×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

First Malicious iPhone Worm In the Wild

timothy posted more than 4 years ago | from the because-some-jerks-are-clever dept.

Security 135

An anonymous reader writes "After the ikee worm that displayed a picture of Rick Astley on jailbroken iPhones, the first malicious iPhone worm (Google translation; original, in Dutch) has now been discovered in the wild. Internet provider XS4ALL in the Netherlands encountered several of such devices (link in Dutch) on the wireless networks of their customers and put out a warning. After obtaining a copy of the malware it was discovered that the jailbroken phones, which are exploited through openSSH with a default password, scan IP ranges of mobile internet providers for other vulnerable iPhones, phone home to a C&C botnet server, are able to update themselves with additional malware and have the ability to dump the SMS database as well. Owners of a jailbroken iPhone with a default root password are advised to flash to the latest Apple firmware in order to ensure no malware is present."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

135 comments

As the saying goes. (0)

Anonymous Coward | more than 4 years ago | (#30187530)

PEBKAC.

Smoking (0)

Anonymous Coward | more than 4 years ago | (#30187688)

I think this is really the affect of smoking and using the iphone at the same time. Apple should have these people arrested. And sent to Alcatraz, which Steve Jobs recently bought, btw.

Re:As the saying goes. (1)

lorenlal (164133) | more than 4 years ago | (#30189862)

Well... yea. Although I might amend it to IEBKAC - Ignorance Exists Between Keyboard and Chair.

I mean, they knew enough to jailbreak their iPhone, and installed SSH, and didn't set a proper root password... The best part is that they even got a wake up call in the form of the Astley worm... Speaking of which... I consider seeing Rick as an iPhone background fairly malicious, so I'll correct the summary.

(j/k Rick, thank you for having a good sense of humor about all this. :D)

In other news (0)

Anonymous Coward | more than 4 years ago | (#30187562)

Morons who don't know what the fuck they're doing still continue doing it.

News at 11.

Re:In other news (1)

BrokenHalo (565198) | more than 4 years ago | (#30191118)

Sounds like the same exploit as the rickroll worm. But anyone running SSH with a default password deserves everything he'll get.

hmmm. passwd (4, Insightful)

epilido (959870) | more than 4 years ago | (#30187568)

how about changing the default password............

Why is there a default password at all? (1)

Colin Smith (2679) | more than 4 years ago | (#30187932)

Jeez. People knew that was a bad idea decades ago.

 

Re:Why is there a default password at all? (1)

hansraj (458504) | more than 4 years ago | (#30188040)

Yeah, and I don't get why the executable used for jail-breaking an iPhone couldn't either

a) Prompt the user to choose a root password, or
b) Generate a (random) root password for each install.

I mean seriously, what is the idea behind having a default root password?

Re:Why is there a default password at all? (2, Insightful)

marcansoft (727665) | more than 4 years ago | (#30188690)

The default install doesn't come with OpenSSH anyway. If you deliberately install OpenSSH (to access your stuff using WiFi, which is why most people do) and fail to change your password (which should be blatantly obvious, since it's what you'll be using to access the phone over WiFi), well, shame on you. If you can't deduce that anyone can access your phone remotely just as well as you can, you shouldn't be doing these things.

Really, a good part of the blame is probably on tutorials and guides out there that tell you to install OpenSSH and don't mention changing your password (or don't mention it in bold/red enough text). Smart people change their password, and dumb people don't go messing with a weirdly-named package that isn't listed under the "user-friendly GUI stuff" categories. It takes a poorly-written tutorial to bridge the gap.

FWIW, the default passwords are already there on Apple's OS. Jailbreaking by itself doesn't make the phone any less secure because it only lets you install unsigned apps. It's installing OpenSSH that suddenly turns the default passwords into a huge security hole. If OpenSSH were hypothetically available on the App store, the issue would still be present.

Re:Why is there a default password at all? (1)

peragrin (659227) | more than 4 years ago | (#30189186)

Of course that is one of the many reasons why apple is so anal about what apps can be do and which api's they can use.

if i put on the tinfoil I would bet that apple themselves engineered the virus to spread through only jail broken phones to prove just how dangerous jail breaking is.

Re:Why is there a default password at all? (1)

adolf (21054) | more than 4 years ago | (#30189498)

Danger? When I installed OpenSSH on via Cydia, I got a big fat warning about being sure to change the password (the default is "alpine".)

I, of course, did so immediately. As I would've done anyway, even if Cydia didn't prompt me to do so.

