Miscreants have developed a hacking tool that attacks jailbroken iPhones. iPhone-Privacy-A follows hot on the heels of last weekend's Rickrolling worm that changed the wallpaper on vulnerable iPhones to an image of cheesy '80s pop star Rick Astley. The latest hacking threat exploits the same vulnerability in the iPhone as the …
More downsides to jailbreaking!
What became evident to me when I did a test Jailbreak on my iTouch, was that suddenly you no longer have a trusted source. Yes, you have a TON more options to play with and a whole host more apps, but the whole vetting process is lost.
You have NO idea whether what you are installing isn't malware, or contains malware.
Proceed at own risk I suppose, but it sure made me reconsider and I switched back.
unsecured device with default passwords gets pwned! Who'd've thunk?
Like what has been said before, it's only if you install SSH on your iPhone and do not change the root password, kinda like setting up remote desktop on your PC with no username or password.
You don't have to install SSH if you don't want to. That being said it would be nice if the people who make the custom jailbreak firmware would give the option after install to change the root password, rather than having to SSH in and type 'passwd', but whatever.
Jailbreaking DOES NOT install SSH
Small point of correction. Jailbreaking in and of itself does not install or enable anything SSH related. To do this requires the user to manually install OpenSSH using one of the various installers.
So iPhoners, if you're jailbroken but have not installed OpenSSH, you're fine. If you have installed OpenSSH, change the root password to something other than "alpine" and you're fine.
Frankly, can this even be called a worm or virus when all it does is exploit weak passwords? Plus, what's the # of jailbreakers+OpenSSH+default-password really? 100? 250?
Oh yes, don't let me do what I want with my expensive tech, it's not like it's mine anyway. Give me all the limitations of "out-of-the-box" on everything. Ditto installing Linux on a PC that came with Windows, or other such shenanigans.
We should only ever do what Steve Jobs wants us to, hence his halo.
What I really think: For once this isn't Apple's fault. If users can't cope with the idea of changing the default password on a key bit of software then they shouldn't have it.
Call me cynical, but I bet if someone gets deep enough they'll find the hackers are funded through anonymous payoffs in brown envelopes passed between individuals in Raincoats and Trilbys in Cupertino Square.
Where has this been observed?
With the Rick-Rolling incident, it hadn't been observed outside Australia at the time of writing. Has there been any discussion of where this has turned up?
iPwned: why didn't I think of that? :)
Close but no cigar.
Other posts on this topic point out that the Rickroll virus is actually a kid in Australia who stole the code of the Dutch worm whose source was released a week prior; he's been thrashed for it and outed publicly from what I've seen. More info can be found on encyclopediadramatica.com; search for Ashley Towns, it outlines his little attention whoring stunt.
Part of the problem could be eradicated...
if Apple didn't insist on selling phones operator locked - yes I know some people jailbreak for other reasons but I reckon a large majority only do it to "unlock" their phone.
Apple seem to have missed an opportunity in UK and seem to think that it is a good idea to sell 2 variants of the iPhone on the online store - one Orange and one o2 WTF?!?
Nice to see you Rick!
Bet the people stuck with Mr. Astley as their wallpaper have never been so pleased to see him given that the ikee worm disabled SSH after infecting the phone.
@AC 13:10 - "kinda like setting up remote desktop on your PC with no username or password."
Not really - you can't log in to an account over RDP if it doesn't have a password set
Miscreants or MicroSoft...
When I first read this article, I completely misread Miscreants as Microsoft, and for a while was pondering over the ethics of MS hacking Apple...
By default this is true. However, you can set a local security policy which activates this behavior.
Paris, non-default behavior.
Just goes to show, security through obscurity is no security at all.
Cue angry wave of mactards rushing to defend Sir Steve's holy widget...
What if Apple is responsible (if not for this, then maybe future)?
I have always considered Apple actually going after the people that jailbreak the phones. I don't see them being above creating their own "malware," since they are obviously the most knowledgeable about their own holes.
I do see jailbreaking as a potential benefit to them as well, without it no unlocking, and therefore fewer phones sold.
