The web went aflame today with headlines like “First iPhone worm discovered”, and many other variants. Most of those headlines, however, left out a very important little fact which diminishes the impact of the news considerably: it only affects jailbroken iPhones with SSH installed, and with default root passwords.
That’s quite a set of conditions you got there. Not only do you need to jailbreak your iPhone, but you also need to install SSH, and to top it all off, leave the root password as-is. I don’t know about you, but if you’re that lax about security, then it’s hard to feel sorry for you.
The worm in question was spotted in Australia, and was mostly benevolent, as it served more as a warning to insecure jailbroken iPhones than anything else. It changed the wallpaper on your iPhone to a picture of Rick Astley, with the text “rikee is never going to give you up”.
Once infected, your iPhone will look for other jailbroken iPhones with SSH installed and the default root password, after which it will proceed to infect those phones too. It’s a classic worm, but completely harmless. In fact, I’d argue it’s a positive thing, as it will nudge owners of jailbroken iPhones to properly secure their devices.
This same SSH/default password “exploit” has been used before; I know of at least two occasions where it was used in The Netherlands. Last week, for instance, a cracker scanned the IP range of T-Mobile in The Netherlands, and disabled some dozens of jailbroken iPhones. Initially, he demanded money for fixing them, but later on he posted a fix for free on the ‘net.
What you’ll see happening now is two things. First, people will claim this is a flaw in the iPhone and that Apple needs to do something about it. Nonsense of course, as this is not Apple’s fault. Two, you’ll see Apple fans claiming that jailbreaking is inherently dangerous, and that Apple is right in demanding that it remains illegal. This is also nonsense, as it’s not jailbreaking that’s dangerous – leaving your device with the default root password is. This is true of any computer.
All in all, this is pretty much a storm in a teacup. Own an iPhone? Nothing to worry about. Own a jailbroken iPhone? Just be sure to change the root password. That’s all.
That is just awesome. Better that security issues with phones using proper OSes get attention like this than by sensitive personal information getting taken.
Treat its security like any other computer on a network.
Edited 2009-11-10 00:05 UTC
I heard about this “iPhone virus” on BBC radio today, and I was wondering to myself “is this about the SSH default password vulnerability?” Surely, for the mainstream press to be touting this as an iPhone virus is sensationalism of the first order.
Though strictly speaking it is a virus, it’s a benign virus that exploits an extremely obvious vulnerability that’s open in a very small proportion of iPhone users.
That being said, I did go ahead and change my root password in my jailbroken iPhone today. I don’t want to get Rickrolled.
Normally you’d expect SSH would enhance security.
So, it affects people who are smart enough to know how to jailbreak an iPhone. And who are stupid enough to leave a default password in place?
You don’t have to be smart to Jailbreak an iPhone – 30 bucks and it’s done – and you have to be incredibly dumb to install SSH and not change the root password. Those who’ve been affected need to go give themselves an uppercut.
As for the sensationalism, do we really expect anything else from the media? The same lot that tell us that everyone who dresses or looks or “acts” differently to “us” (whatever that means) is a terrorist, and we should lock our kids away in the house in front of the TV eating McDonalds because if we let them play outside they’ll get sunburn and skin cancer then the perverts that are waiting behind every tree around the neighbourhood will snatch them away. If it wasn’t for sensationalism they would be out of jobs – it’s ALL they do…
bull,
SSH utility for iPhone does not have command prompt to allow password change. One needs to install additional app or log in from computer.. which might be too late already.
First run of ssh in iPhone is useless if it does not allow to change password.
But what one would expect from the device that is not designed with security in the mind?
Maybe Apple should start paying more attention to security instead of worrying if application containing word iPhone (e.g. iPhone reference manual) will be admitted to Apple store or not.
Edited 2009-11-10 14:56 UTC
What you have said is just profoundly silly. The SSH utility is a binary compiled and added by the jailbreakers. It’s not something that comes with the iPhone nor shipped by Apple. The lack of an automatic way to change your password by default is completely the fault of the jailbreakers, not Apple.
Apple didn’t provide any means for remote access so they certainly can’t be faulted for not having “security in mind” if you hack in your own remote access tools and don’t change the password.
That would be like faulting Honda for installing poor fire retardant materials in their cars after strapping your own homemade jet engine on the back. If the car explodes in a ball of flame due to your jet engine, it wouldn’t be fair to then say that Honda doesn’t design cars with safety in mind.
nope:
symbian and blackberry require signed apps and don’t give root access to most of the apps in contrast to iPhone.
If application does not allow password change, then root access should not be allowed.
As I said this is insecure device. Has nothing to do with crappy car comparison. Bad design is bad design.
Really? What about hacked/jailbroken Symbian and Blackberry devices?
A non-jailbroken iPhone sandboxes apps and definitely does not give root access to them. It also code-signs all installed apps.
Of course you probably realise this, you’re just being a moron.
[quote]A non-jailbroken iPhone sandboxes apps and definitely does not give root access to them. It also code-signs all installed apps.[/quote]
you must be dreaming assuming nice theory with sad reality (number of security issues with iPhone is qute amazing)
what would be a point to jailbreak blackberry?
find similar security problems with blackberry (and tons more that are marketing signature of iPhone e.g. clear text passwords to encrypt device and so on)
iPhone is nice but jailbroken or not this is not secure device
and this is more recent nasty story:
http://blog.intego.com/2009/11/11/intego-security-memo-hacker-tool-…
No I’m not “dreaming assuming nice theory with sad reality” (whatever that means). I’m setting you straight on your claim that the iPhone does not codesign or sandbox its apps. I said nothing about any other possible iPhone security issues.
Oh I don’t know. To run SSH on it maybe, like was done on the iPhone in the subject of this article?
No you are not setting anything straight. It is quite easy to escape iPhone sandboxing. SMS runs on iPhone not sandboxed. Maybe check Miller’s reports about “security” of sandboxed iPhone (crashing whole OS). The only real thing Apple “sandboxing” does is keep users from not buying apps from Apple store and extract maximum revenue.
What is funny is that Apple wants to patent crippling (ehmm sandboxing) cellphone devices (http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d…)
iPhone is not safe device, never was. If Apple was smart they will open iPhone apps to keep users happy and eliminate jailbreak problems.
I don’t need jailbroke blackberry to run (safely) SSH.
Maybe you should read the follow-ups to Miller’s reports. That vulnerability was fixed back in July: http://support.apple.com/kb/HT3754.
Ahh, you’re an anti-Apple zealot. You failed to keep to the point and started off on a rant. I guess I should stop feeding the troll now.
That’s nice for you. Enjoy.
“symbian and blackberry require signed apps”
also
http://developer.android.com/guide/publishing/app-signing.html
“Maybe Apple should start paying more attention to security instead of worrying if application containing word iPhone (e.g. iPhone reference manual) will be admitted to Apple store or not.”
It’s actually creating the problem. More and more iphone users (not hacker geek types) want to jailbreak just so they can get all the apps that Apple blocks.
Reminds me of my old iphone. I left the root password as alpine when I installed SSH. People at work had much delight rebooting my phone over the office wifi
Edited 2009-11-10 06:35 UTC
Anyone [with half a brain] who has jailbroken their iphone knew this would happen sooner or later. And its not exactly hard to protect yourself.
1. Don’t install SSH
2. If you do, switch it off when you don’t need it!
3. change the frekin password..
Nice, balanced, level-headed. No sensationalism. Nice work!!
I’d like to add my voice to memson’s sentiments.
Thanks Thom
who came up with the fundamentally insecure password ‘alpine’?