Worm rickrolls unsecured jailbroken iPhones via SSH
For the last few days, some jailbroken iPhone users have found their home screen background a little different than they remembered. A hacker going by the name "ikee" created a worm that changes the home screen background on jailbroken iPhones whose owners failed to change the default password after installing SSH. Simply jailbreaking your iPhone will not make you vulnerable to this sort of hack, and the iPhone OS in general is also immune to it. Still confused? Let's back up a bit.

On jailbroken iPhones, SSH is installable as a package from Cydia that allows you to connect to your phone and make changes to the filesystem. You do this by logging in as the root user with the password "alpine." After installing SSH, it is always recommended that you change "alpine" to a password of your choosing. This hack can only affect people who chose not to change that password -- no one else.
This hack originated in Australia, the home country of ikee, and has possibly spread to other iPhones in other countries, but we've been unable to verify that. A gentleman by the name of JD held an interview with the hacker over IRC and posted it to his blog. In ikee's own words, here's how the worm has spread:
Basically, once your phone is infected, the worm starts looking for other iPhones on the cellular network that use the root:alpine combination. Once it finds another vulnerable iPhone, it installs itself and begins the process again... and again... and again....

The code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra's IP Ranges (I think the reason Optus got hit so hard is because the other 2 are NAT'd) then a random 20 IP ranges. I'm guessing a few phones hit a range that another vulnerable phone was on.
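Ikee's description above is a textbook worm-propagation pattern: one phone opening SSH connections to dozens of distinct addresses in its own range within seconds, while a phone that is merely using SSH talks to one or two hosts. As an added example (not part of this post or of JD's interview), here is a small Python detector for that pattern, run over constructed connection records. The record format "timestamp src dst dport", the 60-second window and the 20-target threshold are assumptions chosen for illustration, not anything a carrier is known to log.

```python
"""Flag hosts that open SSH connections to many distinct addresses in a short window.

Added example, not part of the original post or of JD's interview with ikee.
Assumed record format (constructed, not a real carrier log): "ISO-timestamp src dst dport".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SSH_PORT = 22


def parse_flows(lines):
    """Parse records into sorted (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        try:
            flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
        except ValueError:
            continue
    return sorted(flows)


def find_ssh_scanners(flows, window=timedelta(seconds=60), min_targets=20):
    """Return {src: peak} for sources that reached >= min_targets distinct hosts
    on port 22 inside any sliding window of the given length.

    A phone that legitimately uses SSH talks to one or two hosts; a worm
    walking its 3G range touches dozens in seconds, which is the signal here.
    """
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs inside the window
    peak = defaultdict(int)       # src -> most distinct targets seen in one window
    for ts, src, dst, dport in flows:
        if dport != SSH_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop records older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > peak[src]:
            peak[src] = distinct
    return {src: n for src, n in peak.items() if n >= min_targets}


def constructed_sample():
    """Constructed records (not real data): one phone sweeping its /24 for port 22,
    and one phone with ordinary SSH and web traffic."""
    base = datetime(2009, 11, 8, 3, 0, 0)
    lines = []
    for i in range(30):   # scanner: 30 distinct hosts on port 22 within 30 seconds
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.7.12.5 10.7.12.{100 + i} 22")
    for i in range(3):    # normal user: three SSH sessions, one per hour
        t = base + timedelta(hours=i)
        lines.append(f"{t.isoformat()} 10.7.12.9 10.7.12.{50 + i} 22")
    for i in range(30):   # normal user: web traffic, irrelevant to the port-22 check
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.7.12.9 203.0.113.{i} 80")
    return lines


if __name__ == "__main__":
    for src, n in find_ssh_scanners(parse_flows(constructed_sample())).items():
        print(f"{src}: {n} distinct SSH targets inside one 60s window")
```

The sliding window is per source, so a phone's normal SSH use never accumulates into a hit, and the threshold is on distinct destinations rather than connection count, which is what separates a range walk from a user reconnecting to one box.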
Luckily for the jailbreakers in the audience who may have been affected, there's really no harm done -- at least not with this version of the worm. According to the hacker, this was more of an experiment than anything else. The worm changes your background and then disables inbound SSH, which is a good thing. If SSH were left turned on, a similar worm could follow along but conceivably do much more damage. For instructions on how to delete this worm, read JD's interview with ikee. I would recommend reading the interview just for the information it presents; I found it pretty interesting. If you've got a jailbroken iPhone or iPod touch and you've never changed the default device password, now's the time. Here's how, if you are using Terminal:
Type: ssh root@(iPhone IP address)
When prompted for the password, type: alpine
Now you're connected to the phone...
Type: passwd
It should then prompt you for a new password -- type one that you'll remember. There's no easy way to reset it if you forget it.
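Changing the password closes the hole this worm used, but the post also notes that a similar worm with SSH left on could do far more damage, and sshd on the phone accepts a password for root on every interface, cellular included. As an added example (not code from this post or from the OpenSSH project), here is a Python checker for an sshd_config file that reports the three settings that matter here, applying OpenSSH's rule that the first occurrence of a keyword is the one used. The two configs it runs against are constructed, the defaults are those of the 2009-era OpenSSH releases, and it assumes the file has no Match blocks.

```python
"""Audit an OpenSSH sshd_config for the settings that let a default-password worm in.

Added example, not code from the original post or from the OpenSSH project.
Assumption: no Match blocks are used; parsing stops at the first one.
"""

# OpenSSH defaults as of 2009 (PermitRootLogin's default changed in later releases).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample: a stock-style config with everything at its default.
WEAK_CONFIG = """\
# constructed example of a stock sshd_config; commented lines show defaults
#ListenAddress 0.0.0.0
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
"""

# Constructed sample: the same file after hardening. Loopback-only listening
# still allows "ssh root@localhost" from a terminal on the phone itself;
# drop the ListenAddress line if you need to reach the phone over WiFi.
HARDENED_CONFIG = """\
ListenAddress 127.0.0.1
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
"""


def effective_settings(text):
    """Return ({keyword: value}, [ListenAddress values]) from sshd_config text.

    Keywords are case-insensitive, '#' starts a comment, and the FIRST
    occurrence of a keyword is the one sshd uses, so later duplicates are
    ignored. ListenAddress may legitimately appear several times.
    """
    settings = {}
    listen = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # assumption: settings inside Match blocks are out of scope
        if key == "listenaddress":
            listen.append(value)
        elif key not in settings:
            settings[key] = value
    return settings, listen


def _is_wildcard(addr):
    """True for ListenAddress values that mean 'every interface' (0.0.0.0, ::, [::]:port)."""
    return addr.lstrip("[").startswith(("0.0.0.0", "::"))


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the three checks pass."""
    settings, listen = effective_settings(text)
    findings = []

    def get(key):
        return settings.get(key, DEFAULTS.get(key, "")).lower()

    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root may log in directly; "
                        "use 'without-password' to require a key for root, or 'no'")
    if get("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: a default or guessed password is enough; "
                        "install a key and set it to 'no'")
    if not listen or any(_is_wildcard(a) for a in listen):
        findings.append("ListenAddress unrestricted: sshd accepts connections on every "
                        "interface, the cellular one included")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['ok']}")
```

The first-occurrence rule is the detail people get wrong when hardening by appending lines to the end of the file: a `PasswordAuthentication no` added below an existing `PasswordAuthentication yes` changes nothing, and the checker reports it accordingly.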
That's it. Please remember to secure your devices responsibly. Hackers like ikee are troublesome, but this could have been much worse. While I don't personally condone his actions, he's prevented a lot of people from being vulnerable to more malicious attacks later down the road.
Thanks, James!
Reader Comments (Page 1 of 2)
snugs said 11:12PM on 11-07-2009
You can also just use SBSettings to turn ssh off
Justin said 11:57PM on 11-07-2009
That's what I was going to say. I turn it off unless I'm specifically using SSH for something.
J said 4:08PM on 11-08-2009
You can, but every time you re-boot your phone it turns back on.
It's just a good idea to change your password in general. You don't leave your router password to the default password, do you?
ywamer said 12:14AM on 11-08-2009
How do I find my iPhone's IP address? Somewhere in the settings menu?
LikeYeahWhatever said 8:55AM on 11-08-2009
If you have MobileTerminal installed (and who doesn't?) you can just login via "ssh root@localhost". That's what I just did. Beats getting out of bed :-)
zodttd said 12:23AM on 11-08-2009
Zod Tip: Changing the password for SSH is always a good idea, even if you don't normally have SSH enabled.
ywamer: You can find the IP address of your device in Settings.app by choosing WiFi, then the arrow indicator for the connected wifi network. In there it lists your IP.
Monica Dickey said 12:43AM on 11-08-2009
That's the most awesome hack I've ever seen hahaha.
I feel guilty that Rick Rolls never get old to me.
JAQ said 11:03PM on 11-17-2009
To do a "proper" rickroll on an iPhone would involve transferring an MP3 of That Song into its music library, so that it'll come up at random during shuffle play.
David Van (Cool Prizes Inc.) said 1:00AM on 11-08-2009
You can do it via terminal in your iPhone/iPod Touch!
russdogg said 1:51AM on 11-08-2009
I usually keep it off to save battery, but was still using the default. Thanks for the advice!!
Ryan said 9:54AM on 11-08-2009
Disabling it won't save battery life; sshd launches via xinetd, i.e. the daemon is not running until someone (hopefully you) makes a connection to port 22.
thomas said 4:06AM on 11-08-2009
After reading the interview I'm convinced JD is ikee. Writing style and all. Publicity stunt.
ikee said 6:55AM on 11-08-2009
@thomas
I can assure you I AM NOT JD, lol.
If you would like, I can link you to our facebook pages that have been around for quite a while and you can see we look nothing alike :) (I'm much more sexy of course)
Simon said 4:20AM on 11-08-2009
I don't believe this guy is troublesome; all he does is change your homescreen if you are leaving your iPhone open to threat ... more of a service, I think.
DistortedLoop said 12:24PM on 11-08-2009
I know you're just being humorous, but it's never okay to access someone's computer and change things without their permission, even if the change is for the better - and RICK ROLLING is NEVER for the better.
Yung-Jyn said 6:25AM on 11-08-2009
I don't see how this could happen unless the user is on the same wifi network as the hacker.
No way it could happen on cellular networks.
ikee said 6:51AM on 11-08-2009
Actually, it can happen pretty easily on cellular networks. A few providers provide direct access to the internet; the iPhone not having a firewall and the service bound to all addresses means that any service you are running is available from the internet.
Secrecy said 7:01AM on 11-08-2009
What you say is true. But don't some providers lock down some ports on their networks? Also, could you find an IP address and the iPhone that uses it without the user revealing it to you through SBSettings?
SSH should really be turned off at all times except for file transfers. It really sucks up loads of battery life.
ikee said 7:14AM on 11-08-2009
I found most of the Australian network providers use shared IPs, protecting the phones AFAIK from inbound attacks from the internet.
packetwerks said 10:30AM on 11-11-2009
>No way it could happen on cellular networks.
Not true:
http://www.stratumsec.net/blog/2009/11/09/iphone-security-and-stratum-securitys-shmoocon-talk/