
Protect yourself from SSH-based iPhone worms

The internet has been ablaze with reports of jailbroken iPhones being infested with worms. The exploit takes advantage of unwitting jailbreakers who install OpenSSH on their iPhones via Cydia without taking into account all of the impacts on security. The most notable, and now famous, hole in this theory is that every iPhone ships with the same default password for both the all-powerful "root" user as well as the more-restricted "mobile" user.

Not surprisingly, Apple has officially commented on the situation, noting that "the worm affects only a very specific set of iPhone users who have jail broken[sic] their iPhones and hacked it with unauthorized software." Apple's statement makes its feelings about the jailbreak community and its effects on the iPhone and iPod touch pretty clear.

Luckily, if you need to have OpenSSH installed on your iPhone (who doesn't want a remotely-accessible, full UNIX terminal in their pocket?), there is a pretty simple solution to this problem that will prevent this breed of infestation from ever reaching your iPhone.

  1. Remember, this only affects jailbroken iPhone owners who have installed OpenSSH...
  2. Begin by installing MobileTerminal via Cydia (alternatively, you can log in via SSH from Terminal.app or a Cygwin-equipped Windows PC).
  3. Type "login". You will be asked for a login name, which should be "root", then a password, which should be "alpine".
  4. Type "passwd", then tap return. You will be asked to type the new password. Tap return and type the new password again.

Repeat this same process for the "mobile" user by replacing "root" with "mobile" in step 3. Also, when using passwd to change the password for "mobile", you may be asked for the old password, which would be "alpine". It is not necessary to use a different password for "root" and "mobile", but if you're highly security conscious, it wouldn't hurt. The second half of this post includes a screen image of my exact process working successfully on OS 3.1.2 with an iPhone 3GS.
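
To confirm that both accounts were actually changed, the following added example (not part of the original post) compares a copy of the password file taken before the change with the current one and lists any of the two accounts whose hash is still the same. It assumes the BSD-style "name:hash:uid:gid:..." master.passwd layout; the function names and the sample lines are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reports which of the two stock
# accounts still carry the hash found in a baseline copy of the password
# file, i.e. accounts on which `passwd` has not been run yet.
# Assumption: BSD master.passwd layout, "name:hash:uid:gid:...".

# unchanged_accounts BASELINE CURRENT -> prints one account name per line
unchanged_accounts() {
    awk -F: '
        /^#/ || NF < 2 { next }                      # skip comments and junk
        FILENAME == ARGV[1] { base[$1] = $2; next }  # remember baseline hashes
        ($1 == "root" || $1 == "mobile") && ($1 in base) && base[$1] == $2 {
            print $1                                 # hash never changed
        }
    ' "$1" "$2"
}

# Constructed sample data: the hash fields are placeholders, not real hashes.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/baseline" <<'EOF'
# constructed baseline (copy taken before any password change)
root:PLACEHOLDER_DEFAULT_R:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:PLACEHOLDER_DEFAULT_M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
EOF
    cat > "$dir/current" <<'EOF'
# constructed current file: root was changed, mobile was forgotten
root:PLACEHOLDER_NEW_R:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:PLACEHOLDER_DEFAULT_M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
EOF
    unchanged_accounts "$dir/baseline" "$dir/current"
    rm -rf "$dir"
}

demo   # prints the accounts that still need `passwd` run on them
```

An empty result only shows that passwd was run for both accounts; it says nothing about how strong the new passwords are.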

In addition to changing the user passwords for your iPhone, another good security measure is to use one of the jailbreak apps like BossPrefs or SBSettings to have a toggle that will disable SSH when not in use. Obviously, having SSH disabled (or not installed) is the best defense against worms of this sort. Got any other iPhone security tips? Let us know in the comments!





25 Comments

scottoeh

Here is another good reference.
http://iphoneyap.com/showthread.php?t=621

November 25 2009 at 11:29 PM
CitrusBlog.net

Here is also a very good and simple way (for everyone) to protect your iPhone:

http://www.citrusblog.net/?p=183

November 25 2009 at 5:31 PM
IanC

Or, maybe, just maybe... DON'T JAILBREAK YOUR IPHONE.

And mainstream sites shouldn't be talking about this sort of crap.

November 24 2009 at 11:49 AM
cs

For those that have never jailbroken, it should be stated that right after the jailbreak process it actually tells you REMEMBER to CHANGE THE PASSWORD. And Cydia has a FAQ about how to do it. I recall seeing it first thing after doing it on my last phone (though that phone is gone and I have not done it since with new phones). And these warnings and FAQs were listed way before all this hit the news.

November 24 2009 at 8:52 AM
djhworld

People who say "just don't jailbreak your phone - problem solved!" are probably a bit naive to what jailbreaking actually means. For me it means opening up my device, that I have bought, to a whole host of new applications and tweaks that make my iPhone experience all the more enjoyable.

I also think that people who slate others for not changing the default password are being a bit pretentious and elitist. Some tutorials for changing things like application icons and wallpapers require you to have SSH access into your iPhone so you can transfer files/images and so on. People who might be a bit uninitiated to the realm of SSH and Unix probably don't know that there is a passwd command to change the default password.

The easiest solution for me was to change the password and only use SSH when I need it (using SBSettings to toggle SSH to off for the rest of the time).

November 24 2009 at 8:27 AM
Aaron

Odd. I thought the reason that viruses were not written for the Mac was because of "security through obscurity". I never realized, but there must be more jailbroken iPhones than Mac computers, to make writing a virus worthwhile.

November 23 2009 at 11:35 PM
kentawilson

You can unlock the phone without installing cydia. Just use blackra1n. Install snow and uninstall blackra1n. I did it. The only problem I've run into is not being able to use Youtube.

November 23 2009 at 10:33 PM
tuaw.20.eitan

"The most notable, and now famous, hole in this theory is that every iPhone ships with the same default password"

Huh? Hole in what theory?

November 23 2009 at 10:09 PM
nikster

I have an app called Toggle SSH. Free on Cydia, just turn ssh off.

November 23 2009 at 8:42 PM
2 replies to nikster's comment
mark

However when your SSH is on you are vulnerable. This doesn't solve the root of the problem, no pun intended.

November 23 2009 at 9:22 PM
nikster

Granted, but why would I ever turn SSH on? I keep it off.

November 23 2009 at 10:53 PM
Ryan Hamsher

I have seen a lot of comments with this...

Just don't jailbreak. Simple. Easy.

Well, how useful. Such quality input. How much of your life is now fulfilled by typing that comment?

Let me just say that there is a percentage of iPhone owners that are stuck in a must-unlock situation.

My case, for example, is I have moved from the UK to Australia. I still want to use the iPhone that I legitimately own. Oh, but here is a thought, I simply can't do that for some unknown reason!

November 23 2009 at 8:19 PM