The second worm to infect jailbroken iPhone users reportedly targets customers of Dutch online bank ING Direct. Surfers visiting the site with infected devices are redirected to a phishing site designed to harvest online banking login details, the BBC reports. ING Direct told the BBC it planned to warn users' of the attack via …
Even though Apple didn't mean to have the SSH open to the world, I'm still pretty staggered that they chose a default password that is the same on every device. A little foresight would have made this attack nigh on impossible. And I do appreciate that you shouldn't be jail-breaking your phone, but part of the initial setup for the iPhone should be to enter your own passwords.
I wonder when we will see an anti-worm.
That being one that scans for default passwords, changes them, and then gives the user a message saying it has been changed and what their new code is.
Some white hat out there will think they're doing the world a favour.
ING had it coming
They have been warned before that their own security practices are questionable at best. Never mind that this isn't the usual website p0wn but a reasonably smart 'mTAN' snatch. Too much of a compliment, really, but probably more of a case of favourable circumstances.
Oh, and the usual note to stop calling criminals hackers just because you're a hack, hmkay.
Anybody that does banking transactions on a jailbroken phone - with a default password - is a fidiot.
What backdoor? It's more a case of RTFM on behalf of all jailbroken fanbois that got hacked. Pwnapple (one famous jailbreak util) has been turning SSH off by default for quite some time now, and before that there were really big warnings all over the place.
The vector behind this attack has been in the wild for almost 2 years now. Folks who broke jail and haven't heard about this should not be jailbreaking in the first place.
Paris icon seems obvious on this one, though she gets hacked without jailbreaking anything.
Security experts should also advise users NOT to change it to "ohshit", as Sod's Law dictates that someone is bound to. They also need to advise anyone who did change their password to "ohshit" in the first place to change it to something else. But not "alpine". Obviously.
Stupid is as stupid does
Those oh-so-clever malware people screw it up again. If you're changing a password with a worm, why pick one that must be at the top of any list of popular passwords that a cracker would discover in minutes? It isn't like you are going to have to type it in all the time. Simple mistake that allows iPhone users to fix the altered password even if they have already been successfully compromised, courtesy of the first researcher who has a go at it.
"Surfers visiting the site with infected devices are redirected to a phishing site "
"ING Direct told the BBC it planned to warn users' of the attack via its website"
Erm, it's not just me is it?
Apple must be delighted...
... to be able to tell people, "told you so!"
Nothing to see here
So this is NOT an issue with iPhone security, but rather user security. First they jailbreak their phone and SSH is installed, and then they fail to change the default password? iPhones that have not been jailbroken are not affected? Sounds like Apple doesn't have a security problem at all, but rather the hacker crowd who wanted unfettered access to their phone. Too bad they weren't smart enough to protect themselves by following a basic security process of changing the default password.
Not Apple's password
Every time I read these stories I get annoyed. 'Alpine' is not the default root password as defined by Apple. On Mac OS X (which includes the iPhone), there IS no root password, the root account is disabled and SSH is not installed on the device. Jailbreaking involves installing SSH, and it's part of that install procedure which activates and sets a default password. The people at fault here are the numpties who wrote the jailbreak procedure to include a default password and those who leave SSH running with said default password.
So user installs SSH/jailbreaks (one is dependent on the other, right? Haven't looked into it as I'm not getting one). Then said user (sorry, luser) fails to change the default ssh password.
I have one word for that kind of luser: fucking idiot. Or rather, fuckingidiot.
If you don't know what the hell you're doing, don't mess with shit you don't understand. It'll just all end in tears.
As for those who are trying to say "it's a security problem with iPhones"? Do get a clue. Maybe you should see the BOFH for help? I think he's currently in the flooded electrical cage in the sub-basement. If you hurry you can catch him there. Don't worry, it's safe, the power was turned off...
Comes at a price...
Well looks like the cat is well and truly out of the bag now. I bet all those smug people at Apple who warned against jailbreaking your phone, are laughing their arses off to choruses of "we told you so".
Nice to have a device that can do so much, truly a modern technology marvel; however, the more complex the devices get, the easier it is to make cracks in their security and abuse them. I still have my 4 year old LG phone which can just about cope with calls and SMS, not much else. I fancied an iPhone and I would have gone for a jail-break route, but I think I will wait until we can get on top of the bad guys first!