The problem here, at the root of it, is this: Apple ships the device with a default password, but no means of remote access, so that's OK. User comes by and plugs in a remote-access application (OpenSSH), fails to heed the warnings about enabling SSH without changing the password, and gets pwned.

I'd like to assume that most people who are interested in SSH are also clued enough to understand the threat therein. But you know what they say about assumptions...

Re:hmmm. passwd (1)

Sir_Lewk (967686) | more than 4 years ago | (#30188646)

The purpose of suggesting that anyone with the default password reflash their iphones is that they might already be infected, making changing the password at this point pointless.

Of course changing the default password is something that should always be done.

Excessive? (5, Insightful)

ickleberry (864871) | more than 4 years ago | (#30187574)

Owners of a jailbroken iPhone with a default root password are advised to flash to the latest Apple firmware in order to ensure no malware is present.

That seems a bit excessive when a simple one-time usage of the included "passwd" utility will suffice. Srsly though, jailbreaking utilities should be pestering users to change their password from the default because this is only scaring less-knowledgeable folk into thinking Jailbreak == viruses

Re:Excessive? (3, Insightful)

maccodemonkey (1438585) | more than 4 years ago | (#30187700)

Unless you are already infected and you don't know it, then changing the password does nothing.

Re:Excessive? (1)

CharlyFoxtrot (1607527) | more than 4 years ago | (#30188772)

If you're jailbreaking next time you upgrade the issue will solve itself since you flash a new image on the phone. But my guess is these are clueless people who had their phone unlocked and jailbroken by a friend back in the (1.3) days when openssh was automatically installed when jailbreaking and the included passwd utility was broken so people couldn't change the password.

Re:Excessive? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30187870)

Owners of a jailbroken iPhone with a default root password are advised to flash to the latest Apple firmware in order to ensure that their phone is bricked and completely unusable

Fixed the article

Re:Excessive? (3, Insightful)

TJamieson (218336) | more than 4 years ago | (#30188004)

Isn't it also interesting that the fix is to, basically, un-jailbreak as soon as possible. If I were more of a conspiracy theorist, I would think Apple might have an interest in showing just how "bad" jailbreaking can be. Apple: See, if you jailbreak, you'll get a special phone worm!

Re:Excessive? (3, Funny)

Anonymous Coward | more than 4 years ago | (#30188280)

WORMS? IN MY APPLE?!?!?!?

actually, that seems somehow fitting...

Re:Excessive? (1)

marcansoft (727665) | more than 4 years ago | (#30188722)

Wrong. The fix is to, basically, reinstall the OS. Jailbroken or not. Jailbreak != OpenSSH preinstalled. People claiming this hole is somehow the result of jailbreaks are either clueless or anti-jailbreak. Jailbreaking is the enabler, but the real problem are clueless users who install (or are instructed to install) OpenSSH and do not change the default passwords.

Re:Excessive? (1)

TJamieson (218336) | more than 4 years ago | (#30189430)

Exactly - the clueless user is the target here. The technical users already know why they should jailbreak, and how to do it safely. Apple isn't worried about them because that crowd will always exist. However, they could leverage these worms to urge non-techies away from even thinking about jailbreaking. For instance, in the eyes of the average user, they could make jailbreaking synonymous with worms. Everybody here on /. knows jailbreak != worms, but what about everyone who reads Google News?

Re:Excessive? (1)

macslut (724441) | more than 4 years ago | (#30188756)

Actually the steps are: 1) Admit that you're an idiot for enabling SSH and not changing the default password. 2) Flash the firmware. 3) Re-Jailbreak. 4) Either don't enable SSH or do change the default password. 5) Remember that you're an idiot.

Unless... (1)

dreamchaser (49529) | more than 4 years ago | (#30188056)

That seems a bit excessive when a simple one-time usage of the included "passwd" utility will suffice. Srsly though, jailbreaking utilities should be pestering users to change their password from the default because this is only scaring less-knowledgeable folk into thinking Jailbreak == viruses

Unless of course the author of a particular jailbreak utility WANTS to compromise the target units.

Re:Excessive? (1)

pizzach (1011925) | more than 4 years ago | (#30188174)

That seems a bit excessive when a simple one-time usage of the included "passwd" utility will suffice. Srsly though, jailbreaking utilities should be pestering users to change their password from the default because this is only scaring less-knowledgeable folk into thinking Jailbreak == viruses

Honestly, if the people reading it don't realize it is obsessive, they probably shouldn't have jailbroke their phones in the first place. When you hack something on a public controlled network, you best not be mindless. This message hits exactly the people who should return to the standard firmware and nor more.

