New jailbroken iPhone worm is malicious
Last month a Dutch iPhone user demonstrated how careless jailbreaking can cause trouble. Namely, after finding users who enabled SSH with the phone's default password intact, he sent those phones a message that read, "Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files." A similar worm caused phones to rickroll their owners.
They could have done worse. This week, someone has. Again from the Netherlands and again finding jailbroken iPhones with SSH enabled, F-Secure reports that this infection puts up an ING Direct login page that lets the hacker gather login credentials and, we assume, move funds to wherever they please. This version also changes the 'alpine' password to block users from getting to the phone via SSH.
We'll have more on this as the story develops, but the moral is this: If you jailbreak your iPhone, you should know what you're doing -- and you should change your SSH password.
[via Engadget & ZDnet Asia]




Reader Comments (Page 1 of 2)
oliver hart said 12:47PM on 11-23-2009
A nice TUAW tutorial on how to change your SSH password would be nice.
BTW-Love the 3G winterboard icon
Oliverbender said 1:59PM on 11-23-2009
You're kidding, right? Ever heard of GOOGLE "Oliver" You must be a lazy F__K and have mommy still tie your shoe laces for you.
Hold my hand please I am going to jail break my iPhone and want someone else to waste their time because of your laziness.
If you're dumb enough to jail break and take all the precautions then you deserve to have your credentials taken
Brian said 2:31PM on 11-23-2009
Oliverbender-
chill out
Dan Woods said 2:36PM on 11-23-2009
How to Secure your Jailbroken Phone:
Don't Jailbreak it in the first place unless you know what you're doing you Freaking Moron!
Mentok said 2:56PM on 11-23-2009
My answer to you is NO. An emphatic NO.
If you don't know what SSH is, why it is enabled on JB'd phones, and the hows and whys of basic iPhone security, then it's not the job of [maybe] an equally clueless journo to teach you.
You either have to teach yourself, or should beg off of Jailbreaking entirely.
This is a GREAT article because it does two things: 1/ It describes what the problem is and does not sensationalize, unlike today's post in TIRED. and 2/ It explicitly discourages clueless twats *cough* end users from Jailbreaking.
Unless you're a hacker or a dev learning the internals of the iPhone you have no business doing or asking anyone to jailbreak your iPhone.
There's an AppStore. Most of you could care less about internals or Unix. And there's a LOT of bad guys out there. So leave the security of your iPhone, and its fate to Apple Computer Inc.
Recently I had to rebuild my iPhone. I'm a Dev in training. It still took me 2 hours just to get the phone back to the way it was, WITH Apple technology AND my own backup regimen.
-Drunken Economist
http://mindtaker.blogspot.com/
http://twitter.com/drunk_economist
N900 said 12:55PM on 11-23-2009
People are really gonna exploit the hell out of this now. Change your SSH password people, or switch to TD bank. Whatever works best for ya =].
colouroflight said 12:59PM on 11-23-2009
Isn't there a howto for this *prominently displayed when you open Cydia, and in the OpenSSH package listing* ?!
Izzy said 1:11PM on 11-23-2009
Yes it is and there was an article on TUAW linking to a site with instructions on how to change the PW. I never installed SSH after JB.
Mike said 1:04PM on 11-23-2009
I know I am the odd man out.... but Apple and the press largely blame this problem on jailbreakers who enabled ssh without changing the password. But what if this had been a vulnerability in some more basic apps on the iPhone that led to unprivileged access? Doesn't the fact that Apple left a stupid password (alpine, seriously?) make it just as at fault? Why Apple chose to keep a root account enabled, and with a static password, is beyond me.
They should have a random generation occur as part of the firmware installation process.
Izzy said 1:13PM on 11-23-2009
SSH, by default is not installed by jailbreaking. You have to install it.
Dan Woods said 2:42PM on 11-23-2009
On a non-Jailbroken phone:
If there did turn out to be a vulnerability in an Apple-Authorised App, Apple have the ability to disable the offending App remotely until a fix can be rolled out. They can also alert users to any new software updates which fix these problems.
On a Jailbroken Phone:
All the security features which block unauthorised access to sensitive parts of the OS and User Data have been removed/disabled. That's the whole point of Jailbreaking. You're on your own.
Mike said 3:30PM on 11-23-2009
I guess everyone missed my point: Apple uses a stupid default root password and they have some blame in distributing a system that uses easy default passwords and keeps the root account enabled.
renegad3 said 5:10PM on 11-23-2009
I hope you're joking.
Apple didn't put this on ANY iPhone. The end-user did.
This exploit is NOT available on any iPhone EXCEPT one that a user jailbroke, then installed the application and DID NOT change the password installed with that application!
Please understand what it is before you comment.
Mike said 5:34PM on 11-23-2009
No, I'm not. If you think the iPhone is immune from flaws and remote code execution, you don't know its history. Protecting privileged access is just as important on vanilla iPhones as it is on jailbroken iPhones. Keeping a root account enabled and with a stupid placeholder password is a basic system security oversight on Apple's part. If you knew about system security, you'd know an attack vector is only part of the reason for a security failure.
Dan Woods said 6:07PM on 11-23-2009
Re: the default root Password doesn't matter because (like Macs) the root password is disabled.
The unauthorized SSH App re-enables the root account (which is straight away a bad idea) and installs an SSH server.
While the SSH App is an optional install and is only available to Jailbroken phones, it still unjustly reflects poorly on the platform as a whole.
Mike said 9:18PM on 11-23-2009
The fact that the root password is set (by Apple) as 'alpine' would generally assume the account was enabled. There is no need for a password (I don't mean blank) on an account with no working access. Additionally, it is my understanding that the ssh daemon doesn't enable root. You can see this on a jailbroken phone by installing a terminal application before installing ssh and using 'su'.
Jeff said 11:50AM on 11-24-2009
Mike, it looks like you're doing some real acrobatics here to try and make a point that doesn't really make sense.
If the phone isn't jailbroken, and SSH isn't installed, and the default password isn't changed, then there is no "exploit."
Mike said 12:01PM on 11-24-2009
I'm not an acrobat, nor have I changed my points:
user fail: installed ssh and didn't change password
exposing...
Apple fail: leaving root account enabled with simple password.
vandil said 1:13PM on 11-23-2009
Just like the hackintosh users who got screwed by 10.6.2 on their Atom systems, if you're going to play outside of the walls of the garden, you'd better have more than some Lifehacker tutorial and actually know what you're doing.
Too many non-technical people jailbroke their phones so they could tether, use video on non-3GS sets, and play emulators. None of them probably even know what SSH even is, let alone how to secure it.
You reap what you sow.
Learn your tech or just stay in the safety of the walled garden.
mark said 1:17PM on 11-23-2009
I've had a tutorial on using Open SSH on the iPhone and how to change your root and mobile passwords for a couple years now....
http://www.hackthatphone.com/3x/open_ssh.html