Whether an application that you install on your iDevice is malware or not is completely unrelated to whether you've jailbroken it - witness the Storm8 fuss.
Calling the AppStore a "trusted source" has to be one of the best jokes of the day.
@Andy 115 and Oliver Jones
Andy, I think you'll find that the operators are insisting on operator locked devices. AFAIK, ALL devices in this country sold by any of the mobile phone operators are locked (Yes, that included those made by Nokia, Sony Ericsson et al.) hence the Apple store offering the two different models.
Oliver. What a twat. Did you read the article, or for that matter any of the other comments (even the negative ones!)? It's quite clear that this malware targets only jail-broken phones, not all iPhones - the clue is in the title; Malware cleans out JAILBROKEN iPhones. I'd also argue that the iPhone/iPod Touch platform is hardly 'Obscure', maybe it is in your world. Still, why let facts get in the way and miss out on the opportunity to be a troll and bash Apple.
I wouldn't be surprised ...
If all of this was actually Apple's work.
Total FAIL. Anyone with the savvy to install and use OpenSSH should know about the security concerns. Most of the stuff you can do using SSH commands can be done with apps anyway; so why would you bother? I just don't get anyone who leaves security stuff set to defaults.
@Oliver Jones - What are you babbling on about, you silly fool?
Did you read the article?
And you have the audacity to use the word 'mactards' - oh dear, now go stand in the corner...
@Warren G - you pays ya money, you takes ya chance - nobody is twisting your arm forcing you to buy or use the gadget. Bottom line, Apple wants the user experience of the device to not be sullied by tons of cruft. The *only* reason Joe Public would want to jailbreak a phone is so it works on a different network. Amazingly enough, it's not the only phone that has this restriction.
As for other reasons to jailbreak - to install apps from Cydia et al - that really is a small niche area, as the vast majority of punters are more than happy with the app store.
Apple users who believe the hype that they are immune from viruses!
Apple dun it?
Why do people think Apple would be in any way involved with this? While they'd rather you didn't jailbreak your phone, they don't lose any money by your doing so. It's simply not in their interest to cause this kind of press shitstorm, especially when everybody knows that it'd be reported in a way that's negative for Apple.
When seeking the culprits, look at risk/reward. Apple gain very little and would risk a lawsuit that could possibly end them if they did this. Simply not going to happen.
Oh, and it's not a secret iPhone vulnerability that only Apple's developers would know, it's a default password. No skill at all is needed to 'crack' a login and password prompt when you have both the login and the password.
Change the first paragraph of the article.
It's misleading to say that this worm can connect to any jailbroken phone. It will only "clear out" jailbroken phones with SSH installed and using the default password. Was this an oversight due to ignorance or a bias to a certain company?
not quite a virus but...
I think it was on El Reg a few years ago that the whole 'smart phone' thing was being discussed and one potential drawback was that if phones run windows or similar then we could have the same virus related problems on our phones as we do on PCs.
So it wasn't windows, but still..
The reason my phone does not have a virus is because when i want SSH on the go, i use a laptop or a netbook. My phone is a phone.... that is all, and it does the job really well!!!
RE: Conspiracy Theory
Apple must be rubbing their hands with glee whether it was their doing or not! It does seem strange, if you believe the Mactards that is, that an Apple platform has been compromised twice in a week.
That said, all it exploits is weak SSH passwords so I guess you could at least point the rickrolling at almost anyone with SSH and a duff password. As I've not paid that much attention to the iPhone I've got no idea what OS it runs but I was assuming it'd be nice and proprietary just the way Mr Jobs likes it and if that is the case it could lend some credence and genuine concern to this latest exploit.