Re:Excessive? (1)

maccodemonkey (1438585) | more than 4 years ago | (#30188344)

The problem is a lot of mainstream news sites have reported all the cool apps you can get by jailbreaking, and a lot of people have found jailbreaking as one way to pirate apps. Thus the clueless public was introduced to jailbreaking, and of course they install whatever random crap they find like kids in a candy store, such as an SSH server.

Re:Excessive? (1)

Sir_Lewk (967686) | more than 4 years ago | (#30188768)

No. If people don't realize that reflashing their iphones is the proper thing to do at this point then they are the ones that should not be jailbreaking their iphones. The purpose of the reflash is to ensure that the phone will no longer be infected, which it may or may not have been before hand. Changing the password after the fact will not magically un-infect them.

Honestly though, if people didn't change the default password to begin with then they really should not be jailbreaking their iphones.

Oh, and the word you are looking for is "excessive", not "obsessive". Your parent (whom you quoted) got it right.

Re:Excessive? (3, Insightful)

ickleberry (864871) | more than 4 years ago | (#30188834)

No reason ordinary folk shouldn't be allowed to enjoy the benefits of an un-crippled, unrestricted phone. Jailbreaking utilities really should prompt the user for a new root password before they can continue, so there would be no point in even writing these worms.
,

Re:Excessive? (2, Interesting)

pizzach (1011925) | more than 4 years ago | (#30189226)

No reason ordinary folk shouldn't be allowed to enjoy the benefits of an un-crippled, unrestricted phone.

It's these same people who don't care if their Windows machine is full of viruses from opening their firewall since it was "inconvenient." With these people, a botnet of iPhones is just a matter of time.

Re:Excessive? (1)

mysidia (191772) | more than 4 years ago | (#30188460)

If you don't bother reading the documentation and such, to ensure you use the "passwd" command as directed, then you have no business jailbreaking or using a jailbroken phone.

Because you're going to screw up in some other way too. (Default password isn't the only mistake you can make)

It gives Apple more ammo to use against jailbreakers, even justification for bricking them -- to protect Apple's good name against being tarnished by reports of "iPhone-based botnets".

Part of the sales pitch of Apple software is that there's no risk of Malware or Worms anything like there is for Windows users.

Microsoft would want you think there's nothing about Apple's OS that is more secure -- there's just no Malware problem, because hardly anybody uses their OS, and hackers aren't interested in it.

By allowing jailbroken iPhones to continue to function, and worms to arise targetting jailbroken phones, more credibility is lent to the Anti-OSX / Anti-UNIX security argument (the position that UNIX / OS X / Linux/ etc, are no more secure than Windows in any way, or that Windows is just as more secure).

In other news, idiot users get hacked (3, Informative)

Azureflare (645778) | more than 4 years ago | (#30187608)

Just to clarify:

Wederom zijn het alleen gebruikers van een gejailbreakte iPhone of iPod Touch die risico lopen.

Translation: Again are the only users of an iPhone or iPod Touch gejailbreakte at risk.

In summary, if you jailbreak your phone, install apps to make your phone a server, and don't take steps to secure it, you are an idiot and deserve whatever happens.

Re:In other news, idiot users get hacked (1)

Dahamma (304068) | more than 4 years ago | (#30190634)

Well... this would be "informative" if he actually fixed the translation to be readable, ie "As usual, only the users of a jailbroken iPhone or iPod touch are at risk." If the mis-translation was actually interesting, you could mod it funny, I guess...

Now to be fair, I do agree 100% with the conclusion and would gladly mod "insightful" - calling something a "worm" when the attack vector is "tries default password on idiotic 'secure shell' software that even allows one" is a real stretch. IMO this is more a "works as designed" - install a shell that anyone can log into, and anyone will...

ROFL (-1, Troll)

Idiomatick (976696) | more than 4 years ago | (#30187614)

Open SSH port with default password ... as a default for the phone. That's not even a virus that's like a white guy wandering downtown with a big armful of money telling everyone that niggers suck. Virus implies it slipped through security....

Re:ROFL (3, Insightful)

nurb432 (527695) | more than 4 years ago | (#30187642)

Odd, the story called it a WORM.. which it is.

