77 Comments
- riz94107, on 11/11/2009, -2/+28 I'm not an iPhone owner - but I have to say the most flabbergasting part of the article was where it states that the worm propagates via ssh, because the default jailbreak install apparently enables sshd WITH A DEFAULT PASSWORD. Enabling sshd at ALL for the ordinary iphoner is stupid - but a default password? It's like saying "please pwn me".
- jaytek13, on 11/12/2009, -1/+15 My iPhone is jailbroken, and this really does give me pause, but I find the suggestion that Apple should do more to make jailbroken iPhones more secure to be a bit ridiculous. Jailbreaking is a risk that we take, and Apple really doesn't bear any responsibility here. It's like trying to mod a 360 and ending up with a brick... does that mean Microsoft should do more to ensure the mod doesn't break the system? Of course not.
I also find the comment by Miller to be a bit amusing... "Yeah, well, jailbreaking makes the iPhone inherently less secure, but that doesn't mean the iPhone is perfect! Remember this one time where there was this one security issue? Yeah, see!"
Anyways, jailbreaking is a choice by the user, and I would just hope that all users who do make this choice do understand and are aware that they are "breaking" the security of the iPhone and opening themselves up for these things to happen.
- earthtones, on 11/11/2009, -3/+16 I'm still not sold on "jailbroken" as a word.
- spookyttws, on 11/12/2009, -1/+14 And it's so hard to simply turn off SSH when you're not using it or simply change the password?! It's dumb to call this a hack, it would be like setting up an FTP server with no password and wondering how people were able to access your data.
- macslut, on 11/12/2009, -0/+12 Jailbreaking doesn't give it a default password. Apple gives all iPhones a root password of alpine and a username of mobile with a password of dottie.
Jailbreaking doesn't enable SSH. You have to first go to Cydia, then ignore the change passwords warning, download and install SSH. You then need to enable SSH without changing the passwords.
To be vulnerable, you then in addition to the above, need to be on a wifi connection with the iPhone active (not in sleep state), and the hacker has to be on the same connection. It's a risk, but not one that's inherent with jailbreaking.
The only way to change the default passwords for either root or mobile is to jailbreak your iPhone. This gives you an additional layer of security since with the default passwords, someone could access your data if they have physical access to your iPhone (even if it has a lockscreen pin).
- macslut, on 11/12/2009, -2/+13 Except for the fact that your iPhone is more secure if you do jailbreak it. I know the root password to your iPhone is alpine and the mobile password is dottie. If I get access to your iPhone before you change your passwords, I can get access to your data (even if it's lockscreen pin protected). You can only change your root and mobile passwords if you jailbreak.
In terms of the risks of jailbreaking, there are none. The risk is in installing SSH, while ignoring the warning to change the passwords, and then enabling SSH without changing the passwords, and then being on a wifi connection while the iPhone is active (not in sleep state) and then having a hacker on the same wifi connection. Sure, it's a risk, but it's not inherent to jailbreaking.
- riz94107, on 11/11/2009, -0/+11 how about jailbreakeded?
- rageguy, on 11/12/2009, -0/+10 I hope you're a troll JohnnySoftware
1) Jail breaking does not install SSH.
2) Jail breaking cannot brick your phone (you can always recover)
3) Installing an Apple update will not damage your phone, it will simply remove your jail break and upgrade you to the latest firmware.
A default jailbreak setup is safe from this "attack". These people chose to install SSH and leave the password on the phone as default.
Unfortunately any system no matter how secure is vulnerable to stupid users.
- angel.wardriver, on 11/11/2009, -1/+11 Dugg for pillaging and plundering :-) Hackers or vikings?
- MAGZine, on 11/12/2009, -0/+10 No? You have to install SSH as a separate app once you jailbreak your iPhone.
As far as I know, the people behind the jailbreaking of iPhones tell you don't not update, but don't update until they can get around Apple's latest anti-customization practices.
Most of the time, if the update/upgrade/install process goes wrong, you can recover your phone without it bricking. That is, 99% of the time.
- Hecubus452, on 11/12/2009, -1/+10 "The ikee worm was released a week ago by Ashley Towns, a 21-year-old unemployed Australian programmer,"
When I first read this I thought "wow, a woman actually created a worm, there's no way that's true, they've got better things to do than be such an *****."
Sure enough, I was right.
