iPhone worm hjacks ING customers

Well...

Anybody that does banking transactions on a jailbroken phone - with a default password - is a fidiot.

backdoor?

What backdoor? Its more a case of RTFM on behalf of all jailbroken fanbois that got hacked. Pwnapple (one famous jailbreak util) has been turning ssh off by default since quite some time now and before that there where really big warnings all over the place.

The vector behind this attack has been in the wild for almost 2 years now. Folks who broke jail and havent heard about this should not be jailbreaking in the first place.

Paris icon seems obvious on this one, though she gets hacked without jailbreaking anything.

password change

Security experts should also advise users NOT to change it to "ohshit" as Sods Law dictates that someone is bound to. They also need to advise anyone who did change their password to "ohshit" in the first place, to change it to something else. But not "alpine". Obviously.

Excuse me?!

"Surfers visiting the site with infected devices are redirected to a phishing site "

and

"ING Direct told the BBC it planned to warn users' of the attack via its website"

Erm, it's not just me is it?

Not Apple's password

Every time I read these stories I get annoyed. 'Alpine' is not the default root password as defined by Apple. On Mac OS X (which includes the iPhone), there IS no root password, the root account is disabled and SSH is not installed on the device. Jailbreaking involves installing SSH, and it's part of that install procedure which activates and sets a default password. The people at fault here are the numpties who wrote the jailbreak procedure to include a default password and those who leave SSH running with said default password.

Comes at a price...

Well looks like the cat is well and truly out of the bag now. I bet all those smug people at Apple who warned against jailbreaking your phone, are laughing their arses off to choruses of "we told you so".

Nice to have a device that can do so much, truly a modern technology marvel, however the more complex the devices get, the easier it is to make cracks in their security and abuse them. I stll have my 4 year old LG phone which can just about cope with calls and SMS, not much else. I fancied an iPhone and I would have gone for a jail-break route, but I think I will wait until we can get on top of the bad guys first!

D'oh!

> Even though Apple didn't mean to have the SSH open to the world, I'm still pretty staggered that they chose a default password that is the same on every device.

SSH isn't installed by Apple, so they don't set a default password. SSH isn't only installed by people jailbreaking their phones, and even that is optional.

How can you blame Apple when they don't even provide the SSH that is being installed?

Glad to know

Apple's crack security team is busy writing worms for jailbroken iPhones.

Lies!

This story is nonsense, everyone knows that malware never targets Apples devices.

Have you morons not seen the adverts?

imaginary iPhone worm doesn't hijacks ING customers

"Part of the process of jailbreaking iPhones to allow unofficial software to be installed can involve installing SSH (secure shell) remote access. Users who go through this step but fail to change the default root password of iPhones from alpine leave a backdoor that wide open to attack."

The definition of a worm is something that infects computers without user action and merely connected to a network. As such the 'Ikee-B worm' doesn't qualify.

"Although Duh exploits the same SSH backdoor as the original Ikee worm, the latest malware is far more dangerous than its predecessor"

What backdoor, it uses the default SSH password, the same one the jailbread software uses. The Jailbreak software the the users explicidly installed.

Idiots

That idiot who created the original worm shouldn't have published the source code. What a dumb ass.

@AC 16:41 re: Lies!

A Jailbroken iPhone is, arguably, no longer an Apple device. It's something that started out as an Apple device but has since been modified extensively.

An analogy would be to try to claim that VW Golf TDIs have unreliable turbos because a few numpties who have chipped their engine management software to increase the boost pressure are suffering from blown turbos.

@Ross 7

No, it's not just you. Reminds me of an old newspaper (remember those?) want ad that said "Illiterate? Write for help!"

It's a front door, not a back door

There's no back door involved.

Access through SSH is explicitly allowed on those devices, and the users have taken steps to enable it. Calling it a back door is highly inaccurate and smacks of fear mongering.

The Rick Adjective of the day

I just read these to see what creative adjective El Reg comes up with for Rick Astley.

Mine's the one with the non-jailbroken iPhone in the pocket.

GNAT Worst

Just seen a TV advert for GNAT Worst's helpful banking app for the iphone. Odds on it gets hit next.

Regards

Neil

Ha

de fuckin ha.

Karma.

That is all.