Re:ROFL (2, Insightful)

ourcraft (874165) | more than 4 years ago | (#30189572)

Booth stopped rotting a long time ago. As such he no longer stinks. Not stinking is hardly enough to be called a patriot. I can think of nothing else to recommend him.

Re:ROFL (1)

mysidia (191772) | more than 4 years ago | (#30188504)

It's like the guy who wants to start a bank, who leaves the doors to the building in the default position (unlocked) always, and leaves the money vault's combination, set to the default "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16", which is printed on a sticker at the top of the lock he didn't bother to remove "Default combination: ..

Why a default password? (4, Insightful)

harmonise (1484057) | more than 4 years ago | (#30187632)

why is SSH being installed with a default password left in place? Talk about asking for trouble.

Re:Why a default password? (2, Informative)

Suzuran (163234) | more than 4 years ago | (#30188596)

Jailbreaking DOES NOT install ssh by default. You have to install openssh yourself after jailbreaking.

Re:Why a default password? (0)

Anonymous Coward | more than 4 years ago | (#30188634)

They got exactly what they wanted -- an open phone.

Oh, Dutch... (2, Interesting)

muncadunc (1679192) | more than 4 years ago | (#30187666)

gejailbreakte
I love it.

So the only phones at risk are the jailbroken (jailbreaked?) ones?
You'd think the thing to do would be to incorporate a password-changing tool into the jailbreaking tools somehow, so users have to select something other than the default one.

Re:Oh, Dutch... (1)

theArtificial (613980) | more than 4 years ago | (#30188324)

Yes, only the jailbroken ones are affected. You're supporting a moot point. The people who are affected aren't following the instructions. You are told to change your password.

If you like loan words such as 'gejailbreakte' there is German 'geownt' for owned.

Re:Oh, Dutch... (1)

muncadunc (1679192) | more than 4 years ago | (#30189486)

I'm thinking more something like, say, if you install Cydia then you have to run the password utility before it will allow you to download packages.

Re:Oh, Dutch... (2, Insightful)

dingen (958134) | more than 4 years ago | (#30188506)

gejailbreakte
I love it.

Sadly, the language is full of these sort of things nowadays... give it another decade and Dutch will be fully understandable for people who speak English.

Not the first (1)

93 Escort Wagon (326346) | more than 4 years ago | (#30187682)

I have to take exception to the claim this is the FIRST malicious iPhone worm. After all, ikee inflicted Rick Astley on people - that probably gave folks nightmares.

Wait a second? (3, Interesting)

cluge (114877) | more than 4 years ago | (#30187780)

>Owners of a jailbroken iPhone with a default root password are advised to flash
>to the latest Apple firmware in order to ensure no malware is present."

If they flash to the latest apple firmware, will they be able to

  • 1. Use the network of their choice
  • 2. Run non apple allowed apps (skype)
  • 3. Play their music without DRM

Most importantly - will they be able to jailbreak the device after the update?

I see a future where Apple, the RIAA, and others might wish to write worms to help prevent people from hacking their devices or brick devices that have been "hacked".

Re:Wait a second? (1)

maxume (22995) | more than 4 years ago | (#30187850)

Yeah, so don't do business with companies that embrace the control approach, problem solved.

Re:Wait a second? (4, Informative)

CrackedButter (646746) | more than 4 years ago | (#30187854)

I can already do number 3 without jailbreaking my phone.

Re:Wait a second? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30188542)

Really? Then come over here, plug your phone into my computer, and let me copy your music off of it.

Oh, what's that, you can't do that, the Apple DRM prevents you from doing that?

Then I guess you, in fact, CAN'T play your music without DRM.

Re:Wait a second? (0)

Anonymous Coward | more than 4 years ago | (#30188746)

Apparently you've got a different definition of "playing music" than the rest of the sane people in the world. Do you get a lot of weird looks at dinner parties when you shit on the table and call it "having dinner"?

Re:Wait a second? (0)

Anonymous Coward | more than 4 years ago | (#30188812)

How so? When you copy the music onto the iPhone, Apple automatically DRMs it.

In order to play the music on the iPhone, you must (strangely enough) copy it onto it.

Therefore, in order to play music on the iPhone, you must allow Apple to wrap it in DRM. That wasn't that hard to understand, was it?

Re:Wait a second? (1)

UnknowingFool (672806) | more than 4 years ago | (#30189570)

No because it doesn't. No DRM is added. The iPhone merely prohibits users from using it as copying device directly. You can use it as a portable storage device and indirectly copy. People who jailbreak the phone will find the music files with no DRM in a folder.

