back to article World's first iPhone worm Rickrolls angry fanbois

iPhone owners in Australia awoke this weekend to find their devices targeted by self-replicating attacks that display an image of 1980s heart throb Rick Astley that's not easily removed. The attacks, which researchers say are the world's first iPhone worm in the wild, target jailbroken iPhones that have SSH software installed …

COMMENTS

This topic is closed for new posts.
  1. Law
    Pint

    give the guy a medal... sorta

    He's actually doing the jail-breaking community a favour - ok, so having the worm reset the pic to ricky is a tad mean and unnecessary, but I guess it forces the kind of person who leaves their default password on to really think about what their phone is actually doing.

    I'm waiting for my Dext to be delivered - once it turns up, my jail-broken iPhone is gonna be wiped and sold... although I should point out not because of this worm!! :)

  2. Anonymous Coward
    FAIL

    Don't break out of jail

    unless you know what you are doing and that probably rules out 98% of mactards. Leave well alone what you don't understand. The unix guys hack away and lock down the SSH if you need it or bin it.

  3. gollux
    Grenade

    Bout time...

    If you're gonna jailbreak, ya gotta be smart enough ta change the passwords.

    No lame haxxorz need apply...

  4. Il Midga di Macaroni

    The old, old story

    One more case of the old, old story. If you don't take security seriously, you're at risk.

    Security by Obscurity (ie running a less common OS for which there aren't as many worms in circulation) is only good up to a point.

    Moral of the story: if you don't know anything about computer security, find someone who does.

  5. Kevin 6
    Happy

    hmm

    he should have had it also change the ringtone to Never gonna give you up

  6. David Simpson 1
    Thumb Down

    :P

    It's certainly plays right into Apple's hands making sure it's in people's best interest to leave Apple in control of their iPhones.

    Not that Apple would create and infect their own handsets with a virus that only attacks jail broken phones , of course not :P

  7. Anonymous Coward
    Alert

    Old News

    We identified this issue a while ago... Interesting to see that it has now been exploited...

    http://e-sentinel.com/October-Newsletter-iPhone-Security-pg10990.html

  8. Nordrick Framelhammer
    Thumb Up

    Finally, a use forthe Rickroll

    Using to humiliate Jobsientologists. Whas a shzame it didn't set an alarm that played that song every 15 minutes. That would cause a lot of crushed imaposerPhones

  9. Bruce Hoult

    "jailbreak" does not imply "ssh"

    Jailbreaking doesn't by default install the SSH server. You have to do that yourself, presumably because you want to use it.

    So the instructions given for changing the password are a bit silly. No need to install MobileTerminal specially. Just ssh in over wifi (it's why you installed ssh, right?) and run "passwd".

    It's hard to believe that anyone who knows enough to want to SSH in to a Un*x system doesn't know how to change a password.

  10. Charles 9

    Why don't the jailbreak progs...

    ...simply disable SSH when they're done?

  11. Peter 39
    FAIL

    fix story title

    This is NOT an iphone worm and it's incorrect and inflammatory to claim that. It's a work targeting the jailbreaks, nothing more

  12. Anonymous Coward
    Happy

    So?

    So a hacked system is insecure --- what a surprise

  13. Winkypop Silver badge
    Happy

    Hahhahaaaahaa

    That's all...

    hahahaaahhaaaa

  14. Antti Roppola

    Ear worm

    So I guess this means Rick Astley is officially an Ohrwurm (earworn).

  15. Alan W. Rateliff, II
    Paris Hilton

    Blanket solution will piss off administrators

    I can easily see where providers like AT&T would, in an attempt to prevent this worm from spreading, block port 22. This will, of course, deny many system administrators access to a legitimate tool.

    I just hope AT&T will be smarter about it. Maybe block port 22 INCOMING, if they are going to do anything at all. To a large degree, I am surprised they do not block incoming connections, anyway.

    Paris, prefers open ports.

  16. hikaricore
    Thumb Up

    iPwned

    iPwned

  17. Anonymous Coward
    WTF?

    Arrrghh!

    "display an image of 1980s heart throb Rick Astley that's not easily removed."

    Much like the national conscience, *shudder*.

