An easy way how United States 911 emergency response system could be hacked. iOS WebView bug can force iPhones to generate calls while user interface freezes. This is a critical security problem that has been found in iOS 10.

This is a critical security problem that has been found in iOS 10. It is not a new problem in design, but somewhat one that has reemerged. The bug can auto-dial numbers and lock the user out so that they can not terminate the call.

Security specialist Collin Mulliner found out a first variation of this issue in 2008, affecting Apple's mobile Safari browser, which the Cupertino technology giant fixed with the release of iOS 3.0. The researcher took another look at his bug over the past two weeks, after the latest arrest of an Arizona teenager who exploited a similar bug and accidentally caused a flood of hang-up calls to 911 emergency call centers around the US.

A group of researchers say they've found a way to effectively disable the 911 emergency system across an entire state for an extended period of time by simply launching what's known as a TDoS attack, or telephony denial-of-service attack, against 911 call centers.

The tactic includes infecting mobile phones to cause them to automatically make bogus 911 calls - without their owners' knowledge - thereby obstructing call-center queues and stopping legitimate callers from connecting with operators.

Because call centers and routers around the USA often operate at near capability under normal conditions, increasing the volume of calls by just a small percent can overwhelm them, said Mordechai Guri, head of R&D at the university's Cyber Security Center and chief scientist at Morphisec Endpoint Security.

The researchers say it would require just 6,000 infected smartphones in a geographic area - something hackers could easily accomplish - to launch an attack sufficient to disrupt the 911 system throughout the entire state of North Carolina, and just 200,000 infected phones dispensed across the U.S. to significantly disrupt 911 services around the nation.

WebView, where the bug appeared, is an application program interface (API) that helps programmers to open websites within their app rather than opening in an external browser.

Twitter, LinkedIn, Facebook, or Pocket, use this component to open hyperlinks inside their iOS apps, without launching an external browser like Safari, Firefox, or Chrome. APIs are useful tools for including features in an application without having to program that feature by hand.

As such, it is sometimes difficult to know what bugs and glitches the API might cause.

The issue is in how the WebView element handles telephone links (TEL URIs such as tel:< phone number >< phone number >) embedded in web pages.

If the user clicks on the link, in WebView, the phone instantly call the number. If the attacker directs the user to a page that uses a meta-refresh tag to reload the page with a new URL, of the number he wants to dial, the phone automatically dials the phone number, even if the user clicked on a seemingly innocent link.

"If you think automatically dialing a phone number after clicking a link in an app is not a big issue think again. DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money. A stalker can make his victim dial his phone number so he gets his victim's number. Altogether things you don't want to happen. Apple should change the default behavior of WebViews to exclude execution of TEL URI's and make it an explicit feature to avoid this kind of issues in the future," Mulliner said at his blog.

What do you think?