Re:Wait a second? (0)

Anonymous Coward | more than 4 years ago | (#30189788)

So, in other words, people who break the DRM will find the music without DRM.

Wow.

U R GENUS!

Re:Wait a second? (1)

DavidTC (10147) | more than 4 years ago | (#30190234)

Um, you're an idiot.

You can, in fact, copy music files back off the iPhone all you want. There is no 'DRM' on them whatsoever. Or, rather, the iPhone doesn't put DRM on them...they either came with it, or they didn't.

Now, you need a special program to put them on or off, you can't use the standard USB drive interface to do that. There are plenty of such programs, from the iTune program to third party software. (You, of course, can't play them if they started with DRM, but you can copy them off.)

But 'non-standard interface' does not equal DRM.

Re:Wait a second? (1)

UnknowingFool (672806) | more than 4 years ago | (#30189556)

There's a difference between DRM and locking content to the phone. If the music file does not have DRM, the iPhone/iTunes does not add DRM to it. However the phone itself prevents users from using a iPhone to copy music using syncing. Users can copy music by using the iPhone as a portable storage device. Learn the difference.

Re:Wait a second? (1)

DavidTC (10147) | more than 4 years ago | (#30190378)

However the phone itself prevents users from using a iPhone to copy music using syncing.

No it doesn't.

iTunes stops the user from copying music using syncing, I think. (I don't even vaguely pretend to understand how iTunes dysfunctions.)

However, any third party app that can put music on the iPhone has the technological ability to copy it back off.

Whether or not that actually is an option in the program is up to the programmer, but any program that uses Apple's Mobile device support library can use it to get the file off.

I just tested the program I use to put music on my iPhone, foobar 2000 w/foo_dop. It easily copied files back off using the foo_fileopts menu. (foo_fileopts is just a fb2k extension that just lets you move, copy, and delete files within foobar 2000.) Right there, on my desktop, I have an album I just copied off my iPhone using fb2k. It even let me rename them based on tags instead of the silly number plus three char names they had on the iPhone.

That isn't even some special feature. fb2k, and any program with the Apple's Mobile device support library, reads mp3s on the iPod and iPhone like any other file. It can even play them from my iPhone! I suspect foo_fileopts has absolutely no 'support' for the iPhone, it just transparently treated files on it like any other file. 'Okay, here's the file, now I will write it over there.'

Any third party program can easily just copy files, period. (And rename them to something intelligible using the tags, hopefully.) No only can you do it, you can do using Apple's own library, it's not some hack. Just don't use stupid-ass iTunes for it.

Once you get the files off, you can, of course, put them in iTunes if you want.

Of course, if they had DRM on them, they'll still have DRM on them, and won't actually play anywhere, no matter how you copy them around. (The iPhone itself, or even the library, might block copying files off the phone if they have DRM, I have no idea and no way to test it. But that's not what's under discussion here.)

Re:Wait a second? (1)

CrackedButter (646746) | more than 4 years ago | (#30190316)

The original statement by the parent poster, was that I needed to jailbreak my phone in order to play non DRM music. You're saying I'm wrong because I can't come over to your house so you can COPY my music. Do you see a disconnection in the discussion here? Learn to read swim before diving in at the deep end.

Re:Wait a second? (0, Troll)

Imrik (148191) | more than 4 years ago | (#30187890)

I see a future where Apple, the RIAA, and others might wish to write worms to help prevent people from hacking their devices or brick devices that have been "hacked".

Are you entirely certain that future hasn't already arrived?

Re:Wait a second? (0)

Anonymous Coward | more than 4 years ago | (#30187966)

Yes the current firmware can be jail broken and there fore the rest of your questions are answered:

Update -> Jailbreak -> Change password -> Go about your normal routine.

Re:Wait a second? (0)

Anonymous Coward | more than 4 years ago | (#30188078)

On #3 - if you'd take your mouth off Linus Torvald's dick long enough to actually look around, you'd notice that iTunes has eliminated DRM on all but a handful of tracks. Furthermore, douchington, every iPod EVER has been able to play MP3s.

Re:Wait a second? (0)

Anonymous Coward | more than 4 years ago | (#30188168)

Re:Wait a second? (1)

jo_ham (604554) | more than 4 years ago | (#30188322)

I can do 2 and 3 right now on my un-jailbroken iPhone.

