriff's Office said.

Desai, when taken in for questioning, said the code was crafted to trigger pop-ups, open emails and dial phone numbers. The Twitter distribution was meant to be funny. He was also interested in proving the flaw could be exploited to collect a bug bounty from Apple.

In previous versions of iOS, users who clicked on a phone number linked to in apps like Twitter and Messages would automatically trigger a call. With iOS 10.3, Apple has instituted a secondary confirmation to alleviate the potential for erroneous dialing. The new feature also restricts nefarious users from using the exploit to conduct cyberattacks.

Comments

  • Reply 1 of 4
    Shouldn't iPhone 5c phones have this fix as well to protect our emergency systems? For that reason alone, the update should be made available. (Or can iPhone 5c users now download iOS 10.3 over the air and I just missed that fact?)
  • Reply 2 of 4
    linkmanlinkman Posts: 1,035member
    Shouldn't iPhone 5c phones have this fix as well to protect our emergency systems? For that reason alone, the update should be made available. (Or can iPhone 5c users now download iOS 10.3 over the air and I just missed that fact?)
    Apple yanked the OTA update for the 5c. You currently have to connect it to iTunes. 

    Over-the-air iOS 10.3 update for iPhone 5, 5c pulled by Apple for reasons unknown

    https://forums.appleinsider.com/discussion/199379/
  • Reply 3 of 4
    macguimacgui Posts: 2,350member
    I'm unclear as to the use of 'accidental'. Did people who clicked on the Twitter link not know what would happen? Accidental makes sense in that case. But that's as far as it goes.

    The guy who wrote the exploit knew what he was doing:

    Desai, when taken in for questioning, said the code was crafted to trigger pop-ups, open emails and dial phone numbers. The Twitter distribution was meant to be funny. He was also interested in proving the flaw could be exploited to collect a bug bounty from Apple.

    So did someone else change it to dial 911?  Maybe AI had a more thorough explanation back in October and I missed it. I'll have to do some looking.


    I see- he 'mistakenly' posted the wrong script.
    http://thehackernews.com/2016/10/hacking-911-service.html

    edited April 2017
  • Reply 4 of 4
    linkmanlinkman Posts: 1,035member
    Shouldn't iPhone 5c phones have this fix as well to protect our emergency systems? For that reason alone, the update should be made available. (Or can iPhone 5c users now download iOS 10.3 over the air and I just missed that fact?)
    And now the OTA update for the 5c is back. http://forums.appleinsider.com/discussion/199449/
Sign In or Register to comment.