    Seriously though, why the hell do consumer devices have to have default root/admin/super-user passwords? If they never need to be changed you simply ask the user to setup a one time super-user/top-dog password which they need to write down somewhere safe and never reveal to anyone! Then they set up their own password, job done!

    If you've an IQ large enough to understand the workings of complex communication gadget, then I am sure you can cope with coming up with two passwords! Even if they are the same one, at least it's not simply the same password across 20 million devices!

  18. MidnighToker
    Go

    PermitRootLogin = no

    Seems obvious on (nearly) every sshd install.

  19. Bad Beaver
    Pint

    I certainly

    LOLed

    We need an option to combine icons, as this is both thumbs up, thumbs down, WTF, FAIL, AND I'll drink to that.

  20. blackworx
    Thumb Up

    Hole

    "if owners haven't bothered to change their root password, they represent a gaping hole waiting to be exploited"

    there, fixed

  21. Greg J Preece

    @Mactard

    "This is NOT an iphone worm and it's incorrect and inflammatory to claim that. It's a work targeting the jailbreaks, nothing more"

    Oooh, a touchy Mactard there.

    It's a program that targets the jailbreaks on which phone?

  22. Keith Oldham
    Linux

    Why set port to 22 ?

    Don't know about the iphone but I never set the SSH port to 22 or anything like. My router logs over many months show 4-5 attempts a day to connect to 22 but none to the the actual port .

    But I guess if you don't know enough to change the password .....

    I use a non-trivial account name as the only allowed connection + 20 char hideous password generated from a simple passphrase by a little password protected C program. whose source code and executable is protected by having permissions set to x only and owned by root.

  23. Anton Ivanov
    WTF?

    Re: Arrrghh!

    Quote: Seriously though, why the hell do consumer devices have to have default root/admin/super-user passwords?

    They do not. And apple did not. It used what should be used to manage consumer devices - certificates and public keys. The password is not accessible and not exposed in the default config. It becomes an issue only once you have hacked the iPhone. Prior to that authorisation to install software, etc is all done via public key cryptography. As far as having different passwords per device, I do not quite see the justification on wasting software development effort on this if it is not an interface that will ever be exposed to the user.

  24. Daemon ZOGG
    Pirate

    RTFM...

    If it runs software, it probably has a default password somewhere. Mostly, in Operating Systems, Security based software(i.e. ssh, firewalls, anti-virus, content filters, etc).

    The software in Network Routers (wired or wireless), DSL Modems, VPN hardware, AND YES.. Mobile Phones are just a few fine examples.

    Failure to change the default password for your device/pc, or the software within it, will at some point teach you a very disturbing lesson about security.

    So. TWO VERY IMPORTANT THINGS we all learned from what happened in Australia?

    It CAN happen to YOU too. AND MOST IMPORTANTLY :

    Read

    The

    F***ing

    Manual

    Arrrrrrrrr!!! " };> "

    ;)

  25. Nick L

    @Charles 9

    Thing is, they don't even install SSH by default. You need to manually install SSH, and the process tells you that you need to change the root password.

    Jailbreaking has been made easy, which is good. Out of the box, I believe a jailbroken iphone is secure.

    People have to choose to install. If you're doing this you should understand why you're doing it, and also understand the implications. If you do install, don't change passwords and merely get rickrolled, you have been hugely lucky!

  26. Anonymous Coward
    FAIL

    @Peter 39: What is a worm?

    "This is NOT an iphone worm and it's incorrect and inflammatory to claim that."

    Admittedly from Wikipedia:

    "A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention."

    Sounds like what's happening here, and it's only affecting iPhones. That makes it an iPhone worm.

    It might be inflammatory, but it's certainly not incorrect.

  27. Anonymous Coward
    Paris Hilton

    @Peter 39

    'This is not an iPhone worm'

    Smells like a turd, looks like a turd, runs on a turd, yup, it's an iPhone worm.

    Or are you saying that a jailbroken iPhone isn't an iPhone anymore?

    Paris, she's got a clue at least...

  28. Anonymous Coward
    Joke

    What?

    Rick Astley?

    A 1980's heartthrob?

    That is a bit over-ubiquitous isn't it?

  29. studentrights
    Happy

    Just shows that Apple was right...

    The lock down with a secure AppStore is there for a reason.