I don't think Apple picked the password, I think it's set by the jailbreak software.
Key question: is this how things would have been were iPhone app distribution not otherwise tied to the App Store?
I wish the authors of articles about this issue would point out exactly what/where SSH comes into play; it's kind of a key piece of information. Most of the articles I've read suggested that SSH was on the phone but required enabling, however most comments are now suggesting that SSH is installed rather than enabled as part of the jailbreak process.
So the question is: Who writes an SSH package with a default password? I mean, if you're going to the length of writing an SSH package, you probably ought to know a bit about security...
> Even though Apple didn't mean to have the SSH open to the world, I'm still pretty staggered that they chose a default password that is the same on every device.
SSH isn't installed by Apple, so they don't set a default password. SSH isn't only installed by people jailbreaking their phones, and even that is optional.
How can you blame Apple when they don't even provide the SSH that is being installed?
AFAIK unlike OSX desktops 'alpine' is a factory set root password on the iPhone. There used to be a bug (early 2G jailbreak) where changing the root pass would put the device in a loop on restart, which I assumed was because 'alpine' was hardcoded somewhere in the app stack.
Glad to know
Apple's crack security team is busy writing worms for jailbroken iPhones.
This story is nonsense, everyone knows that malware never targets Apples devices.
Have you morons not seen the adverts?
imaginary iPhone worm doesn't hijack ING customers
"Part of the process of jailbreaking iPhones to allow unofficial software to be installed can involve installing SSH (secure shell) remote access. Users who go through this step but fail to change the default root password of iPhones from alpine leave a backdoor that wide open to attack."
The definition of a worm is something that infects computers without user action and merely connected to a network. As such the 'Ikee-B worm' doesn't qualify.
"Although Duh exploits the same SSH backdoor as the original Ikee worm, the latest malware is far more dangerous than its predecessor"
What backdoor? It uses the default SSH password, the same one the jailbreak software uses. The jailbreak software that the users explicitly installed.
That idiot who created the original worm shouldn't have published the source code. What a dumb ass.
@AC 16:41 re: Lies!
A Jailbroken iPhone is, arguably, no longer an Apple device. It's something that started out as an Apple device but has since been modified extensively.
An analogy would be to try to claim that VW Golf TDIs have unreliable turbos because a few numpties who have chipped their engine management software to increase the boost pressure are suffering from blown turbos.
No, it's not just you. Reminds me of an old newspaper (remember those?) want ad that said "Illiterate? Write for help!"
It's a front door, not a back door
There's no back door involved.
Access through SSH is explicitly allowed on those devices, and the users have taken steps to enable it. Calling it a back door is highly inaccurate and smacks of fear mongering.
The Rick Adjective of the day
I just read these to see what creative adjective El Reg comes up with for Rick Astley.
Mine's the one with the non-jailbroken iPhone in the pocket.
Just seen a TV advert for GNAT Worst's helpful banking app for the iphone. Odds on it gets hit next.
de fuckin ha.
That is all.
Hey, that actually sounds like a bloody good idea. I'll get right on it. ;-)
Just demonstrates that the value of the iPhone is more than just buying the device and the official charges. Used to be called TCO. Whilst it is not right to phish, and this is a script kiddie using the work of someone else, come on: if you really must hack a device then also take some responsibility for knowing what to do. And especially when installing SSH. I am gobsmacked someone is willing to use the command line yet doesn't change the passwords. Unless they use some other app that tunnels through SSH, in which case I stand corrected.
Regardless, jailbreaking and using software of questionable origin: well, you really need to know what you are doing. Otherwise the cheap approach could cost you. I do wonder how many people who got their OS from a newsgroup or torrent are buying and transacting online. Scary stuff.
Oh, and btw. When you install OS X (the desktop/server version, as you don't do that on the iPhone) SSH is enabled during install only, as is Apple ARD. The default user during installation is root and there is also a default password which is different on each machine but is hardware dependent. The moment the install is complete SSH is disabled again and ARD is only available with the newly created account. I know, as this capability allows me to install OS X fully remotely on a machine without keyboard, screen and not even a DVD drive. Brilliant and working very well.