- czarcasm, on 11/11/2009, -1/+9 correctionalfacilityescapeded
- orbz, on 11/12/2009, -0/+8 I have the SSH toggle installed for SBSettings... a swipe and a click to disable (or enable) it from any screen. Anyone who is going to the extent of comprehending and using SSH should know better than to leave it open 24/7. This hole is exactly the same size as the user, no more, no less. I could enable the exact same "hole" on my MacBook.
- Rogor, on 11/12/2009, -0/+7 SMS banking authentication should be immediately stopped. It's obvious as mobile operating systems have approached the complexity of normal computers they will become more and more vulnerable as computers have.
- macslut, on 11/12/2009, -0/+7 Yes, after jailbreaking, you'd need to manually install SSH while overlooking the warning to change the default passwords for root and mobile. You'll also need to enable SSH without having changed the passwords and be on a wifi network that the hacker has access to. You'd be safe at home unless you for some really weird reason forwarded the port on your router to your iPhone (and also didn't change the passwords).
However, if on the same Wifi network, all someone has to do is scan and find your IP, then hope it's an iPhone, hope that it's jailbroken, hope that it has SSH installed and enabled and hope that you haven't changed the default passwords...then there's pwnage of your iPhone (as long as you keep it active and don't let it sleep).
That's a lot of qualifications, but it's doable if you go somewhere with free wifi for example.
To be clear though, if you want the absolute maximum in security with your iPhone, you would jailbreak it and then change the default root and mobile passwords. This makes your iPhone more secure than if you hadn't ever jailbroken it, not because of SSH, but rather with physical access. You want the default passwords changed, and jailbreaking is the only way to do it.
- TheMadCow, on 11/12/2009, -0/+7 This article is great. It's going to scare off all the morons who have been jailbreaking their phones using very easy to use tools and then whining up a bitchfest when they "accidentally" upgrade their baseband or firmware. Anyone who can find their ass from a hole in the ground already knew to change their password.
Plundering, indeed.
- macslut, on 11/12/2009, -0/+7 In other news...
Changing the password to your computer to "password" or leaving it blank, and then installing/enabling SSH or any other remote access software that uses that password could potentially open your computer to an attack.
- Lane, on 11/12/2009, -0/+7 FFS you can disable SSH with one button press once your iphone/touch is jail broken.
- macslut, on 11/12/2009, -0/+6 Whoever said that was wrong. It doesn't install SSH by default when jailbreaking. You can install SSH through Cydia, but before you do, you are warned to change the passwords.
- blindmelon1, on 11/12/2009, -0/+6 Liberated :)
- solarwind24, on 11/12/2009, -0/+5 The newest jailbreaks don't enable sshd by default. You actually have to download it and install it.
- MattBlackCat, on 11/12/2009, -1/+6 Yes Steve.
- cuervoman914, on 11/12/2009, -1/+6 I believe macslut owned your ass. also, dugg down for being too much a mac lover that you don't dare do what you want with apple's machine, even though it's yours since you bought it.
- Gareth321, on 11/12/2009, -2/+6 Agreed. This is the worst thing the jailbreaking community could have done for credibility. They were gaining some serious momentum, and I think everyone had hopes Apple would finally begin to open up some more aspects of the iPhone OS to development. Certain things like proper multitasking are desperately needed.
- JohnnySoftware, on 11/12/2009, -1/+5 Yeah, it does. Windows Mobile has been pwned by hackers per year. Despite its piddly 4% market share. I guess they were bored during their coffee break. Or wanted to blow off steam after crafting Windows viruses the Windows AV industry doesn't catch.
SEPT. 2004: Details Emerge on the First Windows Mobile Virus
http://www.informit.com/articles/article.aspx?p=33 ...
MARCH 2006: PC Windows - Windows Mobile Cross-infecting Virus (gotta love autorun)
http://www.informit.com/articles/article.aspx?p=45 ...
MARCH 2008: Windows Mobile Virus on the Loose
http://www.downloadsquad.com/2008/02/27/windows-mo ...
In other words, "Windows Mobile viruses celebrated their 5th birthday 2 months ago!!" Don't feel bad you did not know the viruses had been infecting Windows Mobile for so long. Just think how your phone must have felt when it found out. (0_0)
- MAGZine, on 11/12/2009, -0/+4 Please source all of your claims, particularly the one about 4% marketshare, and the one regarding Windows Mobile viruses.
And Removable media is my friend.