  30. phoenix
    FAIL

    @By Peter 39

    The last time I checked self replicating code that spreads itself with no user intervention (clicking on a exe) is a worm. Sophos (who should know) back me up on this one. But you are right in one respect it is not meant to be harmful only a public proof of concept.

  31. Steve Brooks

    insecure

    "So a hacked system is insecure --- what a surprise"

    Well actually no, any system that has a "default" password that isn't prompted to be changed automatically on first use is insecure. On first turning on an iphone the correct procedure should be to prompt people to enter their own passowrd and thus replace the default password. The insecurity is built into the system, much like windows, surprise!

  32. Doug Glass
    Go

    Oh Fanboys .....

    Did somebody pick on your wittle phone? Awwwww ..... mommie will make it all better; yes she will.

  33. Andy 70
    Thumb Up

    @Winkypop

    May i second that motion, and follow it up with my own, additional;

    haaaaahahahahahahahaaaahahahaha!

    Many Thanks.

  34. Anonymous Coward
    Grenade

    Mactards get back in your locked cage

    Or get a virus scanner - there's an app for that... oh wait...

  35. TeeCee Gold badge
    Coat

    Rickrolling.

    Being made to feel like a complete n00b for not changing passwords?

    There's an app for that.

  36. Piers
    Alert

    "I foolishly had forgot to change my root and user password last time i had jailbroke my phone"

    says. it. all. foolishly.

  37. McMoo

    Written by Apple

    I wonder if Apple is making a point?

  38. Anonymous Coward
    Stop

    To all the flamers...

    ... who think it is an iPhone worm and are busy mocking others, consider this. I've taken a Linux build, heavily modified it, left an SSH daemon running on default ports with a well known password and suddenly find myself owned. Do I have a leg to stand on by running (or hopping) to the Linux community or the media shouting "I've found a Linux exploit!!"?

  39. David 34

    The title should be qualified by jailbroken iPhones

    Well, what do people expect?

    If you hack a device, install proper security measures and stop bitching about the manufacturer.

    Like it or loath it, Apple's default setup on those phones is secure. This stuff is totally beyond their control and it's rather unfair to suggest that it has implications for iPhones.

    Apple could prevent some of this kind of nonsense by selling the damn things SIM free without ball-breaking contracts and network lock-ins.

    However, in the interim, their product is an iPhone, with their software on the networks that they have agreements with, and not anything else.

    That situation will only change when competition increases. We are really only starting to see the emergence of competing platforms, the iPhone has a couple of years' head-start.

    Google Android, Nokia's Maemo and perhaps Palm Pré (but it's a remote perhaps) will undoubtedly shake up the market quite a lot and Apple will inevitably relax some of its policies as it will become more concerned about shifting phones and apps than getting money out of network operators.

    i.e. we will quite likely see a more iPod like strategy as the touch-screen smart phone with apps becomes a more generic and widespread device.

  40. Georgees

    First thing I did after jailbreaking...

    Was turn off SSH. It's a toggle switch ffs.

  41. Anonymous Coward
    Thumb Up

    @Steve Brooks

    > any system that has a "default" password that isn't prompted to be changed automatically on first

    > use is insecure. On first turning on an iphone the correct procedure should be to prompt people

    > to enter their own passowrd and thus replace the default password.

    What part of "SSH isn't installed on iPhones by default, the user must first HACK the phone, then must CHOOSE to install it themselves" didn't you understand?

    How can you change the password for SSH on the iPhone when first turning it on, if SSH ISN'T INSTALLED IN THE FIRST PLACE? Duh!

    Jeez, some people are idiots, and you even put your name to your comment.

  42. Adam Salisbury
    Headmaster

    @AC 10:13

    No you don't.....but it's still an exploit! If someone else were to gain control of, or negtively influence your system then by definition, it has been exploited. Deliberately/neglitgently failing to secure a system does not exemplify the hole from being an exploit.

  43. Remy Redert

    re: To all the flamers

    No, but if hundreds or thousands of people all do that and someone writes a piece of software that takes advantage of that and self-replicates over the network without user interaction, that IS a linux worm. And it's an iPhone worm, not an exploit, that we're talking about here.

