iPhone owners in Australia awoke this weekend to find their devices targeted by self-replicating attacks that display an image of 1980s heart throb Rick Astley that's not easily removed. The attacks, which researchers say are the world's first iPhone worm in the wild, target jailbroken iPhones that have SSH software installed …
give the guy a medal... sorta
He's actually doing the jail-breaking community a favour - ok, so having the worm reset the pic to ricky is a tad mean and unnecessary, but I guess it forces the kind of person who leaves their default password on to really think about what their phone is actually doing.
I'm waiting for my Dext to be delivered - once it turns up, my jail-broken iPhone is gonna be wiped and sold... although I should point out not because of this worm!! :)
Don't break out of jail
unless you know what you are doing and that probably rules out 98% of mactards. Leave well alone what you don't understand. The unix guys hack away and lock down the SSH if you need it or bin it.
If you're gonna jailbreak, ya gotta be smart enough ta change the passwords.
No lame haxxorz need apply...
The old, old story
One more case of the old, old story. If you don't take security seriously, you're at risk.
Security by Obscurity (ie running a less common OS for which there aren't as many worms in circulation) is only good up to a point.
Moral of the story: if you don't know anything about computer security, find someone who does.
he should have had it also change the ringtone to Never gonna give you up
It certainly plays right into Apple's hands making sure it's in people's best interest to leave Apple in control of their iPhones.
Not that Apple would create and infect their own handsets with a virus that only attacks jail broken phones, of course not :P
We identified this issue a while ago... Interesting to see that it has now been exploited...
Finally, a use for the Rickroll
Using to humiliate Jobsientologists. What a shame it didn't set an alarm that played that song every 15 minutes. That would cause a lot of crushed imaposerPhones
"jailbreak" does not imply "ssh"
Jailbreaking doesn't by default install the SSH server. You have to do that yourself, presumably because you want to use it.
So the instructions given for changing the password are a bit silly. No need to install MobileTerminal specially. Just ssh in over wifi (it's why you installed ssh, right?) and run "passwd".
It's hard to believe that anyone who knows enough to want to SSH in to a Un*x system doesn't know how to change a password.
Why don't the jailbreak progs...
...simply disable SSH when they're done?
fix story title
This is NOT an iphone worm and it's incorrect and inflammatory to claim that. It's a work targeting the jailbreaks, nothing more
So a hacked system is insecure --- what a surprise
So I guess this means Rick Astley is officially an Ohrwurm (earworm).
Blanket solution will piss off administrators
I can easily see where providers like AT&T would, in an attempt to prevent this worm from spreading, block port 22. This will, of course, deny many system administrators access to a legitimate tool.
I just hope AT&T will be smarter about it. Maybe block port 22 INCOMING, if they are going to do anything at all. To a large degree, I am surprised they do not block incoming connections, anyway.
Paris, prefers open ports.
"display an image of 1980s heart throb Rick Astley that's not easily removed."
Much like the national conscience, *shudder*.
Seriously though, why the hell do consumer devices have to have default root/admin/super-user passwords? If they never need to be changed you simply ask the user to setup a one time super-user/top-dog password which they need to write down somewhere safe and never reveal to anyone! Then they set up their own password, job done!
If you've an IQ large enough to understand the workings of a complex communication gadget, then I am sure you can cope with coming up with two passwords! Even if they are the same one, at least it's not simply the same password across 20 million devices!
PermitRootLogin = no
Seems obvious on (nearly) every sshd install.
We need an option to combine icons, as this is both thumbs up, thumbs down, WTF, FAIL, AND I'll drink to that.
"if owners haven't bothered to change their root password, they represent a gaping hole waiting to be exploited"
"This is NOT an iphone worm and it's incorrect and inflammatory to claim that. It's a work targeting the jailbreaks, nothing more"
Oooh, a touchy Mactard there.
It's a program that targets the jailbreaks on which phone?
Why set port to 22 ?
Don't know about the iphone but I never set the SSH port to 22 or anything like. My router logs over many months show 4-5 attempts a day to connect to 22 but none to the actual port.
But I guess if you don't know enough to change the password .....
I use a non-trivial account name as the only allowed connection + 20 char hideous password generated from a simple passphrase by a little password protected C program, whose source code and executable are protected by having permissions set to x only and owned by root.
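The sshd settings raised in the two comments above (`PermitRootLogin`, password logins, the listening port) can be checked mechanically. The following is an added example, not part of any comment or of the original article; the sample config is constructed, and the fallback values used for absent keywords are a conservative assumption of the example.

```python
SAMPLE = """\
# constructed sample config, not taken from any real device
Port 22
PermitRootLogin = yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

# Values assumed when a keyword is absent. This is a conservative assumption
# of the example; real defaults depend on the OpenSSH version installed.
FALLBACKS = {"port": "22", "permitrootlogin": "yes",
             "passwordauthentication": "yes"}


def effective_settings(text):
    """Return the global keyword -> value map for an sshd_config text."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept whitespace or a single '=' between keyword and value, so the
        # "PermitRootLogin = no" spelling from the comment parses as well.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # per-user/host overrides are outside this example
        seen.setdefault(key, value)  # sshd keeps the first value it reads
    return {**FALLBACKS, **seen}


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = effective_settings(text)
    findings = []
    if s["passwordauthentication"] == "yes":
        who = ("all accounts, root included" if s["permitrootlogin"] == "yes"
               else "non-root accounts")
        findings.append(f"password login is open to {who}")
    if s["port"] == "22":
        findings.append("listening on the default port 22")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

In the sample the later `PermitRootLogin no` line has no effect, because the first value read for a keyword is the one that applies.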
Quote: Seriously though, why the hell do consumer devices have to have default root/admin/super-user passwords?
They do not. And apple did not. It used what should be used to manage consumer devices - certificates and public keys. The password is not accessible and not exposed in the default config. It becomes an issue only once you have hacked the iPhone. Prior to that authorisation to install software, etc is all done via public key cryptography. As far as having different passwords per device, I do not quite see the justification on wasting software development effort on this if it is not an interface that will ever be exposed to the user.
If it runs software, it probably has a default password somewhere. Mostly, in Operating Systems, Security based software (i.e. ssh, firewalls, anti-virus, content filters, etc).
The software in Network Routers (wired or wireless), DSL Modems, VPN hardware, AND YES.. Mobile Phones are just a few fine examples.
Failure to change the default password for your device/pc, or the software within it, will at some point teach you a very disturbing lesson about security.
So. TWO VERY IMPORTANT THINGS we all learned from what happened in Australia?
It CAN happen to YOU too. AND MOST IMPORTANTLY :
Arrrrrrrrr!!! " };> "
Thing is, they don't even install SSH by default. You need to manually install SSH, and the process tells you that you need to change the root password.
Jailbreaking has been made easy, which is good. Out of the box, I believe a jailbroken iphone is secure.
People have to choose to install. If you're doing this you should understand why you're doing it, and also understand the implications. If you do install, don't change passwords and merely get rickrolled, you have been hugely lucky!
@Peter 39: What is a worm?
"This is NOT an iphone worm and it's incorrect and inflammatory to claim that."
Admittedly from Wikipedia:
"A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention."
Sounds like what's happening here, and it's only affecting iPhones. That makes it an iPhone worm.
It might be inflammatory, but it's certainly not incorrect.
'This is not an iPhone worm'
Smells like a turd, looks like a turd, runs on a turd, yup, it's an iPhone worm.
Or are you saying that a jailbroken iPhone isn't an iPhone anymore?
Paris, she's got a clue at least...
A 1980's heartthrob?
That is a bit over-ubiquitous isn't it?
Just shows that Apple was right...
The lock down with a secure AppStore is there for a reason.
@By Peter 39
The last time I checked self replicating code that spreads itself with no user intervention (clicking on an exe) is a worm. Sophos (who should know) back me up on this one. But you are right in one respect it is not meant to be harmful only a public proof of concept.
"So a hacked system is insecure --- what a surprise"
Well actually no, any system that has a "default" password that isn't prompted to be changed automatically on first use is insecure. On first turning on an iphone the correct procedure should be to prompt people to enter their own password and thus replace the default password. The insecurity is built into the system, much like windows, surprise!
Oh Fanboys .....
Did somebody pick on your wittle phone? Awwwww ..... mommie will make it all better; yes she will.
May I second that motion, and follow it up with my own, additional;
Mactards get back in your locked cage
Or get a virus scanner - there's an app for that... oh wait...
Being made to feel like a complete n00b for not changing passwords?
There's an app for that.
"I foolishly had forgot to change my root and user password last time i had jailbroke my phone"
says. it. all. foolishly.
Written by Apple
I wonder if Apple is making a point?
To all the flamers...
... who think it is an iPhone worm and are busy mocking others, consider this. I've taken a Linux build, heavily modified it, left an SSH daemon running on default ports with a well known password and suddenly find myself owned. Do I have a leg to stand on by running (or hopping) to the Linux community or the media shouting "I've found a Linux exploit!!"?
The title should be qualified by jailbroken iPhones
Well, what do people expect?
If you hack a device, install proper security measures and stop bitching about the manufacturer.
Like it or loathe it, Apple's default setup on those phones is secure. This stuff is totally beyond their control and it's rather unfair to suggest that it has implications for iPhones.
Apple could prevent some of this kind of nonsense by selling the damn things SIM free without ball-breaking contracts and network lock-ins.
However, in the interim, their product is an iPhone, with their software on the networks that they have agreements with, and not anything else.
That situation will only change when competition increases. We are really only starting to see the emergence of competing platforms, the iPhone has a couple of years' head-start.
Google Android, Nokia's Maemo and perhaps Palm Pré (but it's a remote perhaps) will undoubtedly shake up the market quite a lot and Apple will inevitably relax some of its policies as it will become more concerned about shifting phones and apps than getting money out of network operators.
i.e. we will quite likely see a more iPod like strategy as the touch-screen smart phone with apps becomes a more generic and widespread device.
First thing I did after jailbreaking...
Was turn off SSH. It's a toggle switch ffs.
> any system that has a "default" password that isn't prompted to be changed automatically on first
> use is insecure. On first turning on an iphone the correct procedure should be to prompt people
> to enter their own password and thus replace the default password.
What part of "SSH isn't installed on iPhones by default, the user must first HACK the phone, then must CHOOSE to install it themselves" didn't you understand?
How can you change the password for SSH on the iPhone when first turning it on, if SSH ISN'T INSTALLED IN THE FIRST PLACE? Duh!
Jeez, some people are idiots, and you even put your name to your comment.
No you don't.....but it's still an exploit! If someone else were to gain control of, or negatively influence your system then by definition, it has been exploited. Deliberately/negligently failing to secure a system does not exemplify the hole from being an exploit.
re: To all the flamers
No, but if hundreds or thousands of people all do that and someone writes a piece of software that takes advantage of that and self-replicates over the network without user interaction, that IS a linux worm. And it's an iPhone worm, not an exploit, that we're talking about here.
Incidentally, doing that and running to the linux community for help is likely to result in a lot of laughter, after which someone might help you.
So some stupid people who hacked their Iphones and didn't change the passwords are having problems. This isn't news, it would only be news if it happened to Iphones that hadn't been meddled with.
not much a scare
I think this highlights the issues of using jailbroken iphones without really knowing what you're doing or being complacent.
Most users will not have a jailbroken phone, and those that choose to jailbreak it, should have the technical knowhow to keep it safe, especially if you install OpenSSH on the thing.
Is this the first true mobile phone worm?
The only other one I can think of is Cabir which only installs when the user chooses 'Yes' three times. This one, from what I can see, requires no user interaction to get installed.
I am seeing a trend in Apple product user's regard for their fellow (less intellectually endowed) users.
Apparently, if something goes wrong with an apple product for any reason, the user is a cretin.
Apple user enables guest account and it overwrites their main account: user is a cretin
Apple user jailbreaks their phone and does some wizardry: user is a cretin.
I wonder which Apple product will be affected next. In any case, I know that whatever the problem is, the user will be to blame...and probably a cretin.
@Greg J Preece
It jailbreaks the iPhone, a device owned and used by both Mac and Windows users, and supported on both platforms. So, ummm, iPhonetards? Oh, and iPodTouchTards, too.
I wouldn't be surprised if the majority of iPhone owners are also Mac owners, but I would be surprised if the majority of iPod Touch owners are. There's just too many of them about.
The iphone is based around FreeBSD and by default you cannot login as root over ssh on true BSD, you need to login as a user with wheel group membership and have to su up to full root access. Something must be a bit wrong with the Apple implementation of this daemon
How does this work exactly?
I'm thinking it can't possibly work over the 3G connection as no ports are forwarded to the shared IP, or is it shared?
Then that only leaves WIFI to a trusted network. If you don't have any firewalls set up you deserve to be hacked...