At the time, one 911 centre nearly crashed under the weight of compromised iPhones ringing it, and two others were close to meltdown. The Tame Apple Press played down the crisis because it did not matter if people died, it was more important that people bought iPhones. It was swift to blame Meetkumar Desai, the student who created the code as a proof of concept to claim a bug bounty from Apple. He claimed to have accidentally posted the version that called 911 when he meant to post a version that would generate a pop-up and freeze phones.
Desai has been charged with four felony counts of computer tampering, and hasn’t yet entered a plea. Other coverage focused on the 911 centres rather than the Apple coding.
A full investigation has now concluded that the incident was much more serious than it appeared at the time.
According to the Wall Street Journal, it was initially thought that a few hundred calls were generated in a short time, but investigators now believe that one tweeted link that activated the exploit was clicked on 117,502 times, each click triggering a 911 call.
Apple told the WSJ that a fix is on the way: a forthcoming system update to the iPhone will plug the loophole that made the attack possible.
The update will cause a “cancel” or “call” pop-up to appear on the iPhone screen, and users will be required to press “call” before the iPhone will dial.
It still insists that the premise of having your phone dial and reach a 911 operator quickly was critical to public safety.
“The dialling feature in this instance was intentionally misused by some people with no regard for public safety. To prevent further abuse, we’re putting safeguards in place and have also worked with third-party app developers to prevent this behaviour in their apps.”
But coppers and 911 experts fear that a targeted attack using the same technique could prove devas
Trey Forgety, director of government affairs at the National Emergency Number Association, a 911 trade group, said that if this was a nation-state actor that wanted to damage or disable 911 systems during an attack, they could have succeeded spectacularly.
Basically, if the North Koreans wanted to jam up US emergency services with bogus calls, all they would have to do is target all the iPhones in an intentional attack. For example, there are 23,000 calls per day in Chicago alone, which is rather a lot of emergencies which are not going to get answered. Even if a small percentage of them could lead to fatalities, the body count over a 24-hour period and nationwide would be rather large.
What is strange is that Apple has been sitting on fixing this flaw since October, so clearly there is nothing to worry about.