Slashdot Mirror


Exploit that Caused iPhones To Repeatedly Dial 911 Reveals Grave Cybersecurity Threat, Say Experts (9to5mac.com)

Ben Lovejoy, writing for 9to5Mac: We reported back in October on an iOS exploit that caused iPhones to repeatedly dial 911 without user intervention. It was said then that the volume of calls meant one 911 center was in 'immediate danger' of losing service, while two other centers had been at risk -- but a full investigation has now concluded that the incident was much more serious than it appeared at the time. It was initially thought that a few hundred calls were generated in a short time, but investigators now believe that one tweeted link that activated the exploit was clicked on 117,502 times, each click triggering a 911 call. The WSJ reports that law-enforcement officials and 911 experts fear that a targeted attack using the same technique could prove devastating. Of the 6,500 911 call centers nationwide, just 420 are believed to have implemented a cybersecurity program designed to protect them from this kind of attack.

32 of 71 comments

  1. bug bounty by TimMD909 · · Score: 1

    How does someone "accidentally" release something that will repeatedly call 911 on thousands and thousands of phones? Sounds like the creator is full of bullshit or stupid beyond comprehension.

    1. Re:bug bounty by Anonymous Coward · · Score: 5, Informative

      Ben Lovejoy, the article author, is known for sensationalist journalism. It's a click-bait piece, like everything else he writes.

  2. hasn't apple patched it by now? by known_coward_69 · · Score: 4, Insightful

    and since most iOS users are on the latest version how is this still a problem?

    1. Re:hasn't apple patched it by now? by DontBeAMoran · · Score: 2, Insightful

      Most iOS users are on the latest version that's available for their iPhone model, unless they've heard the latest release will make their current iPhone slower - which happens a lot.

      --
      #DeleteFacebook
    2. Re:hasn't apple patched it by now? by Anonymous Coward · · Score: 2, Informative

      Oh yeah, I'm going to install iOS 10 on my iPhone 4 - NOT!

    3. Re:hasn't apple patched it by now? by johnsie · · Score: 1

      Nice conspiracy theory there. You really think they would intentionally slow phones down just to get sales? How about maybe the software runs slowly because being designed for newer hardware often means that it uses more resources.

    4. Re:hasn't apple patched it by now? by Mashiki · · Score: 3, Informative

      It likely isn't a conspiracy theory. Nvidia seems to do something like this with graphics drivers and old video cards. Where AMD equivalents weren't suffering the same generational loss even with newer drivers. In many cases the AMD cards improve even further in the card's lifetime. Ex: A 670 is approx to a 7950-7980. Today with the newest drivers it struggles to hold against a 7750, where that same 7950 in some cases is at the level of a 680.

      --
      Om, nomnomnom...
    5. Re:hasn't apple patched it by now? by CastrTroy · · Score: 1

      Are there statistics on this? I know a lot of people who aren't on the most recent release either because they are too worried that their phone will slow down or because they can't clear off enough free space on their phone to undergo the upgrade process.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    6. Re:hasn't apple patched it by now? by 93+Escort+Wagon · · Score: 4, Informative

      Most iOS users are on the latest version that's available for their iPhone model, unless they've heard the latest release will make their current iPhone slower - which happens a lot.

      Four-year-old iPhones are still upgradable to the latest version of iOS.

      If you're going to claim that there's a huge number of iPhones which are intentionally not being upgraded, you should probably provide some sort of citation.

      --
      #DeleteChrome
    7. Re:hasn't apple patched it by now? by sims+2 · · Score: 1

      Can confirm was running ipad 2 with 6.1.3 now running ipad 4 with 6.1

      I hate the iOS 7 and above UI and it's significantly faster at most tasks than newer models that are up to date.
      Also in the newer versions the safari JavaScript toggle is in a sub sub menu by itself for no reason.
      I'll eventually upgrade to an ipad pro 9.7 or a windows tablet I haven't decided yet the lack of flash support on the ipad is still a pita but the on screen keyboard integration of windows is crap then again if I go with windows I could have an actual wired keyboard that wouldn't go the "quick brown fox jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjumped over the lazy dooooooooooooooooooooooooooooooooooooog"
      Like the current Bluetooth keyboard cases do that and the startup & resync delay make them totally unusable for me.

      --
      Minimum threshold fixed. Thanks!
    8. Re:hasn't apple patched it by now? by tlhIngan · · Score: 2

      Oh yeah, I'm going to install iOS 10 on my iPhone 4 - NOT!

      Considering the iPhone 4 was released sometime in ... 2010, it might be worthwhile to upgrade. 7 years of improvements (there's more years ahead of it than behind it - as the first iPhone came out in 2007).

      And last I saw, 90% of users were running some form of iOS 10, with 9.5+% using iOS 9. The remaining 0.5% were left as "other" (iOS 8 and below).

    9. Re:hasn't apple patched it by now? by ChunderDownunder · · Score: 1

      I guess that's one of the strengths and weaknesses of Android.
      You no longer get vendor updates after a year or so but the community help out.

      I use a 4 year old handset with a new battery. Thanks to Lineage OS it runs the latest Android as smoothly as it ever did.

    10. Re:hasn't apple patched it by now? by Paradise+Pete · · Score: 1

      Are there statistics on this?

      Yes there are. 95% on at least the penultimate version, with the vast majority of those on the latest version.

    11. Re:hasn't apple patched it by now? by ChunderDownunder · · Score: 1

      That model looks generationally underspecced (512MB) to run a modern OS.
      e.g. when MS promised to upgrade all the 8.x Lumias to Windows 10, they revised that to only ones with a gig of RAM.
      To that extent, maybe upgrading isn't advisable.

