Lad cuffed after iOS call exploit knocks out Arizona 911 center
Meet's L337 feat brings heat
An Arizona teen is facing three felony tampering charges after the cops said code he wrote to exploit an iOS security hole downed a 911 call center.
According to the Maricopa County Sheriff's Office, 18-year-old Meetkumar ("Meet") Hiteshbhai Desai found a vulnerability in Apple's mobile operating system and crafted a proof-of-concept exploit to prove it. However, that tool wound up flooding an emergency call center with more than 100 hang-up calls within a "matter of minutes" earlier this week, it is alleged.
It all started when Desai and a friend found a way to remotely spawn pop-up alerts, open installed applications, or start a phone call on a victim's iThing, it is claimed.
Hoping to cash in on Apple's bug bounty program, the pair set up a webpage that exploits the flaw as their proof-of-concept, we're told. They then directed Desai's Twitter followers to click on a link to that booby-trapped page and, according to the police, launch the exploit from Desai's own website, meetdesai.com, which has since been taken down. Desai also, apparently, spread the link via his YouTube channel, "The Hackspot."
It's alleged that Desai's webpage caused phones to dial emergency numbers that the callers couldn't hang up. As a result, police say, those who clicked on the links unintentionally ended up flooding 911 centers in and around the Phoenix, Arizona, area with calls. Apparently, Desai meant to upload a script that simply opened a pop-up alert on the handhelds.
Desai describes himself as an iOS developer and a jailbreak theme tweaker.
"Meet stated that although he did add that feature to the bug he had no intention of pushing it out to the public, because he knew it was illegal and people would 'freak out'," the office said.
"Meet stated that he may have accidentally pushed the harmful version of the (911) bug out to the Twitter link instead of the less-annoying bug that only caused pop-ups, dialing to make peoples' devices freeze up and reboot."
The flood of calls from smartphones and tablets was eventually traced to Desai's personal site hosted in San Francisco, California; the cops managed to get the plug pulled on the site. The teen was arrested, taken to jail, and booked on three charges of computer tampering. A search warrant was also carried out at his home.
No word was given on whether he will be able collect the bug bounty from Apple. ®