@ Simon Banyard
It is incorrect to say all phones are operator locked - they (perhaps) used to be, but my last 2 contract phones from o2 came unlocked as did the 2 PAYG ones before them (that is factory unlocked - I didn't have to request them "unlocked" after the fact)
Apple isn't an operator, it is the hardware supplier (like Nokia et al - go to Nokia's website and try to buy a handset "locked" to one network!), it no longer has an "exclusive" deal to honor with o2 so (Apple) could easily sell PAYG handsets themselves unlocked (and o2, Orange et al can be free to ask Apple to lock the handsets they sell) - Apple controls the lock status after all via iTunes activation
I had my cash ready to buy yesterday and was disappointed to see Apple had chosen only to deal with locked handsets for UK customers, so my options are now to wait until I'm next abroad and buy from one of the many markets that sell unlocked (both direct from Apple and in local shops) or hope that the situation changes when Voda join in next year - are Apple really going to be so dumb to stock 3 (or more if TMobile and 3 are allowed to supply) lines of PAYG iPhones?
conspiracy by apple or at&t?
if it's just jailbroken phones perhaps it's apple doing it or at&t, they don't want you to have that functionality and everyone is jailbreaking, the way to stop it is to spread fear of a worm that will f your phone
Yeah, I'm talking to you.
For those who claim I did not read the article, kindly remove your head from your derrière and take a deep breath. You need the oxygen - and, quite frankly, it's beginning to show.
If you don't know what "security through obscurity" means, I suggest you read up on the subject. Changing default passwords is security 101, but judging from your reactions, it seems you are more content to live in ignorance and simply flame anyone who implies that Apple users may not have the intelligence God gave a box of cake mix. More fool you.
(Apologies to Simon Travaglia.)
the wrong way to write an article
The article, as well as the title, insinuates that any jail broken phone is in danger, which is nothing more than a lie designed to smear Apple's reputation and scare iPhone owners. In reality there are very few phones with SSH installed. I would say the article writer had bad intentions when he wrote the thing.
You're still a twat!
The first para still says (@17:26)
> allowing hackers to connect to any jailbroken iPhone.
This is clearly untrue; it allows hackers to connect only if (a) ssh is installed and (b) the password has not been set.
Some people's kids.......
People ask me "Why not Jailbreak your iPhone?" Look at all those super cool homebrew apps!
Well, this is why.
All this is is proving yet again that stupid people and tech gear still don't mix. I miss the days when stupid people's only technological problem was any device in their house with a digital clock on it just flashed 12:00 over and over.
Breaking your iPhone and wondering why it won't work is the same as taking the bolt out of the lock in your front door and wondering why your house got robbed. No sympathy for the stupid. The people doing the breaking are the people with just enough know how to be dangerous. Some joker in his basement who thinks he knows more than Cupertino, but whose whole life is over if he can't emulate Nintendo on his iPhone.
We have two iPhones, they work just fine. Why? We run well reviewed, screened apps in a closed device. This is like the Windoze users who download cracked games and don't know why they get viruses. NO tech is safe when stupid people go monkeying with the internals. If you want to play "Teh Haxorz" with your phone go buy an Android.
O.J. @ 16:44
No, O.J. I'm afraid that you did, in fact, get it quite wrong. There's no security / obscurity issue at work here. Apple doesn't claim security by obscurity; they claim security by suggesting that iPhone hacktards not do stupid things that endanger the integrity of the iPhone. As sold by Apple and used as recommended, these malwares will not affect an iPhone. You'd be equally justified suggesting that Ferrari build insecure cars because they don't float.
For the record, I don't have an iPhone: I'm stuck with a Win6.1 brick that's distinctly bad at three things:
1. Not crashing.
2. Sending emails.
3. Making phone calls.
a treasure trove of user data?
Anybody know of any statistics regarding what is getting stored these days and by who?
It would be interesting to know what kinds of data people have on their "open" iPhones.
I assumed the owners were tech savvy and conservative when it comes to storing personal info.
This site needs...
..an icon of a handbag amongst the choices for postings.
It can be used by audiences of flame wars.
Like the one above.
you sir are a tool.
Mac/PC user it is all the same.. USER! Apparently you do not/have not worked in the support arena. Security through obscurity, lol. puh-leez, go back to your winblows fanboi site. The only ones truly interested in jailbreaking are the few furry teeth and windoze wannabe hackers/script kiddies, and the odd knowledgeable mac user. The average person has no clue as to what "jailbreaking" is and just want to use the damn thing ("breaking" scares a lot of people) to play BS time wasting games. With regards to intelligence, yeah windows users cornered that market...