    Incidentally, doing that and running to the linux community for help is likely to result in a lot of laughter, after which someone might help you.

  44. Anonymous Coward
    Stop

    Yawn

    So some stupid people who hacked their Iphones and didn't change the passwords are having problems. This isn't news, it would only be news if it happened to Iphones that hadn't been meddled with.

  45. Anonymous Coward
    Anonymous Coward

    not much a scare

    I think this highlights the issues of using jailbroken iphones without really knowing what you're doing or being complaicent.

    Most user will not have a jialbroken phone, and those that choose to jailbreak it, should have the technical knowhow to keep it safe, especailly if you install OpenSSH on the thing.

  46. James 47
    Thumb Up

    Is this the first true mobile phone worm?

    The only other one I can think of is Cabir which only installs when the user chooses 'Yes' three times. This one, from what I can see, requires no user interaction to get installed.

    Apple Fail.

  47. PirateSlayer
    Pint

    Trend?

    I am seeing a trend in Apple product user's regard for their fellow (less intellectually endowed) users.

    Apparently, if something goes wrong with an apple product for any reason, the user is a cretin.

    Apple user enables guest account and it overwrites their main account: user is a cretin

    Apple user jailbreaks their phone and does some wizardry: user is a cretin.

    I wonder which Apple product will be affected next. In any case, I know that whatever the problem is, the user will be to blame...and probably a cretin.

  48. ThomH

    @Greg J Preece

    It jailbreaks the iPhone, a device owned and used by both Mac and Windows users, and supported on both platforms. So, ummm, iPhonetards? Oh, and iPodTouchTards, too.

    I wouldn't be surprised if the majority of iPhone owners are also Mac owners, but I would be surprised if the majority of iPod Touch owners are. There's just too many of them about.

  49. phoenix
    Jobs Horns

    Worrying

    The iphone is based around FreeBSD and by default you cannot login as root over ssh on true BSD, you need to login as a user with wheel group memembership and have to su up to full root access. Something must be a bit wrong with the Apple implementation of this daemon

  50. Anonymous Coward
    FAIL

    How does this work exactly?

    I'm thinking it can't possibly work over the 3G connection as no ports are forwarded to the shared IP, or is it shared?

    Then that only leaves WIFI to a trusted network. If you don't have any firewalls set up you deserve to be hacked...

  51. Andy Watt
    Alert

    Serves 'em right...

    This is why I'm actually moving TO osx machines... if you buy apple (BTW I'm a windows "care assistant", as I like to call it, for about 5 machines) then you buy it because it works. People who buy it, then hack and jailbreak it because they feel constrained, should look to Android for their daily dose of multimedia battery-eater.

    I've got an iPhone.

    I bought it in Italy so it doesn't need jailbreaking.

    I don't plan to go anywhere near any warez for the damn thing. I have felt frustrated with it twice (been on Symbian / UIQ for 4 years before this) but that's far outweighed by having a device which works and doesn't piss me off all the time with the UI (and S60 does piss me off as well).

    Like they all said above... don't break the thing unless you know the consequences.

    This is actually a bit of a non-story, isn't it? Or is the Reg permanently sensitive to easy iFlamer stories? ;-)

  52. tardigrade

    @Phoenix

    The iPhone/touch doesn't come with ssh. The option to restrict root logins is 'PermitRootLogin', it lies within the /etc/ssh/ssh_config file. A file that doesn't exist if you don't first jailbreak your phone and then install ssh. If the jailbroken third party ssh server the jailbreaker installs comes with 'PermitRootLogin yes' then there is your problem. Nothing to do with Apples implementation of anything.

    Just some very stupid people who shouldn't have jailbroke there phones if they didn't understand what they were doing or some very stupid people who knew what they were doing but still didn't change there passwords or disable ssh and are therefore complete dunderheads.

  53. Anonymous Coward
    FAIL

    Wow. Hack your phone and make it insecure. So what?

    Serves the crybaby "It's my phone, I'll do what I want" idiots right.

    Yup, you did what you wanted, and proved yourself to be too fucking clueless to do it properly.

    You get what you deserve, whiners.

    *strokes unhacked, uninfected iPhone*

  54. Jonathan White
    FAIL

    Yes, you are..