    12. Re:hasn't apple patched it by now? by CastrTroy · · Score: 1

      Yeah, kind of what I expected. It still shows 1 in 5 people aren't on the newest version, which is not insignificant. Probably not anywhere near as bad as Android, but still not as good as I would hope.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    13. Re:hasn't apple patched it by now? by antdude · · Score: 1

      I am still using an iPhone 4S. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    14. Re:hasn't apple patched it by now? by ayesnymous · · Score: 1

      What I've experienced is that if I go one major upgrade beyond the iOS that came with the iPhone then that's fine. However, if I try to upgrade to the next major version beyond that, then the iPhone will be too slow.

    15. Re:hasn't apple patched it by now? by Paradise+Pete · · Score: 1

      Probably not anywhere near as bad as Android

      Yes, the Android situation is much different. I presume this is carrier indifference more than user indifference. One good thing about the Apple situation is that Apple does not give the carriers any control. And of course the manufacturer control is also not an issue, obviously.

  3. DDOS 911 by Big+Hairy+Ian · · Score: 1

    One wonders if this was coordinated with a specific crime or if it was just a demonstration and they are selling to the highest bidder?

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    1. Re:DDOS 911 by Paradise+Pete · · Score: 1

      or if it was just a demonstration and they are selling to the highest bidder?

      There's not much to sell. It's a single line of HTML. It was fixed in 2008, but somehow briefly resurfaced in iOS 10. It's fixed now.

  4. 420 departments? by Anonymous Coward · · Score: 1

    all in Washington state and Colorado, I assume

  5. Not an exploit by Anonymous Coward · · Score: 5, Insightful

    This is not an exploit. It is an app that asks for the user to give it permission to make phone calls, which the user grants. Then the app calls 911.

    There is nothing about iOS that is "exploited" to make this happen. The only thing that is exploited is user stupidity, which should come as no surprise given that education is the least important priority in the US.

    1. Re:Not an exploit by ColdWetDog · · Score: 1

      The only thing that is exploited is user stupidity, which should come as no surprise given that education is the least important priority in the US.

      - Stupid is world wide. It is a human experience. It is not part of American Exceptionalism.

      - You can never beat the stupid out of people. Whenever you feel you've made progress, the Universe wops you on the head. Stupid always wins.

      - Stupidity and education are orthogonal concepts. You cannot educate your way out of stupidity.

      - Murphy was an optimist.

      --
      Faster! Faster! Faster would be better!
    2. Re:Not an exploit by Anonymous Coward · · Score: 1

      All hogwash. The fundamental problem is lack of education, which is perpetuated by the entrenchment of white male privilege which serves itself by keeping women and minorities oppressed. White men basically create the undereducated classes that are victims of social exploitation. It's convenient for the white male power class to create a class of victims, blame them for their own victimhood, and then hook them with the promise of delivering them from their victimhood, which that power class created in the first place.

      America and Christianity are two very good examples of this type of oppressive rule through the promise of salvation.

    3. Re:Not an exploit by ChunderDownunder · · Score: 1

      What version of Android are you using?
      Lineage OS (nougat) has a feature called privacy guard that explicitly asks you when an app wants to access resources.

  6. Re:Really serious by johnsie · · Score: 2, Insightful

    What if christians or atheists did? After all they do kill more Americans than the muslims.

  7. Not just 911 at risk by davidwr · · Score: 1

    Imagine a robo-call-DDOS attack on certain lawmakers' phones during a crucial debate, denying those lawmakers input from constituents?

    Imagine an attack on a company, either to force them to spend money they wouldn't have to spend, to embarrass them, or to distract them from doing things that would compete with another company in which you ("you" being a corrupt person, company, or government) has an interest in.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  8. Re:Apple no better at security by MachineShedFred · · Score: 2

    It's true that they inherited a good security design from BSD, but they did some of their own thinking and it was one example of where the engineers and architects actually convinced Steve Jobs he was wrong - having a protected Applications folder, and requiring privilege escalation to install software. He thought they were nuts at the time, but in an interview much later he recounted how Avie Tevanian convinced him that it was necessary, and that Jobs was immensely thankful that he did.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  9. Re:Ever try to dial 911 in a city on the weekend? by dgatwood · · Score: 1

    I had the same problem while trying to call in a wreck on California's SR 17. I gave up trying to call 911 when a volunteer firefighter happened to come upon the scene and after verifying that everybody was okay, called it in on his radio. If you can't rely on critical safety systems to actually work in a real emergency, then what's the point of even having them? From an outsider's perspective, our 911 system appears to be a train wreck and should probably be scrapped outright and replaced with something entirely different.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  10. I have a solution by slashmydots · · Score: 1

    Just block all iPhone-based calls from the 911 system permanently. In fact, block all AT&T customers too. They're not worth the resources.
    (This post is a joke btw, just in case you're an idiot)

  11. DDoS protection by manu0601 · · Score: 1

    just 420 are believed to have implemented a cybersecurity program designed to protect them from this kind of attack

    How can they protect against a DDoS? I assume the protection must let legitimate calls pass through, but how can they be recognized?

  12. Re:Apple no better at security by MachineShedFred · · Score: 1

    Run an install of a PKG without putting in a password, or run something that you just downloaded from the internet without being prompted about it (unless you specifically disabled that check, in which case you deserve to be exploited.)

    Hint: it won't let you.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.