Those that are jailbreaking their phones generally have some idea of what they are doing, and if not, and they get iPwnd, well they got what they deserve. Personally I do not own one as I do not have a "need" for one. My samsung phone works just fine as do my macs and pc's.
@ Oliver Jones
Who said these iPhone users were mac users?
They are just as likely to be 'tech-savvy' wintards.
What are you prattling on about?
Nothing about idiots enabling SSH services that they don't need, then ignoring the warnings to change their password is "security through obscurity". It's pilot error, pure and simple. You can't even blame modern jail-breaking apps, 'cos as far as I've seen, they all go to some lengths to stop people from hanging themselves.
I think either *you* don't know what that term means, or you still haven't managed to comprehend what's actually going on here. Either way, you're coming over like a clueless gobshite.
nickrw : Who said Remote Desktop had to be RDP? VNC, GTA, LogMeIn, NetSupport to name but a few, all technically Remote Desktop applications just not called Remote Desktop Connection by name.
"... allowing hackers to connect to any jailbroken iPhone."
Does "any" mean "having ssh with a default password", or is this just an error that won't be corrected?
jailbroken iphone killer
i wonder who paid the hackers
"Oh yes, don't let me do what I want with my expensive tech, it's not like it's mine anyway."
You can do whatever you damned well please with your iPhone. Apple are merely making it clear that if you don't use it the way it was *DESIGNED* to be used, you don't get to demand Apple kiss it better and make it work properly again when you bugger it up.
Believe it or not, EVERY manufacturer imposes similar limitations on their warranties. That's why it's *called* a "limited warranty". If I crash my brand new Nissan Micra into a tree within hours of buying it, Nissan aren't going to fix it for free.
It's called "arse-covering". A concept invented specifically to counter the vast quantities of stupid which appears to be this universe's most abundant resource.
*sigh* It seems that English comprehension is something some of you are not so hot at. I know my second post was a whole eight lines of text, and that might be a little too much for some of you to take in at once, but allow me to offer some help - it seems sorely needed:
@Simon Banyard: Lovely, short, pithy reply, even if a little juvenile. Lacking a little in justification or purpose, though, so we'll move on...
@AC@17:54: Yes, there is a security through obscurity issue here. Why install OpenSSH if you don't care about security? You still using telnet and FTP? As has been said before, most modern jailbreak apps do not require SSH. Are you capable of figuring out implications for yourself, or are you relying on me to spell out everything in my post? If it's the latter, you're going to be disappointed. The fact that these users didn't RTFM and change their passwords is another point, but thought they would be safe, despite it being as clear as day that adding services provides another way in to any device, even though jailbreaks are not common (obscurity). And no, since you seem to have trouble grasping that I'm not actually blaming Apple (shock, horror - NOBODY who has flamed me so far seems to have grasped this simple premise) - the analogy is nothing like a Ferrari that cannot float. It's more like the user buying a boat, and then complaining that it doesn't float because they've drilled a nice large hole in the bottom, and they didn't understand the simple concept of water displacement. AKA user fail.
By the way, why would I give a damn as to what kind of phone you have? Why does it matter?
@Mortal: I thought it was perfectly obvious that user error was the issue. See above. OpenSSH didn't install itself, did it? Does Apple ship the iPhone with OpenSSH? Nope. Did I not say that changing passwords is security 101? Did you even read that far? Then you call ME a tool? That's rich. Next...
@Adam Starkey: Ditto, except you get -2 points for using the word "gobshite" (unspeakably naff - even Simon Banyard managed better) and for not realising what I'm talking about, even though you're the last poster - and you had more time to figure it out than anyone else.
@Ivan Headache: Finally, someone who understands English. Fair point, Ivan - I will agree that I should have said "iPhonetards". My apologies.
Anyone else who has a problem, please, save it for /dev/null. By all means, feel free to disagree with me - but if you want to put words in my mouth or throw around insults like teenage children, do not be surprised if you get treated like one.