
iPhone Root Password Hacked in Three Days

Zonk posted more than 7 years ago | from the not-that-it-will-do-anybody-any-good dept.

unPlugged-2.0 writes "An Australian developer blog writes that the iPhone root password has already been cracked. The story outlines the procedure but doesn't give the actual password. According to the story: 'The information came from an official Apple iPhone restore image. The archive contains two .dmg disk images: a password encrypted system image and an unencrypted user image. By delving into the unencrypted image inquisitive hackers were able to discover that all iPhones ship with predefined passwords to the accounts 'mobile' and 'root', the last of which being the name of the privileged administration account on UNIX based systems.' Though interesting, it doesn't seem as though the password is good for anything. The article theorizes it may be left over from development work, or could have been included to create a 'false trail' for hackers."

311 comments

Prediction... (4, Insightful)

daveschroeder (516195) | more than 7 years ago | (#19732561)

This will get picked up by blogs, news sites - and, if we're lucky, given a good mangling by sloppy journalists in the mainstream press - as somehow meaning that any iPhone can be "broken into" by a malicious third party, and/or that all iPhones are now "insecure", and/or that iPhones - and all the personal data on them - are now, because of this, vulnerable to remote attack, when none of those things are true.

Also, from TFA and the summary:

"Having the passwords will not do anybody any good for the moment. The iPhone has no console or terminal access, so there is no way to log in as either account. In fact, nobody even seems certain that the accounts access the machine at all, some Internet commentators suggesting that the password file was left over from early development work, or was intentionally included to throw hackers off the scent."

These kind of idiotic replies to the blog post are telling:

Poetic Justice - 04/07/07
So much for Apple being the most secure OS in the world. Welcome to Microsoft's world, Jobs.


Wow, cracking a local password on a file that belongs to a device to which you have physical access?

Stop the presses!

Since iPhones don't have any kind of access that makes this "discovery" meaningful, I'm sure that people will just misunderstand the implications of this, and because of the iPhone's popularity - and a lot of people's desire to tear it down or create any FUD they can to dissuade interested people from possibly buying an iPhone - I'm sure this and related stories will be big news.

Re:Prediction... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19732603)

Way to have an unbiased reaction yourself there fanboy.

Where the FUCK is iLife '07??? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19732715)

Come ON you homosexual deviants in Cupertino. QUIT FUCKING AROUND and update your fucking software every so often. You mincing faggots are worse than Debian...

Re:Prediction... (5, Insightful)

Anonymous Coward | more than 7 years ago | (#19733427)

I know the Gizmodo-troll types think "unbiased" means one can not state the truth, but in reality, "unbiased" means not having any reason to say something that isn't true.

Unbiased does not mean stating both sides equally, because both sides are not always equal. An unbiased opinion on Iraq does not spend half the time saying the war is going well if it's not.

An unbiased opinion on the iPhone does not hesitate to point out its limitations, but doesn't have to spend "equal" time on being negative about it, if its flaws do not warrant it.

The iPhone is quite obviously a good product, with some limitations that might not work out for some people. It is not a 50/50 or middle of the road product, and compared to competitive landscape, it is very impressive on a number of levels.

Also, FYI: Calling anyone a "fanboy" immediately identifies you as an ignorant troll and ensures that nothing you have to say is worth hearing.

Re:Prediction... (2, Interesting)

Aladrin (926209) | more than 7 years ago | (#19732617)

"dissuade interested people from possibly buying an iPhone"

What? This wouldn't have that effect at all. It would have the -opposite- effect. Those who had not planned to purchase may think they could mod it like a ps2 and poof, instant super-phone.

Yes, we aren't quite there... But I have little doubt we'll get there pretty quickly.

Now if they manage to unlock it -and- provide access to run any app I compile, I would be very interested.

Re:Prediction... (5, Insightful)

daveschroeder (516195) | more than 7 years ago | (#19732651)

Assuming the iPhone is hacked to the point where it's easily modifiable, yes, it will have the opposite effect in the extremely small niche market.

In the mainstream, this can easily get spun as the iPhone is extremely insecure, and has been "broken into", causing normal people to steer very clear.

Re:Prediction... (5, Funny)

untaken_name (660789) | more than 7 years ago | (#19732897)

Assuming the iPhone is hacked to the point where it's easily modifiable, yes, it will have the opposite effect in the extremely small niche market.

In the mainstream, this can easily get spun as the iPhone is extremely insecure, and has been "broken into", causing normal people to steer very clear.


Doesn't the price tag already do that?

Re:Prediction... (1)

Organic User (1103717) | more than 7 years ago | (#19732975)

Doesn't the price tag already do that?
Apparently no. Gotta love inflation.

Re:Prediction... (0, Interesting)

Anonymous Coward | more than 7 years ago | (#19732911)

Well, Symbian 'viruses' require you to manually allow the installation three times, and some
people believe it's insecure. Even if you could reflash your iPhone with your own firmware
(unlikely without dedicated hardware) what's to stop unofficial ROMs being made available on
the net that contain trojan horses etc, boasting to have some cool new app? All it takes is
one stupid user to download it and have his phonebook copied to Russia, call premium rate
lines without his knowledge etc.

Being spammed on your phone is going to be far more irritating than email spam and, with North
American users paying to receive calls and texts (ha ha ha), will cost big bucks.

Re:Prediction... (0)

Anonymous Coward | more than 7 years ago | (#19733171)

They pay... to RECEIVE calls and texts?

If this is true then the American mobile telephony system is more fucked up then I previously imagined.

Re:Prediction... (0, Offtopic)

fbjon (692006) | more than 7 years ago | (#19733719)

They pay... to RECEIVE calls and texts? If this is true then the American mobile telephony system is more fucked up then I previously imagined.
That's to be expected, the American mobile phone system is fucked up beyond all imagination. :p

Re:Prediction... (1)

Belacgod (1103921) | more than 7 years ago | (#19733729)

Yep, and you can't block them. I've heard tell of groups harassing people by sending thousands of text-messages to one person, overloading their text message quota (if they have texting service). Personally, I don't use texts and I'd like to be unable to receive them. Lazy friends, pick up the fracking phone and call me.

Re:Prediction... (2, Interesting)

Drizzt Do'Urden (226671) | more than 7 years ago | (#19732711)

IIRC, if the iPhone uses NetInfo like MacOS X does on Macs, that password might be useful only in single user mode.

Re:Prediction... (2, Informative)

owsla (78381) | more than 7 years ago | (#19733155)

Indeed, NetInfo is probably in place since the complete /etc/passwd has a comment suggesting such at the top:

# User Database
# Note that this file is consulted when the system is running in single-user
# mode. At other times this information is handled by lookupd. By default,
# lookupd gets information from NetInfo, so this file will not be consulted
# unless you have changed lookupd's configuration.
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:XUU7aqfpey51o
unknown:*:99:99::0:0:Unknown User:/var/empty:/usr/bin/false
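
Added example, not part of the comment above or of the original thread: a small Python audit of the 10-field BSD-style passwd records quoted in that comment, flagging traditional 13-character crypt(3) hashes, accounts with a login shell, and malformed fields. The function names and finding labels are this example's own; it reports on the file's contents only, and the file's header says it is consulted in single-user mode.

```python
"""Audit a BSD-style (10-field) passwd file, e.g. one pulled from a firmware image."""
import re

# Field order of the 10-field BSD master.passwd layout used by the quoted file.
FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home", "shell")

# Traditional crypt(3): 2 salt chars + 11 hash chars, alphabet [./0-9A-Za-z].
# Only the first 8 password characters are used, so it is a weak scheme.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

NOLOGIN_SHELLS = {"/usr/bin/false", "/bin/false",
                  "/sbin/nologin", "/usr/sbin/nologin"}

# The file as quoted in the comment above (header shortened to one line).
SAMPLE = """\
# User Database
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:XUU7aqfpey51o
unknown:*:99:99::0:0:Unknown User:/var/empty:/usr/bin/false
"""


def classify_password(pw):
    """Name the scheme of a passwd password field without testing any password."""
    if pw == "":
        return "empty"                      # no password required
    if pw[0] in "*!":
        return "locked"                     # password login disabled
    if pw.startswith("$"):                  # modular crypt: $id$salt$hash
        parts = pw.split("$")
        return "modular:" + parts[1] if len(parts) > 2 and parts[1] else "unknown"
    if DES_CRYPT.fullmatch(pw):
        return "des-crypt"
    return "unknown"


def parse(text):
    """Yield (line number, record dict or None) for each non-comment line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            yield lineno, None
        else:
            yield lineno, dict(zip(FIELDS, parts))


def audit(text):
    """Return {account name: [finding labels]} for every record in the file."""
    report = {}
    for lineno, rec in parse(text):
        if rec is None:
            report[f"line {lineno}"] = ["malformed-record"]
            continue
        findings = []
        scheme = classify_password(rec["password"])
        usable = scheme != "locked"
        if scheme == "des-crypt":
            findings.append("weak-hash:des-crypt")
        elif scheme == "empty":
            findings.append("empty-password")
        elif scheme == "unknown":
            findings.append("unrecognised-password-field")
        shell = rec["shell"]
        if not shell.startswith("/"):
            # e.g. the daemon record above, whose last field is not a path
            findings.append("bad-shell-field")
        elif usable and shell not in NOLOGIN_SHELLS:
            findings.append("login-shell")
        if usable and rec["uid"] == "0":
            findings.append("uid0-password")
        report[rec["name"]] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(SAMPLE).items():
        print(f"{account:8} {', '.join(findings) or 'ok'}")
```
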

I'm still amazed that (2, Insightful)

Anonymous Coward | more than 7 years ago | (#19732739)

we read a story about a password to a user account on a phone and don't find that odd at all...

Re:Prediction... (5, Funny)

Dahamma (304068) | more than 7 years ago | (#19732871)

Since iPhones don't have any kind of access that makes this "discovery" meaningful

That pretty much sums up how useless this article was.

By the way, if anyone wants it, you can have the combination to my luggage.

Re:Prediction... (5, Funny)

m0nkyman (7101) | more than 7 years ago | (#19733041)

If it isn't one of the following I'd be shocked:
123 000 999 666

Those four will open 99% of all luggage in the world that doesn't contain a laptop, cash or a gun.

Re:Prediction... (2, Funny)

myatmpinis1234 (697897) | more than 7 years ago | (#19733691)

Guess I better change my ATM pin.

Re:Prediction... (1)

j.sanchez1 (1030764) | more than 7 years ago | (#19733071)

By the way, if anyone wants it, you can have the combination to my luggage.

Is it 1-2-3-4-5?

Re:Prediction... (1)

snowgirl (978879) | more than 7 years ago | (#19733175)

Crap, change my luggage combination!

Re:Prediction... (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#19733107)

Is it 1-2-3-4-5?

Re:Prediction... (0, Redundant)

XxtraLarGe (551297) | more than 7 years ago | (#19733173)

Let me guess: 1-2-3-4-5-6?

Re:Prediction... (1)

XxtraLarGe (551297) | more than 7 years ago | (#19733319)

Argh! darn phone calls making me post late. Anyway, mine's from "Space Balls" :-D

Re:Prediction... (0)

Anonymous Coward | more than 7 years ago | (#19732875)

I don't quite understand your reaction. Well, it's not even a reaction... that stuff hasn't happened yet.

And what makes you think that those things will happen? Well, things like this have been precedented. And you mentioned exactly where the precedent always has happened! Microsoft! 99% of the "vulnerabilities" that get reported here on slashdot simply are not vulnerabilities.

Keep your reaction in until stuff actually happens. It's only the apple and lunix fanboys who give FUD about non-issues.

Re:Prediction... (0)

Anonymous Coward | more than 7 years ago | (#19732893)

Wow, cracking a local password on a file that belongs to a device to which you have physical access?
For someone in IT, you seem to have very little regard for remote exploit potential. Let us say that the root password actually does give some access not previously available to a normal user (or an attacker for that matter). Now, there are a few ways to gain access to that file locally. I am sure you know (since you are in IT right?) that many remote exploits and attacks still require someone to run a program or open a file locally.

There are a few ways to do this, including using "social engineering" to get people. Hell, someone could find an exploit in the iPhone's web browser and then this could potentially become a huge problem. Now, this all hinges on the root password actually giving you something you didn't have before, which it has been speculated to not; however, to say that it is nothing is not stupid but just plain naive.

Re:Prediction... (3, Insightful)

daveschroeder (516195) | more than 7 years ago | (#19733087)

I do have little regard for remote exploits that haven't occurred.

I have a very high regard, on the other hand, for remote exploits that have occurred or are shown to be possible.

You're making a string of assumptions - that the password is even usable (which it may not be), that a remote exploit via the browser is possible, and that even if both happen, that this enables some higher level of access.

Are all of those things possible? Perhaps. But all of those have to be provably true before it justifies knee jerks that the iPhone is somehow "insecure", which are already happening around the blogs.

Also, I didn't say it was nothing. I said this story will probably get mangled to imply that - right now - it's somehow possible or very likely possible to "break into" iPhones remotely. And that's patently incorrect.

Re:Prediction... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19732903)

Oh joy, more Apple shills doing damage control for Apple's iPhone fiasco.

Re:Prediction... (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19732995)

Haha...oh yeah, the iPhone is a real "fiasco"...shut the fuck up, faggot.

Re:Prediction... (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19733615)

He's just an anti-apple fanboy wishful thinking.

Re:Prediction... (1)

morgan_greywolf (835522) | more than 7 years ago | (#19733033)

Since iPhones don't have any kind of access that makes this "discovery" meaningful, I'm sure that people will just misunderstand the implications of this, and because of the iPhone's popularity - and a lot of people's desire to tear it down or create any FUD they can to dissuade interested people from possibly buying an iPhone - I'm sure this and related stories will be big news.


And if it does, so what? Unless you have AAPL stock, why should you care?

In any respect, people aren't that security conscious anyhow. Most people who are even moderately computer literate know that Windows is a buggy, insecure POS. Most people use Windows anyways.

Re:Prediction... (1)

ChakatSanddancer (1106243) | more than 7 years ago | (#19733111)

Just as an FYI, the firmware has already been hacked and is currently being disassembled. Arbitrary code execution should happen within the next day or so, if not by the end of the afternoon.

Oh, and there's a zero-day quicktime exploit which may prove useful as well in allowing third party arbitrary code execution as well. Can't give too many details yet, the friend who is working on it is busy with the first approach first. So, yeah, iPhone security is pretty much broken.

Whoo-hoo (5, Funny)

gtrubetskoy (734033) | more than 7 years ago | (#19732575)

Now we can make phone calls as root!

Re:Whoo-hoo (5, Funny)

skuzzlebutt (177224) | more than 7 years ago | (#19732725)

yeah, instead of having to sudo to call my girlfriend...what a pain.

Re:Whoo-hoo (5, Funny)

Silver Sloth (770927) | more than 7 years ago | (#19732963)

Come on, this is /.

You don't call your girlfriend, you download her videos from Pirate Bay.

Re:Whoo-hoo (5, Funny)

Control Group (105494) | more than 7 years ago | (#19733083)

But then she'll make you a sandwich. [xkcd.com]

[It's only been 18 seconds since I hit reply, and, in order to give everyone a chance to post, slashdot requires me to slow down, cowboy!]

Re:Whoo-hoo (1)

jeffasselin (566598) | more than 7 years ago | (#19733757)

But the question is: Are you on Sue's "do her" list?

Re:Whoo-hoo (1)

moderatorrater (1095745) | more than 7 years ago | (#19733073)

"Hi, Anglina, this is root. We've noticed you've been taking a lot of Brad's time lately and we were wondering if you wouldn't mind backing off a bit. Thanks."

Scheduling algorithm? (1)

benhocking (724439) | more than 7 years ago | (#19733711)

Is that supposed to be a scheduling algorithm? If so, are we looking at Round Robin, Earliest Deadline First, Least Slack Time, or Fair Share scheduling?

Why root on OSX (1)

goombah99 (560566) | more than 7 years ago | (#19733639)

1) OSX runs fine without enabling root. indeed enabling root is discouraged. One has full access to root via sudo -s, so actually creating the root user is only a hazard and has no high value in OSX. Even if sudo gets borked you can still get in to root via booting in single user mode.

So I wonder why they enabled root? Perhaps when connecting from another computer to run a command via ssh it's a lot fewer steps to type. (don't have to enter the password twice). So I buy the idea this is left over from development.

2) However this does bring up some good questions. Just how do they manage this phone? Does the local computer need to know the password to get in to modify things? Does it mount as a hard disk with write privs to the attached computer?

Not that big a deal (4, Insightful)

Space cowboy (13680) | more than 7 years ago | (#19732581)

If Apple consider it important (ie: if there actually *is* a use for this, rather than just a false trail, or if they want to make people think that), all they need to do is update the values and/or system libraries in the next software update. They could even change the encryption *mechanism* to make it pretty-much un-brute-forceable if they wanted to. I doubt they need to do that though, just change it to a 31-character string with punctuation/digits etc.

Whereas this *is* news (hell, I'd submit it!), I think a lot of people criticising the iPhone at the moment still haven't made the leap from "this is a phone. It does X,Y,Z" to "this is a fully-fledged computer, masquerading as a phone" - with all that that implies.

Apple have said they intend to provide updates, changes, additions, etc. to the iPhone over time. They have a policy of supporting older computers with new OS releases, and I don't see why they wouldn't migrate this approach to their new market. It only *benefits* them if there are more used phones in circulation running OSX - even if it was a hand-me-down from the big-brother/sister who went and bought the new one...

If this truly is the "third leg" of Apple's business, someone will get yelled at internally, and the next update will fix it. End of story.

Simon.

Re:Not that big a deal (1)

numbski (515011) | more than 7 years ago | (#19732707)

Now, understand something here - I don't own an iPhone.

Now that we have that out of the way, if you have a unix system or device, and you have physical access to the system, don't know the root password, and we'll pretend for the moment that you can't drop it to single user mode, how do you get in?

Usually? If it's a filesystem you can read, mount said filesystem on another box, change the passwd file, and update any shadow files/database files. Now, I would HOPE that apple didn't go porting the entire netinfo system over, so what we should be clamoring for is that encrypted system image. If someone can get at that filesystem, then all of this becomes moot. Edit the filesystem, update your phone. :)

I know there's an iPhone teardown out there someplace already. There's probably a jtag on there where you could enable a serial port...

Re:Not that big a deal (2, Insightful)

Space cowboy (13680) | more than 7 years ago | (#19732801)

DMG's are encrypted with AES (at least I'm reasonably sure that's the case). The options on 'Disk Utility' when you select encryption are 'none', '128-bit', and '256-bit'. Given that they opted for an encrypted DMG in the first place, and that mounting this (and copying to flash) is not a common operation, I'd guess they went for the 256-bit key.

If so, that's going to take a while to break [grin]. On Leopard (and I'm guessing Apple engineers will be using Leopard :-) there's an indication of how good the chosen password is for a DMG as you create it. I'm guessing they chose a good one, because of that warning...

Simon

Re:Not that big a deal (3, Interesting)

spotter (5662) | more than 7 years ago | (#19732957)

you don't go after breaking the password, you go after finding where apple stored it. If it's encrypted, the iphone has to be able to decrypt it, therefore has to have the password available.

see how the original xbox hacker (whose name I forget) captured its encryption key by "simply" (yeah, not that simple) monitoring the bus.

Re:Not that big a deal (5, Funny)

Leto-II (1509) | more than 7 years ago | (#19732867)

I'd submit it!

Is this like the geek equivalent of the frat-boy phrase, "I'd hit it!"?

Re:Not that big a deal (1)

langelgjm (860756) | more than 7 years ago | (#19733431)

"I'd hit it!"?

Speak for yourself. I'm not that desperate.

Re:Not that big a deal (4, Interesting)

0xdeadbeef (28836) | more than 7 years ago | (#19733403)

I think a lot of people criticising the iPhone at the moment still haven't made the leap from "this is a phone. It does X,Y,Z" to "this is a fully-fledged computer, masquerading as a phone" - with all that that implies.

Then you understand nothing. The iPhone critics are thinking "this is a fully-fledged handheld computer, running the same operating system as my laptop, that has been intentionally crippled to protect the artificial market segmentation desired by AT&T and Apple."

they've never done it for iPods... (3, Interesting)

SuperBanana (662181) | more than 7 years ago | (#19733599)

Apple have said they intend to provide updates, changes, additions, etc. to the iPhone over time. They have a policy of supporting older computers with new OS releases, and I don't see why they wouldn't migrate this approach to their new market.

Except they don't do it for iPods. Each new "generation" of the iPod has run a different firmware *and* had different capabilities, like being able to search. The older iPods never got the functionality of the newer ones, ever. Clickwheel iPods can't "search", nor do they get the newer iPod games, etc. This is just like digital camera manufacturers, home network gear makers, etc. Very, very, very rarely do they take advantage of the firmware updates to increase functionality in any way. Why should they, when they can make you buy version N+1?

Most of the time they update the iPod firmware only to give it compatibility with the latest iTunes, and these days, the only updates to iTunes are security fixes and bloat (the glorified pedometer, Apple TV, the iPhone, etc. Anyone else remember when you could sync contacts and appointments onto your iPod through iSync?) My second-gen nano (or Mini, or whatever the hell it's called these days) still crashes 50% of the time when I go to play a podcast after syncing it with my mac. I'm not holding my breath waiting for them to fix it.

Passwords (3, Informative)

Anonymous Coward | more than 7 years ago | (#19732607)

The password for root is "alpine"
The "mobile" user accounts password is "dottie"

Re:Passwords (5, Funny)

techpawn (969834) | more than 7 years ago | (#19732811)

More secure than Microsoft whose default passwords are usually blank.

Re:Passwords (0)

Anonymous Coward | more than 7 years ago | (#19732833)

Cool! I just managed to install Skype on my iPhone. Bye bye AT&T, Skype, here I come!

Re:Passwords (5, Funny)

Anonymous Coward | more than 7 years ago | (#19732879)

Apple is fucked. Btw "root alpine" is an anagram for "rape lotion", how appropriate.

Re:Passwords (0)

Anonymous Coward | more than 7 years ago | (#19733053)

Interesting...

I'd have thought it would be the other way around, since Alpine
is a manufacturer of audio and other equipment for automobiles
(although they apparently are in bed with Microsoft on some projects
such as the Acura RL's navigation system).

And Dottie was the beleaguered wife of the character in "Armageddon"
who discovered the incoming comet, IIRC...

Re:Passwords (5, Informative)

antiNeo2000 (981119) | more than 7 years ago | (#19733167)

You've got it backwards. The root password is "dottie" and the mobile password is "alpine".

Re:Passwords (1)

ceeam (39911) | more than 7 years ago | (#19733435)

If true that only means that those passwords are irrelevant and not part of security mechanism.

Re:Passwords (0)

Anonymous Coward | more than 7 years ago | (#19733537)

BAD PASSWORD: it is based on a dictionary word

I'm still amazed that... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#19732637)

we read a story about a password to a user account on a phone and don't find that odd at all.

Created for... (5, Funny)

whisper_jeff (680366) | more than 7 years ago | (#19732673)

...or could have been included to create a 'false trail' for hackers."

Or it was created to generate topics on Slashdot when it's discovered...

Root user... (3, Insightful)

God of Lemmings (455435) | more than 7 years ago | (#19732683)

Perhaps this would be somewhat alarming if there was a root
user enabled in OS X to begin with.

This Password Is Dead. (0)

Anonymous Coward | more than 7 years ago | (#19732691)

Al's just pining for the fjords! But it's positively Slashdotty to link to a 92.5 megabyte disk image on a front page article.

Oh GOD. WHEN WILL THE FUD END???????? (-1, Troll)

br14n420 (1111329) | more than 7 years ago | (#19732703)

"An Australian developer blog writes that the iPhone root password has already been cracked. ....
  Though interesting, it doesn't seem as though the password is good for anything. The article theorizes it may be left over from development work, or could have been included to create a 'false trail' for hackers."


No, It's not really interesting. This sounds pretty normal and if your employer is listening, he needs to quickly fire you for wasting his resources on this lame shit about the iPhone.

What's next? Another story about how 2% of something customer service related at Apple or ATT is A GODDAMNED MOTHERFUCKING EPIDEMIC?

Thanks.

Re:Oh GOD. WHEN WILL THE FUD END???????? (1)

BobMcD (601576) | more than 7 years ago | (#19732939)

Do not try and end the FUD... that's impossible. Instead only try to realize the truth... There is no FUD.

Re:Oh GOD. WHEN WILL THE FUD END???????? (0)

Anonymous Coward | more than 7 years ago | (#19733541)

There is no Dana, only Fuud!

Netinfo? (5, Informative)

Anonymous Coward | more than 7 years ago | (#19732727)

I know I'm just an AC - so this will get modded waaaaaay down, but:

This isn't the password for the running account - you'd have to boot the phone into single-user mode. The running passwords would be stored in Netinfo.

This is going to turn into a lot of FUD....

Re:Netinfo? (2, Informative)

Anonymous Coward | more than 7 years ago | (#19732955)

Here's a good description of how and where passwords are stored in OS X using netinfo

http://www.dribin.org/dave/blog/archives/2006/04/28/os_x_passwords_2/ [dribin.org] ....seriously - this is an issue - but even if there was a terminal app right on the main screen of the darn phone - they still couldn't log in with it. ....THEY NEED TO GET INTO NETINFO!

Passwords (0, Redundant)

ahg (134088) | more than 7 years ago | (#19732737)

For the curious... The article links to another page with the passwords here [neohapsis.com]

Too lazy to look... root is "dottie" and the user mobile is "alpine".

digg (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19732791)

Digg had all this yesterday.

Mmmmm, honey..... (2, Funny)

Itninja (937614) | more than 7 years ago | (#19732749)

"...or could have been included to create a 'false trail' for hackers."
If this really is a honeypot 'password', that'd be pretty cool. They should have some code that will covertly download the entire Jim Neighbors catalog whenever the root password is accessed.

Re:Mmmmm, honey.....(Oops, should be Nabors) (2, Funny)

andawyr (212118) | more than 7 years ago | (#19732825)

Yeah? That'd be great, since I *love* Jim Nabors...

phew (5, Funny)

packetmon (977047) | more than 7 years ago | (#19732783)

Loaded 2 passwords with 2 different salts (Standard DES [64/64 BS])
alpine (mobile)
dottie (root)
guesses: 2 time: 0:00:00:16 (3) c/s: 551883 trying: royour - b1o2w8
For a second I was imagining the hoRRORble marketing money they would have had to spend if they would have cracked it and it would have read:

windows (mobile)
blows (root)

or

gates (mobile)
sucks (root)

Re:phew (1)

Minwee (522556) | more than 7 years ago | (#19732979)

Or

netscapeengineers (mobile)
areweenies (root)

root disabled? (0)

Anonymous Coward | more than 7 years ago | (#19732789)

Apple ships their computers with root disabled by default. I'd be very surprised if the phone wasn't the same. That would be quite a blunder on Apple's part. If it's not enabled, the password does you no good anyhow. I of course would love to see some useful hacks for this device as I'm typing on it right now. I'm sure the iPhone is a true hacker's dream device. Please bring me a terminal app!

Re:root disabled? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19732835)

I think you'll find an OpenMoko [openmoko.org] linux mobile+wifi phone is a "true hackers dream device", not an anaemic locked-down lump like an iphone.

Re:root disabled? (1, Offtopic)

OldeTimeGeek (725417) | more than 7 years ago | (#19733179)

You may find that it's a "true hackers dream device" when you can actually find one.

As it has been delayed until October [linuxdevices.com] at the earliest, I guess we'll just have to wait to see...

Re:root disabled? (4, Interesting)

tgatliff (311583) | more than 7 years ago | (#19733461)

I would be impressed if korn is running on any stty, as there really should be no need for running a shell on a production unit. I am not going to believe this "trying to throw off" business, though... That USB interface is just way too handy to not do terminal interfacing during development/testing... The trick is understanding how they were interfacing to it, though. I strongly suspect that it is just a matter of time before someone invests the time to figure it out...

In my opinion, the biggest news here is not as how it was reported, but rather that people now can easily modify the default image and try booting it on the iPhone...

Re:root disabled? (1)

djh101010 (656795) | more than 7 years ago | (#19733693)

In my opinion, the biggest news here is not as how it was reported, but rather that people now can easily modify the default image and try booting it on the iPhone...

Hmmm... drop in an init script or two to kick off a terminal window? is there a terminal.app anywhere, or X11 hooks? I should download the image and play around a bit...

Is someone really trying... (1)

Kjella (173770) | more than 7 years ago | (#19732845)

...to run a smear campaign against Apple? I'm sure this will get reported with all the fury of the iTMS metadata, which was blown up huge in media yet those I know who use it merely shrugged. I'm sure we'll get all the "iPhones are root'ed" with all due reference to what the root account is on a Mac, yet only with a tiny mention that you can't actually do anything with it on the iPhone. Apple and Macs have always been harassed for being too expensive or underpowered or one-buttoned etc. but there's always been an ounce of truth in there, right now it seems like there's fake grassroot campaigns of FUD, FUD and FUD...

Re:Is someone really trying... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19733021)

Waaah! Waaaaah! Waaaaaaaah! :'-(

Re:Is someone really trying... (0)

Anonymous Coward | more than 7 years ago | (#19733027)

How do you know they can't do anything with it? Operators can upgrade/change software
over-the-air (OTA) without your knowledge. Perhaps this 'account' allows for silent
install of firmware updates. If operators can do it, 3rd parties can too.

Re:Is someone really trying... (1)

dcskier (1039688) | more than 7 years ago | (#19733043)

There are always going to be fanboys and haters. We've heard for weeks from the mac fanboys who have had 2-3 articles on the front page every day about how amazing the iPhone will be. And I'm sure for the next week or two we'll have a few posts about the flaws in the device. Macs get harassed for certain things just as Windows is harassed for nearly everything and even Linux is harassed for certain aspects.

I don't think there's a grass roots campaign conspiracy running against the iPhone, but I'm sure you will now be hearing from all of the haters as they've wanted for their day to rant on it, and each flaw will be blown out of proportion just as each feature was hyped before the release.

Two biases don't make a right... but hey this is slashdot.

Re:Is someone really trying... (1)

Vexorian (959249) | more than 7 years ago | (#19733449)

Yes, 'cause any negative news story about Apple is obviously a lie.

Apple Security == Myth (0)

Anonymous Coward | more than 7 years ago | (#19732873)

Another shining example of how terrible the security with mac related products actually is [theblackan...ball.co.uk] .

Re:Apple Security == Myth (0)

Anonymous Coward | more than 7 years ago | (#19733377)

Wow this is HUGE news! Sure glad you posted it!

Re:Apple Security == Myth (0)

Anonymous Coward | more than 7 years ago | (#19733425)

One thing that isn't a myth: Apple is a filthy DRM merchant.

Egads (1, Offtopic)

Reason58 (775044) | more than 7 years ago | (#19732927)

I hope this thing isn't phoning home. Literally.

Re:Egads (1)

another_fanboy (987962) | more than 7 years ago | (#19733279)

I hope this thing isn't phoning home. Literally.

So long as it does not charge for the call.

Why this won't do any good (3, Funny)

sjonke (457707) | more than 7 years ago | (#19732993)

The article left out the detail that the reason these passwords won't do you any good is that you only get 3 tries to enter them before your locked out. Goop lick.

Re:Why this won't do any good (1)

BobMcD (601576) | more than 7 years ago | (#19733039)


Wait, so I only get three chances to input a password I already know?

DAMMIT ALL TO HELL!!! THAT'S COMPLETELY IMPOSSIBLE!!!

Re:Why this won't do any good (2, Informative)

Random832 (694525) | more than 7 years ago | (#19733113)

I think it was intended as a subtle dig at the usability of the iPhone "keyboard".

Re:Why this won't do any good (3, Insightful)

iabervon (1971) | more than 7 years ago | (#19733231)

Actually, the reason these passwords won't do you any good is that you don't get any chances to enter them, because it doesn't have a login prompt on anything that's exposed in production phones.

Passwords on my device (3, Interesting)

nurb432 (527695) | more than 7 years ago | (#19733009)

Shouldn't be hidden from me anyway, it's MY phone, I bought it, it's MINE.. If I want to do something stupid and brick it in the process, it's my choice. (As long as I don't go and cry to Apple for a free replacement.)

Re:Passwords on my device (4, Insightful)

mr_spatula (126119) | more than 7 years ago | (#19733117)

If it's really YOURS, then why do you have to activate it via AT&T before it can be used, eh?

Re:Passwords on my device (2, Insightful)

Creepy Crawler (680178) | more than 7 years ago | (#19733365)

That's because USA nickel-and-dime culture sucks.

I'll probably get the European model. Unlocked from any carrier, and supports better protocols.

Re:Passwords on my device (1)

Achoi77 (669484) | more than 7 years ago | (#19733177)

Perhaps it was just tucked away under the rug because Apple didn't have the time to bother to spend additional money removing it completely. If Apple (or whomever is speaking on its behalf) is telling the truth and truly it doesn't really do anything, then it's just some clutter. Besides, what's with the passwords anyways? Using whole words, one that starts with the first letter of the alphabet? Not a single number? It's obviously not meant to be hidden that deep.

Image downloading?! (0)

Anonymous Coward | more than 7 years ago | (#19733015)

Holy cow! I cannot believe someone linked to the restore image archive and that it hasn't been pulled from the Apple site yet! Aye carumba.

I'll just hang onto this file for a while until someone writes an emulator... then who knows if anything good or interesting could be done with it...?

Custom software (2, Interesting)

suv4x4 (956391) | more than 7 years ago | (#19733287)

Yes, probably this is the default phone password which the phone uses to "autologin" into itself on startup, and as such isn't useful for "hacking" into the phone remotely.

But you should consider: a) the phone doesn't support custom software b) thousands of geeks who bought the phone want to write apps for it.

Maybe knowing the root login is a tiny step in that direction, if you get what I mean. I have the feeling we'll be seeing AT&T disabling remotely phones that have been hacked with custom apps. Same as MS did with modded XBOX360.

as there is a root (2, Insightful)

Anonymous Coward | more than 7 years ago | (#19733329)

Then I guess it is a multiuser system, then several people should be able to login, ah..., make phone call, on the same phone simultaneously. God, this is revolutionary! I have never seen a phone like this.

Theories (2, Funny)

suv4x4 (956391) | more than 7 years ago | (#19733331)

The article theorizes it may be left over from development work, or could have been included to create a 'false trail' for hackers.

Even better, I suspect this is the major reason Leopard was delayed. iPhone's software was completed all along: all those OSX developers were assigned to create numerous false trails for hackers, on the iPhone.

Linus is right (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19733385)

I am with Linus on this one.

I'm wondering if it's intentional (4, Interesting)

jmichaelg (148257) | more than 7 years ago | (#19733477)

I'm wondering if perhaps Apple wants the phone cracked. AT&T doesn't control activation, Apple does. If the phone is cracked then people could buy an iPhone and if another carrier was willing, activate it with some other carrier than AT&T. There are lots of people out there who can't stand AT&T so it's not as if we're only talking about 2 or 3 hackers doing this.

Jobs could play the innocent claiming that hackers did it all the while happy that yet another iPhone went out the door.

from full-disclosure (3, Informative)

shivan (12148) | more than 7 years ago | (#19733545)

Re: [Full-disclosure] iPhone Security Settings

From: Erik Tews (e_tewscdc.informatik.tu-darmstadt.de)
Date: Sun Jul 01 2007 - 17:20:37 CDT

On Monday, 02.07.2007, at 00:07 +0200, Fabio Pietrosanti (naif) wrote:
> There are a couple of user with their password:
>
> root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
> mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
>
> Does someone have some time to arrange a quick john session (should be
> quick)?

Loaded 2 passwords with 2 different salts (Standard DES [64/64 BS])
alpine (mobile)
dottie (root)
guesses: 2 time: 0:00:00:16 (3) c/s: 551883 trying: royour - b1o2w8

Yes, it was quick
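
An added example, not part of the comment above or of the Full-disclosure post it quotes: a check a firmware reviewer could run over passwd entries like the two quoted, flagging the legacy DES crypt format that john reports as "Standard DES". The 10-field BSD master.passwd layout is an assumption inferred from the quoted lines, and the `daemon` and `builder` entries are constructed sample data.

```python
import re

# Constructed sample: the first two lines are the entries quoted in the post
# above; the `daemon` and `builder` lines are made up to cover other branches.
SAMPLE = """\
root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
builder:$6$c29uc3RydWN0ZWQ$notARealHashValue:502:20::0:0:Build:/var/builder:/bin/sh
"""

# Assumption: 10-field BSD master.passwd layout, matching the quoted entries.
FIELDS = ("name", "hash", "uid", "gid", "class", "change", "expire",
          "gecos", "home", "shell")
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # 2-char salt + 11-char digest
MODULAR = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt"}
NOLOGIN = {"/usr/bin/false", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def classify(h):
    """Name the crypt(3) scheme from the shape of the stored hash field."""
    if h == "":
        return "empty"
    if h[0] in "*!":
        return "locked"
    if DES_RE.match(h):
        return "des-crypt"
    m = re.match(r"^\$([0-9a-z]+)\$", h)
    return MODULAR.get(m.group(1), "unknown") if m else "unknown"

def audit(text):
    """Return (account, scheme, issues) for every entry in the file text."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            findings.append((parts[0], "malformed", ["expected 10 fields"]))
            continue
        e = dict(zip(FIELDS, parts))
        scheme, issues = classify(e["hash"]), []
        if scheme == "des-crypt":
            issues.append("legacy DES crypt: 12-bit salt, 8-character limit")
        if scheme != "locked" and e["shell"] not in NOLOGIN:
            issues.append("credential paired with login shell " + e["shell"])
        if scheme != "locked" and e["uid"] == "0":
            issues.append("uid 0 account is not locked")
        findings.append((e["name"], scheme, issues))
    return findings

if __name__ == "__main__":
    for name, scheme, issues in audit(SAMPLE):
        print(name, scheme, issues or "ok")
```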