    @pheonix

    I'd be more worried about your apparent inability to comprehend what's actually going on here.

  55. magnetik
    FAIL

    @James 47, @PirateSlayer

    "The only other one I can think of is Cabir which only installs when the user chooses 'Yes' three times. This one, from what I can see, requires no user interaction to get installed."

    So you don't consider jailbreaking then installing and enabling SSH to be "user interaction"?

    "Apple Fail"

    No, you fail. If people set up VNC on a Windows server with no password would you blame Microsoft for that big gaping security hole?

    @PirateSlayer

    "Apparently, if something goes wrong with an apple product for any reason, the user is a cretin."

    Bollocks, this stuff applies to any OS. An Android user who let remote access through SSH with a default password would be equally a cretin, as would the guy with the open VNC on his Windows server.

  56. phoenix
    Badgers

    @By tardigrade

    Yes I am fully aware of those facts. Only when SSH access is installed from the ports collection on BSD it is fully configuered that way from the off, there is no need to edit that file to halt root access via ssh. One assumes the wonderful iphone no longer understands ports? Or is the SSH service bought down from openssh.org and therein lies the issue a lack of understanding of how to configure it. One assumes it cannot even work as the user cannot have correctly sorted the PPK encryption either?

  57. Anonymous Coward
    Go

    @James 47

    James 47 writes:

    "The only other one I can think of is Cabir which only installs when the user chooses 'Yes' three times. This one, from what I can see, requires no user interaction to get installed.

    Apple Fail."

    No user interaction? What else could you call it when a user violates the T&C, breaks the phone, installs a shell, and then fails to wipe up after himself? Admittedly, the defining characteristics of "wormhood" are preserved, but the FAIL does not accrue to Apple. When you modify a device to that extent, Apple can't be held to blame.

    It's like complaining you've been molested after walking around in a dark alleyway with your bits hanging out.

    Breaktards: 0

    Apple: 1

  58. Anonymous Coward
    Unhappy

    @ Jonathan White

    Enlighten me then as you feel I am completely out of touch. Admittedly I do not have an iphone to check all this on but was trying to illicite a good answer from someone who is fully aware of the issues. Please feel free to reply if you actually know or are you in troll mode?

  59. Dr Richard
    FAIL

    @That makes it an iPhone worm.

    Nope .. it makes it a worm targetting a particular IP address range (in Australia) looking for SSH daemons with a crap root password of "alpine". The fact that it hits jailbroken iphones where individual users have deliberately ...

    a) jailbroken them

    b) manually added the SSH daemon

    c) not set the sshd config to disallow root logins

    d) not set the sshd config to only use keys

    e) not set the sshd config to listen on a non-standard port

    f) not changed the hidden default root password (well known since 2007 in the jail-breaking community

    ... is a coincidence which media outlets pick up on because its an iphone.

    Sorry but a fool and his/her security are soon parted.

  60. Anonymous Coward
    Anonymous Coward

    heh

    When you buy a phone that's designed to do pretty much everything except make a decent phone call you've got what's coming to you when you wake up to find yourself owned.

    People expect these things to handle all their most sensitive data, then they think "meh well it's a phone so no one could ever hack it" even having just hacked it themselves.

  61. David Pickering
    Thumb Down

    wouldnt suprise me

    if this 'ikee' chap works at (cr)apple

  62. McFlorrin
    WTF?

    What???

    How is this an Apple issue??? Apple do not ship the iPhone with SSH installed, let alone configured. Nor do they allow you to install it on the phone. To use SSH you'd have to JailBreak the phone, thus circumventing the security built into the system by Apple. They do not endorse the practice of JailBreaking, infact they actively seek to close the security holes within the system that allow JailBreaking.

  63. Anonymous Coward
    FAIL

    @Peter 39

    The story title is exactly correct. It is extremely rare for an operating system to be pwned directly. Most exploits of windows (and macs and linux) tend to come through user space initially - just like this one. Ever seen a linux server be rooted through an unpatched php installation? This only affects iPhones (albeit only a subset of the full universe of iPhones) it is therefore an iPhone worm. In just the same way as a php exploit on linux is still a linux exploit.

