First iPhone Worm Discovered, Rickrolls Jailbroken Phones
Unexpof writes "Users of jailbroken iPhones in Australia are reporting that their wallpapers have been changed by a worm to an image of '80s pop icon Rick Astley. This is the first time a worm has been reported in the wild for the Apple iPhone. According to a report by Sophos, the worm, which exploits users who have installed SSH and not changed the default password, hunts for other vulnerable iPhones and infects them. Users are advised to properly secure their jailbroken iPhones with a non-default password, and Sophos says the worm is not harmless, despite its graffiti-like payload: 'Accessing someone else's computing device and changing their data without permission is an offense in many countries — and just as with graffiti there is a cost involved in cleaning-up affected iPhones. ... Other inquisitive hackers may also be tempted to experiment once they read about the world's first iPhone worm. Furthermore, a more malicious hacker could take the code written by ikee and adapt it to have a more sinister payload.'"
FFS, why is there even a default password on sshd for the jailbroken phones? It should default to being disabled and then require you enter your own password when it's enabled.
Hail Eris, full of mischief...
E pluribus sanguinem
Because at least Apple fans are no strangers to love. Microsoft just knows the game and they're gonna play it.
So this worm is aimed at people who are smart enough to jailbreak an iPhone, but stupid enough not to change a default password. Sounds like a narrow band detection device.
Place nail here >+
Yeah, it's the same kind of thing as Windows... Like if a user installed a remote management protocol, then left the default password on it, and then wondered why they got hacked so easily...
Not to mention this is NOT Apple's software, or anything that Apple sanctioned on their phone. It is from hacked phones. Sadly, this will do nothing but make Apple more sure that they should not open up the iPhone platform more.
I have a jailbroken iPhone. But other than the Cydia and ICY application icons which are installed during the redsnow jailbreak I have not deliberately installed any other non-iTunes apps. Do I have SSH running but not know it after I jailbreak?
If so, how do I log into it and change the password?
Some drink at the fountain of knowledge. Others just gargle.
and the iPhone getting rickroll'd
http://www.youtube.com/watch?v=3KANI2dpXLw&feature=player_embedded#
I thought SSH was created to add more safety. ;-)
New things are always on the horizon
Ars Technica reported a similar case in the Netherlands about a week ago. A teenage "hacker" replaced the wallpaper with one showing an alert that told the user to give him 5 euros for instructions to remove the "virus". Full article
It may be 7 digits, but at least it's a semiprime
Oh right. Probably someone saw that story too and decided to have a little fun with the same gaping security hole.
The attempts Apple makes to maintain control of devices they have sold are not dissimilar to the fanaticism shown by some of the more unbalanced elements of the user-base. Beyond the pale.
If their selling strategy for the iPhone was more in line with their competitors, and it could be bought unlocked / without lockdowns on application installation, off-the-shelf as most rivals can, we probably wouldn't need the jailbreaking scene and nor would the virus be spreading this way.
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
To an IPhone near you: Measles and Angry Measles!
Pacifist paratroopers yell, "Ghandi!" when they jump.
My poorly written code made slashdot! I mean there's nothing here move along..
Where do you get the iPhone has a large market share? The latest numbers from IDC suggest Apple has about 17% market share in the smartphone market. In the entire phone market, they're probably not even in the double digits.
Pretty good is actually pretty bad.
I don't think this is too surprising, except that it hadn't happened sooner. Large similar populations make for easy targets for viruses. This seems to be a universal. For example, you can see the same principle as mono/multi-culture in agriculture. Compare, say, the diseases apples get with the ones pawpaws get. Apple has always been the minority but here, Apple is the apple. Welcome to having a large marketshare.
This was a problem with the jailbroken sshd config. The people affected by this should not be written off as stupid though! Cellular phone + RTFM or it will get broken into = _serious_ usability flaw. Yes, even something as simple as changing a default password to a remote service on a 24/7 public network connected device. Really, this shows how irresponsible the sshd for iPhone package authors were, and why Apple locks things down in the iPhone as much as they do. Good job! Now more people will be afraid to jailbreak, and Apple may have to spend more time making sure it can't happen. Way to spoil it for the rest of us.
Holy Mother of Cheswick.
What was it, username "FIELD" password "SERVICE"?
There is also the "mobile" account username, which uses the same default password. It seems like this could also be vulnerable.
Quick spam, but it's a lot more informative http://blog.jeltel.com.au/2009/11/interview-with-ikee-iphone-virus.html I asked as many questions as I could come up with, and he answered them all :)
Source code is listed on that link as well
Just adding some background info to this drama, OzJD was in cahoots with ikee before this was released and they are both making the most of their 15 minutes of fame
Don't click the link. I was fooled. The posting and comments above are sophisticated hacks to get you to click the link and be rickrolled. The tactic recently attempted here: http://bit.ly/3Xdrd
I wish I were old enough to put "Computer" on my resume.
lol and you my friend "anonymous Coward" are a penis face
I am reminded of those "I'm a Mac, and I'm a PC" commercials. So, Mac's "little brother" I guess is susceptible to the same plagues PCs are.
Dude . . . it has nothing to do with Mac security. They've installed a third party application on their iPhone -- a service, no less. It's like giving out your house key to everyone, then complaining about how ineffective your house locks are. There are a couple of security practices being ignored by the end user here -- and these are users that, knowing how to jailbreak an iPhone, should know better.
1. Never leave a default password.
2. Never install a service if you don't need it. (Okay, maybe some DO need it, but I doubt all of them.)
The same applies to Windows. Windows is riddled with security problems, hence 75% of Windows viruses still work, whereas less than .001% of Mac viruses still work (if even that). But even so, many "security problems" in Windows are not the fault of Windows, but of the user running it. It doesn't matter how perfect your burglar alarm is if you don't turn it on.
On a lighter note:
Dark Helmet: "Give us the combination to the air shield!"
King Roland: "All right! All right. It's 1-2-3-4-5."
Dark Helmet: "That's the stupidest combination I've ever heard in my life! That's the kind of combination an idiot would have on his luggage."
[enter President Skroob]
President Skroob: "Did you get the combination to the air shield?"
Dark Helmet: "Yes! It's 1-2-3-4-5."
President Skroob: "That's amazing! I have the same combination on my luggage!"
Mel Brooks FTW.
They're also lovers.
The vulnerability does not happen on any iPhone coming directly from Apple. It's only devices that are jailbroken, then only devices that have sshd installed, and then only devices where those users left the default password in place because, hey - who is going to scan for an iPhone in a coffee shop?
I agree generally with your point about a monoculture, but this is not it. It's a stupid default on a security tool shipped by a third party, that a smaller percentage of users will have (though the last I heard the jailbroken iPhone population was north of a million so it's still significant).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
http://blog.jeltel.com.au/2009/11/interview-with-ikee-iphone-virus.html
Thanks, a great read OzJD... Hopefully the people making the jailbreaks will fix it up ASAP!
It's worth noting that the kind of person who compiles these statistics doesn't use quite the same terminology as everyone else. Smartphone only covers the top end of what most people would think of as a smartphone. The (much larger) rest of this market is comprised of things called 'feature phones,' which includes things that were smartphones a couple of years ago. It's not just a simple split between dumb phones that make calls and send SMS and smartphones which do other stuff too; they split the market into four or five largely arbitrary segments, of which smartphones is the smallest (although growing quickly).
I am TheRaven on Soylent News
Sadly, this will do nothing but make Apple more sure that they should not open up the iPhone platform more.
...which is complete BS! Whether Apple opens up the platform or not will not depend on an issue like this. It will depend on their vision on how to make money and keep it selling. If they allow an ssh-server in the future, knowing this, they will force the user to change the password to something else.
OzJD, you're so dreamy...:) I wish I could take you home with me
"Other inquisitive hackers may also be tempted to experiment once they read about the world's first iPhone worm."
Yay spread the word slashdot!
I wish you were here so I could take a dump on your head.
LOL
If you are too stupid to change the default password on the SSH server running on your iPhone, you shouldn't have a jailbroken iPhone. You should leave the damn software alone so that Big Daddy Jobs can take care of security for you. Come back and see us jailbreakers when you get to wear your big boy panties.
A little misunderstanding? Galileo and the Pope had a little misunderstanding...
Since we all know only douchebags spend way too much on a locked down, overly-proprietary piece of crap iPhone to show off to their friends so they think they're cool, I'd like to see a worm that makes it randomly play over the speaker, "Warning! Incoming douchebag! Douchebag over here, watch out!"
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
He he. How things are speeding up! Imagine this title, I don't know, 10-15 years ago. iPhone worm?? Rickroll??? Jailbroken Phone?
My phone is Jailbroken but Cydia wasn't on it. I fired up PuTTY and nope, connection rejected. Tried to install SSH with Rock, it failed claiming that it didn't have Superuser privs. I fired up blacKra1n and installed Cydia. During the install Cydia appeared to install SSH but still no connection. I went in and reinstalled SSH, now I got a connection with the default password. But wait, at the bottom of the SSH install screen where it tells you how to use it they TELL YOU TO CHANGE THE PASSWORD! They also provide you a link to an article detailing HOW TO DO THAT. At this point I already had an SSH connection so I issued a passwd and changed it. TaDa, that hard to do - sheesh! I also installed an interesting little tool called Toggle SSH, gee guess what that does very well? Yup, blocks SSH connections at the press of a button - like a toggle ;-)
So, I had to jump through hoops to install the damned thing, then I received CLEAR instructions on how to change the default password, AND there's a simple to use FREE program out there that disables it. Obviously it might get installed as part of other things depending upon how you jailbroke but come on, they could not have made this too much easier to fix! If people are getting spanked by this well, perhaps they should have been a little more cognizant when they jailbroke? It's not hard to fix via any computer with SSH on it and you can even load a terminal program local to the phone to fix it....
Build it, Drive it, Improve it! Hybridz.org
Yes, but what makes you think jailbreaking app writers are interested in usability? It seems to me that if you are taking a device and making it perform outside its manufacturer-specified parameters, you are taking that responsibility upon yourself. Whether you are using your own tools or something provided by a third party is irrelevant.
How is this worse (responsibility-wise) than having a phone bricked because of a botched jailbreaking attempt?
I'm not writing off the users as stupid, but they are certainly not blameless.
No sig
The SBSettings utility has a "ssh toggle" that re-enables SSH at every reboot. As I recall, the developer claims that this is because you might need SSH access if your phone fails to boot properly. Of course, it also means that many users that believe they have "toggled off" SSH end up with sshd running again as soon as they reboot.
Another lame "feature" of SBSettings is that it tries to remove your /etc/hosts if you are blocking spyware/malware/adware. As far as I can tell, this allows the developer to make money by having SBSettings pull data from companies that offer him money for access to your phone.
The whole jailbreak scene seems to be focused on making money by partnering with questionable adware/malware/spyware companies, rather than embracing open source ideals.
... you were running Linux^H^H^H^H^H Android
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
When I was working in the industry, the definitions used were pretty straightforward:
A smartphone is a phone that can run 3rd party applications.
A feature phone can't run 3rd party applications. But it does have built in applications significantly beyond the basic phone, contacts and SMS features.
That's not quite as arbitrary as it may at first sound. Being able to run 3rd party applications implies an OS with general purpose APIs. And that justification gives rise to another small category of phones. Closed smartphones. They are phones with OSs which are designed for smartphones, but which have had the facility to install applications blocked.
> wallpapers have been changed by a worm to an image of '80s pop icon Rick Astley
I would say that this is a textbook contravention of Article 5 of the Universal Declaration of Human Rights :-)
is alpine.
music lover since 1969
All I have to say is they deserve what they get! They should be happy it's just a wallpaper change - the worm could've been programmed to do much worse. Jailbreakers are all thieves!
Would you like a Tin Foil Hat with that?
I read about another worm from some guy who I believe was in Holland. It told you your phone was insecure and extorted you for money to fix it.
Don't call it "jailbreaking"....
That implies that you're doing something immoral/unethical (breaking someone out of jail).
Call it for what it really is... removing DRM (taking back the ownership of a device you own).
And also on a similar subject, get rid of the word "homebrew".... makes it sound like it's substandard or promoting the corporate agenda.
Call it "arbitrary code execution". (ACE)
Sure it doesn't have the same ring but it's a helluva lot more honest and defeats corporate propaganda.
Science : Proprietary , Knowledge : Open Source
So this worm is aimed at people who are smart enough to jailbreak an iPhone, but stupid enough not to change a default password. Sounds like a narrow band detection device.
Unfortunately, TFA claims that 26/27 people fail to RTFM and change the default password...at least in the area of the worm's author.
After years of not using a signature, I am going to make one to say the following: Fuck Beta
Virus is replacing a static image, not a video.
Image should be replaced with a duckroll.
No proper villains these days.
Crap. What did the new CSS do with the "Post anonymously" option??
Apple are directly responsible for the security theater around the iPhone, suing people discussing it, suing websites, bricking people's phones remotely and being general dicks. Attempts by Apple to try and suppress, threaten, intimidate or impede free and open discussion and collaboration using the iPhone as an open extensible platform inevitably will result in lower quality software as developers are forced underground for their own safety. Which is a pretty sad mafiaesque bit of douchebaggery on Apple's behalf.
There's no firewall on the iPhone?
glad I own a pre!
good default iptables ruleset ftw!
Oh my, I seem to have upset an Apple fanboy with mod points.
"Security theater" ? Oh, please. It's Apple's product and if you don't like their terms you can choose not to buy it.
Why don't you leave the discussion to the grown-ups... you're way out of your league.
he'd better get an IT-savvy lawyer ASAP and keep his mouth shut until then IMHO.
CRIMINAL CODE ACT 1995 (Cth)
478.1 Unauthorised access to, or modification of, restricted data
(1) A person is guilty of an offence if:
(a) the person causes any unauthorised access to, or modification of, restricted data; and
(b) the person intends to cause the access or modification; and
(c) the person knows that the access or modification is unauthorised; and
(d) one or more of the following applies:
(i) the restricted data is held in a Commonwealth computer;
(ii) the restricted data is held on behalf of the Commonwealth;
(iii) the access to, or modification of, the restricted data is caused by means of a carriage service.
Penalty: 2 years imprisonment.
(2) Absolute liability applies to paragraph (1)(d).
(3) In this section:
restricted data means data:
(a) held in a computer; and
(b) to which access is restricted by an access control system associated with a function of the computer.
http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/previewlodgmentattachments/AD40CB005B74CBECCA2576040024B618/$file/CriminalCode1995_WD02.htm#param884
or
http://www.austlii.edu.au/au/legis/cth/consol_act/cca1995115/sch1.html
Wow. You're either stupid, or trolling.
I'll go with trolling. No one is that stupid.
We identified this issue a while ago... Interesting to see that it has now been exploited...
http://e-sentinel.com/October-Newsletter-iPhone-Security-pg10990.html
Wow.
I think we can no longer use pure "Market Share" as an excuse for the current dearth of malware on Linux platforms. This exploit targets only those who are savvy enough to be able to install sshd on their iPhone, yet are too ignorant to know or care that there is a default password that should be changed. That's gotta be a really limited target group, IMHO.
Ahh - My eye!
The doctor said I'm not supposed to get Slashdot in it!
Here in Canada, carriers refuse to unlock even phones paid in full. Not only does it limit the freedom of consumers but since all carriers are in on it, it smacks of collusion.
Now that there are multiple GSM carriers in Canada (Bell, Telus, Rogers/Fido), I encourage all of my fellow Canadians to write to the CRTC mailto:info@ccts-cprst.ca and their local Member of Parliament to force the carriers to provide an unlock either for free or for a reasonable fee to any customer who has either:
a) purchased an iPhone at full price
b) completed their contract term for the iPhone 3G or
c) paid the ETF after being a customer for more than 6 months
If Fido and Rogers had competent management, they would take the opportunity to offer unlocked phones as a competitive advantage over Bell and Telus as well as use it as an opportunity to earn some extra money in unlocking fees. It would also potentially increase their customer retention rates as customers would no longer feel like they were imprisoned by their carrier when they travelled abroad or went to Mexico/US for winter as "snow birds".
Jesus was a compassionate social conservative who called individuals to sin no more.
I get the impression it doesn't. Just connects SSH, and sends some commands to change your desktop.
No self propagation = not really a worm.
(quickly ducks)
RS
Shoes for Industry. Shoes for the Dead.
Written by Apple??
You shouldn't be condescending while wearing boy panties.
Go to Cydia, manage tab, packages, and see if OpenSSH is on the list of installed packages.
If it is, download and install a package from Cydia called MobileTerminal.
Start MobileTerminal, type in "su", then type in the default password "alpine", then type in "passwd", and set a new password (don't use " quote marks " in any of these commands)
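Beyond changing the password, the other two things worth checking on a phone with OpenSSH installed are whether sshd still accepts password logins for root and mobile at all, and whether anyone has already logged in that way. The script below is an added example, not code from the thread or from any jailbreak package: it audits an sshd_config fragment against the standard OpenSSH directives (PasswordAuthentication, PermitRootLogin) and scans standard OpenSSH "Accepted ... for ... from ..." log lines for password logins to the two default accounts from non-loopback addresses. The config and log lines are constructed samples; treating absent directives as "yes" matches the 2009-era OpenSSH defaults and is an assumption about the jailbreak package's shipped config.

```python
"""Audit sshd for the exposure the ikee worm used: password logins for the
root/mobile accounts, which both ship with the default password 'alpine'."""
import ipaddress
import re

DEFAULT_ACCOUNTS = ("root", "mobile")   # both use the same default password

# Matches the standard OpenSSH success line, e.g.
#   sshd[412]: Accepted password for root from 203.0.113.7 port 51234 ssh2
ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_sshd_config(text):
    """Return {directive (lowercased): value}. As in sshd itself, the first
    occurrence of a directive wins; comments and blank lines are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def audit_config(text):
    """Return a list of (directive, advice) for settings that let a default
    password alone open the phone. Absent directives are treated as 'yes',
    the OpenSSH default of the time (assumption for the jailbreak package)."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("PasswordAuthentication",
                         "set 'PasswordAuthentication no' and log in with a key"))
    if cfg.get("permitrootlogin", "yes").lower() == "yes":
        findings.append(("PermitRootLogin",
                         "set 'PermitRootLogin no' and use su from the mobile account"))
    return findings


def scan_auth_log(lines):
    """Return (user, ip) for every password login to a default account from a
    non-loopback address: exactly the footprint a default-password worm leaves."""
    hits = []
    for line in lines:
        m = ACCEPTED.search(line)
        if not m:
            continue
        if (m["method"] == "password" and m["user"] in DEFAULT_ACCOUNTS
                and not ipaddress.ip_address(m["ip"]).is_loopback):
            hits.append((m["user"], m["ip"]))
    return hits


# Constructed samples: the weak configuration and its hardened counterpart.
WEAK_CONFIG = """# constructed: effectively what a password-only sshd allows
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """# constructed: key-only access, no direct root login
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""
SAMPLE_LOG = [  # constructed log lines in the standard OpenSSH format
    "Nov  8 21:14:02 iPhone sshd[412]: Accepted password for root from 203.0.113.7 port 51234 ssh2",
    "Nov  8 21:14:05 iPhone sshd[415]: Accepted password for mobile from 127.0.0.1 port 51240 ssh2",
    "Nov  8 21:15:11 iPhone sshd[420]: Accepted publickey for mobile from 198.51.100.9 port 51301 ssh2",
    "Nov  8 21:16:00 iPhone sshd[423]: Failed password for root from 203.0.113.8 port 51302 ssh2",
]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "config findings:", audit_config(cfg) or "none")
    print("remote password logins to default accounts:", scan_auth_log(SAMPLE_LOG))
```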
Typing "su" "alpine" and "passwd" can get you in a load of trouble. The passwd binary on the iPhone, at least last time I tried it, was not working properly.
See
http://blog.matsimitsu.nl/english/183/howto-fix-the-edit-home-screen-loop-for-iphone
It is Apple's default password, which is alpine. Also, largest threat to Apple ecosystem's security comes from Apple apologizers and conspiracy theorists popping up from nowhere every single time some story mentioning OS X security pops up.
Apple forces people to jailbreak their phones, so some noobs who are technically incapable of maintaining a full-featured UNIX server also become victims. Nokia/Blackberry/Windows Mobile users don't feel the need to hack their system security, so there is no Rick wallpaper on their screens.
I believe if you are a developer with SDK, you can do anything on your _own_ device but you can't distribute the application (it won't install) to Symbian scene without review (way different focus than app store) process by a Symbian signing consultant.
If you are a technical user, you can download free/open source/independent apps and sign them to your device IMEI (unique hw ID) to have features like "add to startup". It is more like OS X "super user" (Administrator) permissions, still not root.
For complete, God-like permissions, you need a very special license and it is not trivial to get it. I got only a single one of that kind, an over-the-air backup application distributed by my own cell provider that stores data on their servers.
It is a hassle and complicated, but Nokia had to learn their lesson from the Cabir worm, which cost them millions in terms of image/service. So they had to come up with a "less evil" solution, the best of both worlds... It still won't change the minds of Apple apologizers though; they will still use Symbian Signed, which is a security/privacy/battery life guard, for App Store arguments.
Users are illiterate, for the most part. Their computer already talks too much to them and most of the time has nothing interesting to say, so they reckon it's safe to ignore it all the time.
That being said, *which* default password are we talking about? Which authentication method is ssh using on an iPhone? Ars Technica, for a similar incident, suggests that it's Apple who is setting default passwords, not the distributors of the jailbreaking software. Is this accurate?
Is it possible that someone could create an application that starts from a jailbroken phone and breaks open all the phones that it is capable of reaching, and then repeat? Could this be done quietly to prepare the next round of the virus, when it then does something more sinister, like change your ringtone to the actual song "Never gonna give you up". :)
After reading the news article that thrice-blasted song is back.
Well, you are talking about customers who managed to a) jailbreak their iPhone, and b) install OpenSSH on it in the first place. I really don't see it as that big a stretch to expect such people to have a basic clue about security (i.e. default password bad)
The only people this will affect are the people who bitch about the iPhone being "locked", so they jailbroke their phone. The same vast, intelligent minds who know better than Apple managed to install an app and leave the default password in place. Why shouldn't we listen to great minds like this when they tell Apple what to do with their platform?
Not likely. Of course it only affects jailbroken iPhones, you can't put OpenSSH on a non-jailbroken phone. To see a conspiracy there is pure stupidity, or outright trolling. It looks like a mod gave you the benefit of the doubt.
I don't see how this invalidates my point. You're saying that it's impossible to put the virus on a non-jailbroken phone ... which is exactly what Apple would want if they designed the virus themselves.
This infects the idiots that jailbreak their iPhones so they can say "LOL I'm soo 1337, I h4x0r3d my iPhone and it works fiNEVER GONNA GIVE YOU UP NEVER GONNA LET YOU DOWN..."
The kiddies need to get a clue.
Two things to clarify:
1. Exploiting the security hole with a Rick Roll is precisely the nice way the nice hacker used to tell you to lock your back door and avoid a real threat.
2. Sophos did not claim the worm not to be harmless. It says that the exploit is not harmless. From TFA:
Presently it appears that the worm does nothing more malicious than spread and change the infected user's lock screen wallpaper. However, that doesn't mean that attacks like this can be considered harmless.
http://dilbert.com/2010-12-13
A true iPhone hacker will write a worm that will infect a 'vanilla' gold master iPhone running OSX as released by the vendor. If this genius is as smart as he claims, here is my challenge to him: 1. Have the same exploit code running in the worm perform the same actions on a 'vanilla' iPhone. Modify your genius code to, 1. Download / Run / Execute / Install all the tools it would like after a user clicks a link from a browser. **** My guess is that was too hard, so this idiot decided to use a jailbroken iPhone, which would allow him to install all the tools he needs without writing any exploit code to do that.
You have to completely disable all of your iPhone's security features using 3rd party software to get this to run. This reminds me of the "iPod malware" that only worked on iPods that were running Linux.
Agreed - and it's debatable whether the iPhone is a smartphone anyway. It can't multitask, it doesn't have a keyboard, and doesn't use a standard off-the-shelf OS, which are the only ways one can plausibly separate smartphones from feature phones. Things like Internet access or running apps are bog-standard for "feature phones".
The only definition it satisfies is being in the high end cost segment. So the iPhone doing better in that market is like that news we had a while ago that Apple were the best selling PC manufacturer in computers costing over $1,000. All that tells us is that Apple are expensive!
Indeed - IIRC, in the phone market they're about 1%. God knows why they get so much attention, whilst market leaders like Nokia and Samsung are ignored.
The iPhone isn't a smartphone, so they don't exist in that market.
Well, since there is no clear definition of what a smartphone actually is, that's kind of hard to say. But I think generally a phone is considered a smartphone when it can be connected with the internet and 3rd party applications can be installed.
I don't know what definition of a smartphone you are using, but I can't think of anything that would exclude the iPhone to be honest.
Pretty good is actually pretty bad.
The people affected by this should not be written off as stupid though! Cellular phone + RTFM or it will get broken into = _serious_ usability flaw.
Yes, but what makes you think jailbreaking app writers are interested in usability?
I used an exclamation point, but it seems you have missed it. Maybe this helps. The intent of the SSHD authors is not in question.
They might be confused by the recent report that Apple is the MOST PROFITABLE cell phone manufacturer (I think in the last year). They make more money from their phones while selling fewer actual phones. A higher profit margin is a good business model if you can still actually sell the product, which they have no trouble doing.
I tried ssh after a clean install on my iPhone after changing the password. SSH did NOT require a password when I tried to log in remotely to root@IPHONEIP. Default install with new passwords set.
mobile@IPHONEIP asks for a password but not root@IPHONEIP. Can someone verify and write back.
DRM? No thanks, I'll just get it somewhere else...