I'm also quite happy with O2, although now the exclusivity has expired in the UK, I can switch to Orange if I really want.

SIM lock (1)

DrYak (748999) | more than 4 years ago | (#30188416)

1. Use the network of their choice

Good question !
Is the iPhone sold by AT&T SIM-Locked ?
Or is only the iPhone OS testing on which network it is connected ?

That's an important distinction :
- In the former case, the restriction of choice is done by the actual GSM/UTMS chip it self.
Enabling the user to run the software of his/her choice doesn't change a thing. To unlock the phone a special command has to be sent to the chip to allow it to use another SIM card with a different identification number.
- In the later case a jail breaked phone could simply be instructed to bypass the check.

As an exemple, Android "Google"-Phones may use SIM-lock (depending on the plan, etc.)
In which case you can install pretty much everything you want on the phone (specially with Android being open-source, etc.)
But you're still required to use the same SIM card - The GSM chip is linked to specific range of ISMI and will refuse de go only with others.

But I have no idea about iPhones.

Re:SIM lock (1)

marcansoft (727665) | more than 4 years ago | (#30188844)

The former. These days, jailbreaking is a prerequisite to sim-unlock (because you need to access the software to talk dirty to the GSM chipset, a.k.a. baseband). You may or may not be able to unlock the phone once you're jailbroken, especially if you've applied an Apple update that updates the GSM chipset to close holes. For example, AFAIR, the iPhone 3GS can be thoroughly pwned as far as software goes after any update (ROM bootloader bugs), but updating the baseband will lock you out of unlocks until new exploits come out (and no, downgrading is not possible).

Re:Wait a second? (1)

jim_v2000 (818799) | more than 4 years ago | (#30188518)

>I see a future where Apple, the RIAA, and others might wish to write worms

So you're telling me that in the future, Apple could possibly have the strong desire to write a worm for iPhones? You're like the prophet of uncertainty.

Re:Wait a second? (1)

NiceGeek (126629) | more than 4 years ago | (#30189190)

iPhone can play mp3 files no matter where they are purchased from - no DRM, and in fact most of the music sold on the iTunes store is DRM free now.

Skype has been available in the App Store for quite some time

Re:Wait a second? (1)

CliffH (64518) | more than 4 years ago | (#30190432)

To answer your questions:

1. Depending on where you are in the world, yes or no. In NZ, yes, you can use whatever network you wish

2. I didn't know Skype wasn't allowed! I have Skype on my non-jailbroken phone. I picked it up on the App Store for free. To get to your point though, no, you cannot use the other app stores around which is a serious shame

3. I play MP3s all the time. No DRM.
If it is a 3G or a 3GS at firmware 3.1.2 then yes, you can jailbreak pretty damn easily. You can just as easily put it back in jail if you like.

Abstraction (4, Insightful)

gmuslera (3436) | more than 4 years ago | (#30187790)

You just do this and that happens. As in "you run this and your phone gets even more awesome" or "you'll shut down your firewall be able to get movies in your pc" or things like that. But you dont have to understand what are really doing, or all that it implies. People are getting powerful things, and as childs are irresponsible about what could happen because their actions because they don't understand them.

It seem plain clear to us that having a common, default admin passwords in all the jailbroken devices is a very bad policy, but how many times we could had fell in a similar situation were are us who don't understand fully what we are using i.e. in other areas?

To make things worse, we complain a lot about products that takes the "safest" choice for us, not giving enough control/customization to the final (knowing enough?) user, making those impopular and so not taken even by the people that don't know (or don't want to know).

Re:Abstraction (0)

Anonymous Coward | more than 4 years ago | (#30187840)

I see your point, but I think there is a considerable difference between locking a user into a particular control structure and providing an adequate level of technical security.

Re:Abstraction (1)

marcansoft (727665) | more than 4 years ago | (#30188868)

Common, default admin passwords are present on all phones, jailbroken or not (it's just that they're basically useless with Apple's firmware). Jailbreaking it doesn't make you any more vulnerable, that only happens after you (manually) install OpenSSH. If anything, the OpenSSH package should force users to change their passwords (or refuse to work otherwise), but jailbreaking itself has nothing to do with this. People appear to be equating jailbreaking with having OpenSSH installed, which is entirely untrue.

Re:Abstraction (0)

Anonymous Coward | more than 4 years ago | (#30189140)

Or default to only allowing public key login, so the user would have to explicitly enable password login.