    Hopefully in the none too distant future Mactards will realise that they are not immune from viruses/worms and trojans just because of their Jobsian religious beliefs. Macs are always pwned first in the pwn to own tournaments for a reasons - and it isn't because their security is great.

  64. Jonathan White

    @pheonix/AC

    OK, the clue is in this sentence, which you wrote

    "Something must be a bit wrong with the Apple implementation of this daemon."

    You appear to know about BSD (which is a very laudable skill IMO) however you also appear to have failed spot the major point of the story, which is that this security breach is sod all to do with Apple and in fact they've specifically designed the iPhone to stop this kind of breach happening and you have to circumvent their security architecture yourself before you can be vulnerable to it.

    And if you'll forgive me, it's a bit rich of someone using the 'devil Jobs' icon under these circumstances to call anyone else a troll.

    Jon

  65. phoenix
    Unhappy

    @By Jonathan White

    I humbly apologise. That is the bane of e-mail and other text based communication that wording can confer the wrong intention. I misread your comment of 13:14 as harsh off handing remark it obviuosly wasn't meant to be as you have come back to me. I guess it is Monday and my brain isn't working too well getting jailbreak mixed up with BSD jails and that got me to start all this mess in the first place. I merely mention Apple in the fact that they have done some much work in darwin modifying the orginal BSD code. I think I will go and lie down now as my head hurts. Au revoir

  66. Henry Wertz 1 Gold badge

    It *IS* a worm.

    "Seriously though, why the hell do consumer devices have to have default root/admin/super-user passwords? If they never need to be changed you simply ask the user to setup a one time super-user/top-dog password which they need to write down somewhere safe and never reveal to anyone! Then they set up their own password, job done!"

    This really doesn't make sense, in stock form the root password is NEVER used by the end user so asking to set it would not be sensible. There's no local OR remote login shell, and no use for the password. (I do bet the OS upgrade uses the password though.) In jailbreak form, I'm sure step 1 (or at least a low number) is *set your root password*. Once you have a shell or ssh, it should be immediatley set to something non-stock. It could make sense to ask the user to reset the password in the jailbreak software, but really if there's an instruction to do it seperately that should cover it, not doing it is human error of not following the directions.

    "... who think it is an iPhone worm and are busy mocking others, consider this. I've taken a Linux build, heavily modified it, left an SSH daemon running on default ports with a well known password and suddenly find myself owned. Do I have a leg to stand on by running (or hopping) to the Linux community or the media shouting "I've found a Linux exploit!!"?"

    A) No you odn't have a leg to stand on, but you were still hit by a Linux worm.

    B) The only reason I say "no" to "Do I have a leg to stand on" is because it was brought to the attention of the Linux community several years back when it WAS a new thing to have these worms rotating through a dictionary of weak passwords. Otherwise, yes, you would have had a leg to stand on shouting you'd found a new exploit in the wild.

    People are only mocking stupid fanbois who claim a worm is not a worm just because it's on the precious IPhone. It doesn't hit a IPhone in stock configuration, but nevertheless it IS an IPhone worm. And although ssh-spreading worms aren't new, it IS new to have one spreading on this particular platform.

  67. Dr Richard

    @McFlorrin

    Well, from what I have read, the root password of "alpine" is as set by Apple in the iphone firmware .. which if true, is far too easy to crack and should have been set to something long and obscure as it should not really ever be used.

  68. jai

    not fanbois

    technically, the ones being rickrolled aren't proper apple fanbois - the True Believers of course haven't jailbroken their iphones

    it's just the freetards who jailbroke their phones - and most of those are probably penguin-fiddlers

  69. Jess
    Happy

    It would be funnier..

    .... if it also set the ring tones to Rick.

  70. phoenix
    Unhappy

    By Jonathan White

    "And if you'll forgive me, it's a bit rich of someone using the 'devil Jobs' icon under these circumstances to call anyone else a troll."

    Excuse me I didn't. I used an unhappy face and didn't mean to post as AC. Jobs was used for the post of 11:59 which you picked up on and I stand by that icon - not much of an Apple fan , sorry. See earlier post as apology.

  71. Charles Manning

    @Dr Richard

    The "alpine" password is there to be used by apple developers and has been known in the wild for years. A simple password is fine, and a good thing, for on the bench development.

