The scheme, developed by an 18-year-old in Arizona, reportedly affected emergency call centers in at least 12 states and operated as simple Javascript code. Apple’s fix relies on a change in the behavior of certain links in iOS 10.3. Now, tapping that same URL will result in a prompt showing the number and asking the user whether to call, whereas before it would have automatically dialed 911.
Apple told the Journal it is working alongside third-party app developers to ensure the exploit never manifests itself again on iOS in any capacity. While the company’s commitment to resolving the vulnerability is reassuring, it doesn’t change the reality that the wide majority of the United States’ 6,500 emergency call centers are still unprepared for another attack of this magnitude. Just 420 of those stations are equipped with the necessary cybersecurity protections — the rest are as susceptible now as they were last year.
The site in question that housed the malicious link was believed to have seen about 117,000 page views. With many of those clicks each producing a call — sometimes more than one, depending on how many times the user allowed their phone to repeatedly dial 911 before shutting down — the link quickly incapacitated emergency centers across multiple states as it was shared and retweeted. A Washington Post report that narrowly predated the attack speculated it could take as few as 200,000 devices, evenly distributed across the country, to “significantly disrupt 911 services around the nation,” based on findings from a team of researchers in Israel.