Re:Abstraction (1)

sogoodsofarsowhat (662830) | more than 4 years ago | (#30189288)

Well the fact remains....Jailbreak your phone and you run a real risk of being hacked or compromised. You cannot show me a single stock iphone that is vulnerable to ANYTHING like this. That right there proves Apple knows better than the customer, as they have demonstrated time and again on security matters. When i have to run virus protection on my Mac then we can discuss a change to the above rule. But for now Apple is shining brighter and brighter. And the open it all up let us decide crowd just got another set back, as this shows why for the average user its better to trust Apple then yourself in these matters. /yeah i know plenty here can take care of themselves, but realize your a tiny segment of the target market. this means your votes dont count...sorta like voting in the USA.

Whis is behind this? (1)

future assassin (639396) | more than 4 years ago | (#30188076)

Apple? Hmm big corp don't like customer freedom.

Re:Whis is behind this? (1)

jim_v2000 (818799) | more than 4 years ago | (#30188534)

You know what corporations like less than customer freedom? Class action lawsuits and criminal penalties, which is what they'd be facing if it was ever discovered that they wrote a worm for iPhones. All it would take is one whistleblower.

How is this going to get made Apple's fault? (2, Insightful)

BlueBoxSW.com (745855) | more than 4 years ago | (#30188092)

So Apple has been working hard to keep jailbreaking down to a minimum. Now it is discovered that some jailbroken phones with jailbroken apps have security issues.

How is someone going to now turn this around and blame Apple?

HOWTO: Putting the blame on Apple (1)

DrYak (748999) | more than 4 years ago | (#30188464)

How is someone going to now turn this around and blame Apple?

Well it's easy :
It's all Apple's fault. If they did provide absolutely all feature that every single user wanted, even including the weird hacking geeks, people won't be needing to jailbreak their phone in the first place.
Therefore : Let's blame Apple !

Re:HOWTO: Putting the blame on Apple (1)

rrohbeck (944847) | more than 4 years ago | (#30188566)

Actually true. If they hadn't locked down the iPhone, there would be no need for jailbreaking. If the iPhone had an open but secure OS all of this wouldn't happen.
Me, I'm still waiting for news about how open or locked down the various Android implementations are.

More seriously (1)

DrYak (748999) | more than 4 years ago | (#30188640)

...
In a more serious way :
If you look, there's a gradation of phone un-locking.

With iPhone at one range of the spectrum : people have to circumvent Apple's limitation to be able to do what they want with the phone. You can't even do some pretty much basic stuff like tethering - I find this particularly asinine. I've been doing that for years (almost a decade) with my antique Ericsson T39. Since IrDA/Bluetooth and GPRS have been existing, people have been doing it, but on what's supposed to be the latest bast smartphone you can't do it ? WTF ?!?

In the middle of the range you got Android : Not much firmware flashing because most end-users get all the features they want. The only reason to flash your phone is if your phone maker lags in releasing firmware updates, and some will block you from installing all the applications you want - but restrict you to app stores only. Thankfully the majority of Androids out there do what their users want them to do.

At the other hand you have things like Windows phone and the various incarnation of Palm (PalmOS, WebOS, etc.) - an SDK for developing is pretty much standard on these platforms and you can run pretty much anything on it. No need to flash.

The popularity of iPhone jail-breaking simply stems from Apple's tendency to be control freaks and wanting 100% over the whole "Apple experience".
It's understandable from a marketing point of view, but that's not what users want. But it doesn't matter as there are other more open alternatives to pick from.

RickRolling the iPhone!! (0)

Anonymous Coward | more than 4 years ago | (#30188140)

Being rickrolled is not malicious. It's a privilege.

Published passwords == bad. It's that simple. (1)

badger.foo (447981) | more than 4 years ago | (#30188164)

Publishing your password on the net (which is roughly equivalent to what these lusers have done) borders on criminal negligence. I've ranted about this before (and yes, it was /.ed), and the conclusion remains the same:

if you run with a default password, for root or otherwise, you have effectively published that account's password.

What is bound to happen after you have published your password is left as an exercise to the eader.

Re:Published passwords == bad. It's that simple. (1)

toriver (11308) | more than 4 years ago | (#30188654)

You should not be so quick to dismiss the benefits to known default passwords. Once I had to install an application targeting an Oracle database, but when I got there none of the techs present were Oracle administrators. Luckily, the people who had set up the database hadn't bothered with changing defaults, so I was able to do the install via the SYSTEM user. Didn't check if they also had default on DBA (or was it called SYSDBA?) since that default password is too long to bother with.

