Filed under: Security, iPhone, Jailbreak/pwnage
Protect yourself from SSH-based iPhone worms
The internet has been ablaze with reports of jailbroken iPhones being infested with worms. The exploit takes advantage of unwitting jailbreakers who install OpenSSH on their iPhones via Cydia without taking into account all of the impacts on security. The most notable, and now famous, hole in this theory is that every iPhone ships with the same default password for both the all-powerful "root" user as well as the more-restricted "mobile" user.Not surprisingly, Apple has officially commented on the situation noting that "the worm affects only a very specific set of iPhone users who have jail broken[sic] their iPhones and hacked it with unauthorized software." It is pretty clear from Apple's statement their feelings on the jailbreak community and its effects on the iPhone and iPod touch.
Luckily, if you need to have OpenSSH installed on your iPhone (who doesn't want a remotely-accessible, full UNIX terminal in their pocket?), there is a pretty simple solution to this problem that will prevent this breed of infestation from ever reaching your iPhone.
- Remember, this only affects jailbroken iPhone owners who have installed OpenSSH...
- Begin by installing MobileTerminal via Cydia (alternately, you can login via SSH from Terminal.app or a Cygwin-equipped Windows PC).
- Type "login", you will be asked for a login name which should be "root" then a password which should be "alpine".
- Type "passwd" then tap return, you will be asked to type the new password. Tap return and type the new password again.
In addition to changing the user passwords for your iPhone, another good security measure is to use one of the jailbreak apps like BossPrefs or SBSettings to have a toggle that will disable SSH when not in use. Obviously, having SSH disabled (or not installed) is the best defense against worms of this sort. Got any other iPhone security tips? Let us know in the comments!
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
Reader Comments (Page 1 of 2)
elasticthreads said 6:13PM on 11-23-2009
I hope the jailbreak developers (iphone-dev,geohot,etc) change their respective jailbreak applications to require the user to change the password.
Reply
jb510 said 6:44PM on 11-23-2009
Huh? That's crazy.
iPhone-Dev, Geohot, etc... have nothing to do with OpenSSH. OpenSSH is an application, one of several that allow your phone to function as a terminal server. It's 100% the fault of the idiots that needlessly install OpenSSH (since few need it) and fail to change the default password... anyone that NEEDED it would be wise enough to change their password.
This is no different than SSH on your Mac/PC.... or the password on your router... or whatever, the problem isn't the jailbreak developers it's the stupid ass users that don't change their default passwords.
macserv said 8:38AM on 11-24-2009
I think it would be great if the makers of Cydia and other package installer apps would make it possible to set that password at package install time. I'm pretty sure a basic alert is possible already.
I agree that anyone installing SSH should be savvy enough to use the `passwd` command afterwards, but people are forgetful, and there is a worm going around. A reminder/helper during install would go a long way to preventing that.
Mentok said 6:41PM on 11-23-2009
Read my take on it: http://tr.im/FCoa
You can't engineer against stupidity. Even if iphone-dev does do this, say, in Pwnage there would be users that would gripe that they forgot their passwords and 'now can't get into their own phones'.
Also, what of the unlock shops and folks who jailbreak for pay? This won't help lusers.
People need to be explicitly DISCOURAGED from jailbreaking if they're not going to learn the pitfalls.
There's a very good reason Apple's garden is walled. And a lot of it has to do with the end users.
Reply
Howie Isaacks said 6:55PM on 11-23-2009
It's real simple... Don't jailbreak your iPhone. That was easy. Wasn't it?
Reply
Drakhul said 3:45PM on 11-24-2009
You would think....
elasticthreads said 6:56PM on 11-23-2009
I guess jb50's comments are well taken. Then OpenSSH should require it, and if cydia's listing of it should explicitly state this as well.
@Mentok, I disagree. The easier it is for a virus/worm/hacker to gain from putting these things out into the world the more likely they are to work at it. The more folks who get affected by this hurts everyone with a jailbroken device and empowers Apple all the more to wall things off.
I agree that the uninformed shouldn't be installing openSSH, but that's just the problem isn't it:
if the developer don't inform them, WHO will?
Reply
Tom Smale said 7:27PM on 11-23-2009
>> It's real simple... Don't jailbreak your iPhone. That was easy. Wasn't it?
Yes. And if you leave it in the box, it will be safer still.
Reply
hiscross said 8:10PM on 11-23-2009
Everyone who has a jail broken iPhone that runs OpeSSH with the passwd of Alpine raise your hands. What no one is raising their hand? Why I am shocked!
Reply
Ryan Hamsher said 8:19PM on 11-23-2009
I have seen a lot of comments with this...
Just don't jailbreak. Simple. Easy.
Well how usefull. Such quality input. How much of your life is now forfilled by typing that comment.
Let me just say that there is a percentage of iPhone owners that are stuck in a must unlock situation.
My case for example is I have moved from the UK to Australia. I still want to use the iPhone that I legitimately own. Oh but here is a thought, I simply cant do that for some unknown reason!
Reply
Dan Woods said 8:32PM on 11-23-2009
You can unlock your iPhone from your network without Jailbreaking it.
Most networks will unlock your out-of-contract iPhone for free, some will unlock it if you are traveling abroad and ask nicely.
If they want to be stubborn and keep your phone locked to their network, you can use Unlocking software other than Jailbreaking software to unlock it, and maintain the integrity of the iPhoneOS Security infrastructure.
mark said 9:21PM on 11-23-2009
An even better reply would have been you can unlock your phone without installing open ssh.
Ryan Hamsher said 10:01PM on 11-23-2009
Well I never could find any info on how to unlock 3.1.2 without jailbreaking?
Also O2 the UKs iPhone carrier currently does not unlock out of contract iPhones but does have plans to when other networks start supporting the iPhone!
And the other problem is I am already in Australia so unless unlocking is done remotely this is not an option.
keverz said 12:54PM on 11-27-2009
Most providers won't break the contract for less than $200. most of them won't unlock it. 3.1.2 cannot be unlocked without jailbreak. jailbreak is NOT a bad thing. it's just that most people are afraid to do it because they think they are going to break their phones by doing so. jailbreak is necessary for those of us in countries that do not have iPhone providers.
That said, if you need open ssh, which is quite useless unless you want to get your videos shot from cycorder (2G, 3G NOT [s]) then please, change your default password.
nikster said 8:42PM on 11-23-2009
I have an app called Toggle SSH. Free on Cydia, just turn ssh off.
Reply
mark said 9:22PM on 11-23-2009
However when your SSH is on you are vulnerable. This doesn't solve the root of the problem, no pun intended.
nikster said 10:53PM on 11-23-2009
Granted, but why would I ever turn SSH on? I keep it off.
tuaw.20.eitan said 10:10PM on 11-23-2009
"The most notable, and now famous, hole in this theory is that every iPhone ships with the same default password"
Huh? Hole in what theory?
Reply
kentawilson said 10:33PM on 11-23-2009
You can unlock the phone without installing cydia. Just use blackra1n. Install snow and uninstall blackra1n. I did it. The only problem I've run into is not being able to use Youtube.
Reply
Aaron said 11:35PM on 11-23-2009
Odd. I thought the reason that viruses where not written for the Mac where because of "security through obscurity". I never realized, but there must be more jail broken iPhones then Mac computers, to make writing a virus worth while.
Reply