- jamesmcginnis, on 11/12/2009, -0/+4 Well, I'll say thank you for the explanation
THANK YOU!
- FlyingSquidwolf, on 11/12/2009, -0/+3 jailbreakeded'd
- mochaman, on 11/12/2009, -1/+4 SSH and change your root password if don't know then don't bother jailbreaking your iphone lazy ass people.
- nesstheking1, on 11/12/2009, -0/+3 just turned mine off :)
- quaxon, on 11/12/2009, -0/+3 For someone to do this wouldn't you have to have not only openSSH installed, but also be on their (or someone else's) wifi network? And even then how would they find your phone's IP address?
- minoss, on 11/12/2009, -1/+4 This was also obvious the moment I jailbroke my iphone. Surprised it took this long to become an issue.
- ScottRTL, on 11/12/2009, -1/+4 That's exactly why I changed the two SSH passwords on my iPhone, and I have been screwing with my friends via SSH since iPhone 2G...
- jjustin01, on 11/12/2009, -0/+2 Are you sitting on Steve Jobs' lap this morning, or is your head buried in his lap?
Based on your comment history, I'd say you are an Apple employee.
- MAGZine, on 11/12/2009, -0/+2 It's not ignorance, it's smacktalk.
- MAGZine, on 11/12/2009, -0/+2 THANK YOU.
At least *someone* has some humor in them.
- raynar, on 11/12/2009, -0/+2 Maybe you should do a little research before you speak out of turn. Jailbreaking does NOT enable ssh. You have to go and download the OpenSSH package from Cydia first, and so by doing that, it's assumed you're smart enough to change the password.
- FlyingSquidwolf, on 11/12/2009, -0/+2 jailbroken'd?
- macslut, on 11/12/2009, -1/+3 Marketshare!
/s
- Ac1115, on 11/12/2009, -0/+2 SBsettings is amazing, one of the reasons I jailbroke my iphone. (that and tethering on 3.1.2)
- mrBitch, on 11/12/2009, -0/+2 @ spookyttws, RE: " .. It's dumb to call this a hack, it would be like setting up an FTP server with no password and wondering how people were able to access your data."
Very good point, and it's EXACTLY like setting up an FTP server with no password ...
- evergrim, on 11/12/2009, -0/+2 There's a bit more to the story about Ashley Towns.
http://encyclopediadramatica.com/Ashley_Towns
Anonymous are pissed off at him.
- mrBitch, on 11/12/2009, -0/+2 RE: http://encyclopediadramatica.com/Ashley_Towns
Short summary :
" .. Ashley Towns (AKA Ikee) is ... claiming to have written the first virus for the Apple iPhone[1] that is targeting jailbroken iPhones only.
His virus coincidentally is identical to the Dutch worm, the source of which was leaked a week prior to his claim (see: attention whore). He merely stole the Dutch version of code released on all the usual networks and changed the payload to load a Rick Astley wallpaper. "
- czarcasm, on 11/12/2009, -0/+2 escapee
- redwallhp, on 11/12/2009, -0/+2 @macslut: No. A non-tampered iPhone doesn't have an SSH server installed, and the root account is disabled. This exploit is only possible if you jailbreak the device. Get your facts straight before joining the troll-fest.
- rageguy, on 11/12/2009, -0/+1 @JohnnySoftware
Hahahaha! I really hope you're a troll, if you are then I salute you.
Do you honestly think that the App store approval process and Apple's proprietary method of syncing files makes the iPhone platform secure?
The fact Apple does not use the mass storage driver does not make it any less vulnerable. There are multiple unpatched vulnerabilities that would allow a trojan on your computer to free access inject code onto the phone via USB.
Worse yet, since the App store approval process is so secure as to not allow utilities like process monitors or file managers, it is near on impossible to tell if a phone has had any modifications done to it.
Even worse yet, since the file system is hidden from the computer's view, an external antivirus program could never scan the phone's file system for the presence of virus.
As iPhone viruses become more malicious and take advantage of mechanisms other than a default password, you are going to be entirely at Apple's mercy to fix the problem.
- ryanonfire, on 11/12/2009, -1/+2 Opensource?
- seraph1982, on 11/12/2009, -0/+1 With a name like JohnnySoftware, your post only becomes even more ironically delicious. Get in touch with the content you're posting about before you post again :)
- mrBitch, on 11/12/2009, -0/+1 Zing!