Re:Published passwords == bad. It's that simple. (1)

badger.foo (447981) | more than 4 years ago | (#30188992)

Oh, there's certainly a convenience factor, of course. The problem starts when your account with the default password is exposed to the world at large. In the case of the jailbroken iphones there is no sane reason to have a default password - for root of all things - in the first place.

And http://www.defaultpassword.com/?action=dpl&char=d [defaultpassword.com] confirms my hazy memory of the DEC field circus' User: field pass: service - which is good for a few stories in itself, of on-sites changing the password to 'circus' and a few mostly forgotten tales about putting modems into the mix and getting unusual activity from the field account.

Makes your iPhone just a little more exciting. (0)

Anonymous Coward | more than 4 years ago | (#30188290)

Google reader was showing an ad titled "Make your iPhone a little more exciting" with this article. Very exciting indeed!

What, a worm on a platform with no market share? (2, Interesting)

nato10 (600871) | more than 4 years ago | (#30188622)

Doesn't this (finally) put to bed the notion that there are virtually no worms or viruses for Mac OS X simply because hackers don't want to waste their time on a platform with so little market share? The platform targeted by the hackers in this case -- jailbroken iphones running a particular service -- is a fraction of the installed base of Mac OS X computers. It seems that hackers (naturally) select their targets primarily based on ease of exploit -- jailbroken iphones with SSH installed with a default password, for instance, or Microsoft Windows -- than on market share, since any of these platforms still provides tens of millions of potential targets.

I think it's also important to note that the security of Mac OS X extends to the iPhone as well; hackers are apparently unable to successfully compromise the much larger installed base of iPhones, having to content themselves with the much smaller population that has been jailbroken (read, "security compromised").

Why these stories come packaged like this... (1)

xgadflyx (828530) | more than 4 years ago | (#30188936)

Honestly, these headlines of recent need to include the word 'jailbroken' - then I wouldn't have to read them. Really, who cares? If you're jailbreaking your iPhone , man up and secure it. It's no different than any other computing device.

intelligence (0)

Anonymous Coward | more than 4 years ago | (#30188938)

What I don't see is upon installation of openssh it would be easy enough to force the user to change the password? Why don't they just have a simple check within openssh that if the password is the default upon the first login force the user to change the password?

Stop stop stop (1)

loftling (574538) | more than 4 years ago | (#30188944)

Seriously misleading. Next headline: "Toyota Prius prone to nuclear explosion". ... if you remove the engine, put your homebrew uranium fuel rods in it, and forget to read the owner's manual about needing proper coolant.

Passwd is not the solution (1)

grouchyDude (322842) | more than 4 years ago | (#30189454)

One reason why people might still be using the original password, and why this is all a hassle, is that the normal UNIX passwd program cannot be used on the iPhone.

I believe one needs to manually edit a file called /etc/master.passwd

Re:Passwd is not the solution (1)

elijahu (1421) | more than 4 years ago | (#30189690)

You do not know what you are talking about.

While that might be "a" way to change the password, the MobileTerminal program provides a convenient shell from which passwd works just fine. It is strongly recommended that the root and the "mobile" accounts' passwords are changed from their default. Instructions for doing so abound even with screen shots for people who can't be bothered to read. While there is the "hassle" of having to install MobileTerminal, I'm not sure this is really too much trouble for someone that has gone to the effort to jailbreak in the first place.

That being said, Saurik should be able to make the installation process for OpenSSH ask the user to change the passwords. It also should not be enabled by default, or turn itself back on after it is turned off (in my experience the OpenSSH program has a tendency to do both).

NO NO NO... (1)

Anim8me2 (637936) | more than 4 years ago | (#30190864)

NO NO NO... the title for the article should read "First malicious worm for JAILBROKEN iPhones in the wild" because that is the only way to get it and lazy readers will just start running for the hills claiming how insecure the iPhone is.

And by lazy readers I mean tech journalists.

Please don't call it jailbreaking... (1)

KillShill (877105) | more than 4 years ago | (#30190994)

It gives the impression you (the customer) is doing something wrong (breaking out of jail). Call it "removing the DRM". Personally, I don't know why anyone would want to buy a DRM-crippled device for hundreds of dollars and be beholden to 2 mega corporations dictating what you can and can't do with it. But I'll defend to the death the right of the public to do what they please with what they buy (own). F*** corporate rights!
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...