This was possible due to a flaw in iOS that would allow users to tap a phone number and immediately dial it. Desai’s software allegedly utilized this flaw—if one clicked on a malicious link from Twitter, they would dial 911 without even realizing. When weaponized, this could allow callers to repeatedly dial 911 without knowing, clogging up call centers and putting lives at risk.
Obviously, this was very bad. As a result, iOS 10.3 now includes a change that requires users to always hit a confirmation before a call is dialed.
The Wall Street Journal, which also did an in-depth report on how the 911 attack took place, explains Apple’s approach to solving the problem:
Apple says it initially worked with app developers to fix the vulnerability, and this update will now prevent it from happening even on apps that hadn’t already fixed the issue.
Mobile carriers and phone makers are having to grapple with various attacks targeting the 911 system. Earlier this month, “ghost calls” made from T-Mobile phones flooded 911 call centers in Texas. That attack has been linked with two deaths; the cause of those attacks still isn’t known. AT&T customers also faced 911 outages in more than a dozen states this month.
The iOS update obviously fixes this specific problem, but larger infrastructural problems with the 911 system (and the lack of security to prevent automated attacks) still exist. The Journal reports that the Department of Homeland Security is working on ways to identify and block calls aimed at taking down the 911 system.
[Wall Street Journal via Cult of Mac]