    It really doesn't matter what the password is because:

    1) If ssh is disabled it doesn't matter.

    2) Whatever you make it it is going to get into the wild sometime.

    3) If there wasn't a simple password then the jailbreaking would set one up.

    What this highlights is a defect in the jailbreaking process. The jailbreaking process should include a step to change ssh password.

  72. Daniel B.
    Troll

    My God, it's full of trolls...

    Leave it to Macbois to say that a self-replicating program isn't a worm.

    The trolls abound these waters...

  73. Norfolk Enchants Paris

    And a recent poll

    Run by a well-respected* survey company showed that 82% of iPhone users prefer Rick Astley.

    *I made it up.

  74. gollux
    WTF?

    Thanks for the explanation...

    @ Peter 39

    Now I know why my Blackberry has Rick Astly grinning at me...

  75. Stevie

    Hah!

    Irony upon irony. First, that by installing SSH (and forgetting that other important step) the phones became LESS secure, and second that this demonstrates the truism that hacking attacks target the most popular hardware of a given type in order to gain the widest audience.

    I know that last is a "well duh" point, but the non-winduz community has been denying the corollary (that minority platforms aren't worth the bother) for years now.

    It's still more annoying than amusing though.

    Too much free time on someone's hands, as me dad used to say.

  76. theloon
    Megaphone

    Totally a user problem. Doh!

    Yep I jailbreak and unlock mine... But leave the ssh passwd at default...ummm no...

    RTFM people.

  77. magnetik
    FAIL

    @Stevie

    "First, that by installing SSH (and forgetting that other important step) the phones became LESS secure"

    Irony? Where's the irony? Is an OpenBSD box with SSH open more or less likely to be broken into than one without SSH running. Surely you don't think anyone with half a brain would suggest that by *opening* a service it would make a machine more secure?

    "his demonstrates the truism that hacking attacks target the most popular hardware of a given type in order to gain the widest audience"

    Er, what? iPhones represent only a small percentage of the smart phone market and this worm only attacks jailbroken iPhones which represent only a fraction of that number. If anything this demonstrates that market share != malware and that "hacking" (or more accurately, cracking) attacks prefer *easy* targets.

    "the non-winduz community has been denying the corollary (that minority platforms aren't worth the bother) for years now"

    And they're quite right in doing so. There was a virus in the wild for Linux iPods which number only a few thousand worldwide. So why did someone bother with such a minority platform?

  78. Big-nosed Pengie
    Linux

    Jezuz, people!

    I have no love for the JesusPhone, and dramatically less for Apple, which I consider to be, if not the Devil incarnate, then at least a large collection of his demons.

    But if I drop my pants in the middle of Main Street, bend over, and hold up a sign saying "take me - I'm yours" then I can't really complain too loudly when I get reamed, can I?

    This is not directly Apple's fault. Of course if they made a decent fucking product that didn't tell users what they could and couldn't do with it, there would be no problem. But that's not the way that Apple works.

    And yet fucktards continue to buy their crap knowing full well that it should come with a 200 litre drum of KY Jelly to ease the pain, and then try to make it do something it's not supposed to do. It's like buying a 1980 Vauxhall Viva, putting a V8 in it and expecting it to go like a Ferrari.

    Roll on open source phones.

  79. Jared Earle
    Pirate

    Vitriol

    Unfortunately, because this is about the iPhone, it's impossible to print the facts or any form of unbiased analysis without being called a "Fanboi".

    This isn't an iPhone weakness as much as it is a jailbreak sploit. The people who will not be affected are those smart enough not to jailbreak their phones and those smart enough to jailbreak them properly. An off-the-shelf iPhone is completely 100% immune to this worm; it's as if you have to go out of your way to make yourself vulnerable.

  80. Robbie 1
    Stop

    Ipwned?

    Actually quite intresting since it contained replicating / sending code. I wonder what payload one could use on a Iphone. A roaming army of DDoSing Iphones? hmmm.. I'm giving myself ideas.

    Anyways even if it did only exploit the root:alpine setting in SSHd ( wich is NOT installed by or during the jailbreaking process ) Its still a forcast of the future where gear it getting more complex and " plugged in " and subsequently more vulnerable to attack.

This topic is closed for new posts.

Other stories you might like