Apple released iOS 10.3 this week, and in addition to a new file system and a built-in “Find My AirPods” app, the new update also fixes a very important bug that could allow arseholes to robocall emergency services.
Back in October, 18-year old Meetkumar Desai was arrested after software he allegedly wrote — which allowed iPhones to continuously call 911 over and over again — resulted in attacks that overwhelmed emergency call centres across a dozen US states.
This was possible due to a flaw in iOS that would allow users to tap a phone number and immediately dial it. Desai’s software allegedly utilised this flaw — if one clicked on a malicious link from Twitter, they would dial 911 without even realising. When weaponised, this could allow callers to repeatedly dial 911 without knowing, clogging up call centres and putting lives at risk.
Obviously, this was very bad. As a result, there is now a change in iOS 10.3 that requires users to always hit a confirmation before dialling a call can take place.
Apple says it initially worked with app developers to fix the vulnerability, and this update will now prevent it from happening even on apps that hadn’t already fixed the issue.
Mobile carriers and phone makers are having to grapple with various attacks targeting the emergency call system. Earlier this month, “ghost calls” made from T-Mobile phones flooded 911 call centres in Texas. That attack has been linked with two deaths; the cause of those attacks still isn’t known. AT&T customers also faced 911 outages in more than a dozen US states this month.
The iOS update obviously fixes this specific problem, but larger infrastructural problems with the emergency call system (and the lack of security to prevent automated attacks) still exist. The Journal reports that the Department of Homeland Security is working on ways to identify and block calls aimed at taking down the system.