Slashdot Mirror


First iPhone Worm Discovered, Rickrolls Jailbroken Phones

Unexpof writes "Users of jailbroken iPhones in Australia are reporting that their wallpapers have been changed by a worm to an image of '80s pop icon Rick Astley. This is the first time a worm has been reported in the wild for the Apple iPhone. According to a report by Sophos, the worm, which exploits users who have installed SSH and not changed the default password, hunts for other vulnerable iPhones and infects them. Users are advised to properly secure their jailbroken iPhones with a non-default password, and Sophos says the worm is not harmless, despite its graffiti-like payload: 'Accessing someone else's computing device and changing their data without permission is an offense in many countries — and just as with graffiti there is a cost involved in cleaning-up affected iPhones. ... Other inquisitive hackers may also be tempted to experiment once they read about the world's first iPhone worm. Furthermore, a more malicious hacker could take the code written by ikee and adapt it to have a more sinister payload.'"

48 of 215 comments

  1. Summary: it affects ignorant fools by Nimey · · Score: 4, Insightful

    FFS, why is there even a default password on sshd for the jailbroken phones? It should default to being disabled and then require you to enter your own password when it's enabled.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:Summary: it affects ignorant fools by stillpixel · · Score: 4, Funny

      In the meantime Apple has cut a very handsome check for ikee's services in proving jailbroken phones to be bad bad bad : )

    2. Re:Summary: it affects ignorant fools by 99BottlesOfBeerInMyF · · Score: 3, Insightful

      ...why is there even a default password on sshd for the jailbroken phones?

      Probably because the people writing an SSH client for a hacked version of a cell phone have little or no incentive to spend time working on details like requiring the user to input a password when the client is installed. Look, if you're going to jailbreak your cellphone and start adding network services like SSH, with very limited user types, you should probably have a clue what you're doing in the first place. I put this right up there with people running Apache on their home Windows XP machine and getting compromised when they don't update it regularly.

    3. Re:Summary: it affects ignorant fools by tgd · · Score: 2, Interesting

      SSHD isn't on jailbroken phones.

      The jailbreak installs very little by default. Only users who installed SSHD deliberately, leave it running all the time, and didn't change the password are impacted.

      Lots of hype, not as big of a deal as it seems. (And, frankly, wouldn't be a big deal if Apple would open up enough of their APIs that the typical apps most people seem to use when they are jailbroken could work...)

    4. Re:Summary: it affects ignorant fools by ceoyoyo · · Score: 2, Informative

      The root "account" on an iPhone is the same for all phones but is normally disabled. At least at some points in time, a jailbreak consisted of enabling SSH and that root account. SSHing into your phone using that account was the only way you could do anything else - it WAS the break.

      Admittedly now, with more user friendly jailbreaks, SSH could ask you to change the password when you install it.

    5. Re:Summary: it affects ignorant fools by Like2Byte · · Score: 3, Funny

      Egad!! Don't you "Get-off-my-lawn"-types get it?

      NOTHING IS WORSE THAN GETTING RICKROLL'D!!

  2. Narrow Band detector by MasterOfGoingFaster · · Score: 5, Insightful

    So this worm is aimed at people who are smart enough to jailbreak an iPhone, but stupid enough not to change a default password. Sounds like a narrow band detection device.

    --
    Place nail here >+
    1. Re:Narrow Band detector by Anonymous Coward · · Score: 5, Informative

      Also, this article fails to mention that the worm disables SSH after infecting the device, therefore kinda cleaning up the problem...

    2. Re:Narrow Band detector by ceoyoyo · · Score: 2, Informative

      Not exactly. Jailbreaking an iPhone these days isn't what it used to be.

      It doesn't even require the command line anymore.

  3. Re:So... by bjackson1 · · Score: 4, Insightful

    Yeah, it's the same kind of thing as Windows... Like if a user installed a remote management protocol, then left the default password on it, and then wondered why they got hacked so easily...

    Not to mention this is NOT apple's software, or anything that apple sanctioned on their phone. It is from hacked phones. Sadly, this will do nothing but make Apple more sure that they should not open up the iPhone platform more.

  4. Something Ironic about the lyrics by masmullin · · Score: 5, Funny

    and the iPhone getting rickroll'd

    http://www.youtube.com/watch?v=3KANI2dpXLw&feature=player_embedded#

  5. SSH by Lennie · · Score: 2, Funny

    I thought SSH was created to add more safety. ;-)

    --
    New things are always on the horizon
    1. Re:SSH by dingen · · Score: 3, Insightful

      Encryption isn't very useful if everyone uses the same key.

      --
      Pretty good is actually pretty bad.
  6. Similar case by Stratoukos · · Score: 5, Informative

    Ars Technica reported a similar case in the Netherlands about a week ago. A teenage "hacker" replaced the wallpaper with one showing an alert that told the user to give him 5 euros for instructions to remove the "virus". Full article

    --
    It may be 7 digits, but at least it's a semiprime
    1. Re:Similar case by dingen · · Score: 3, Funny

      As a response to this, T-Mobile is now in the process of installing firewall software so phones on their network can't communicate with each other, making similar hacks in the future a lot more difficult.

      --
      Pretty good is actually pretty bad.
    2. Re:Similar case by ColdWetDog · · Score: 2, Funny

      Wow. Just, wow.

      Are you fucking kidding me?

      And for you, sir, version 2 -

      It looks for any flashlight app on your system and then when you try to run it, the phone plays "You light up my life".

      Download it now. Be the first on your block.

      --
      Faster! Faster! Faster would be better!
  7. This story seems familiar by Virak · · Score: 2, Informative

    Oh right. Probably someone saw that story too and decided to have a little fun with the same gaping security hole too.

  8. arguably Apple share the blame by CdBee · · Score: 2, Insightful

    the attempts Apple makes to maintain control of devices they have sold are not dissimilar to the fanaticism shown by some of the more unbalanced elements of the user-base. Beyond the pale.

    If their selling strategy for the iPhone was more in line with their competitors, and it could be bought unlocked / without lockdowns on application installation, off-the-shelf as most rivals can, we probably wouldn't need the jailbreaking scene and nor would the virus be spreading this way.

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    1. Re:arguably Apple share the blame by dingen · · Score: 5, Interesting

      The problem is not in the jailbreaking or unlocking of the phone. The problem is people installing OpenSSH but not changing the password (which it does ask you to) and thus allowing SSH-connections to their phone by everyone.

      --
      Pretty good is actually pretty bad.
    2. Re:arguably Apple share the blame by bhtooefr · · Score: 4, Informative

      The only rivals that are completely unlocked are Palm OS (which is a joke), Windows Mobile, and Maemo.

      Android and WebOS do at least allow you to install unsigned apps, but you don't get root access without a jailbreak, and BlackBerry and Symbian both require signed apps and don't even give root to most signed apps. Useful for things like tethering (although not required.)

    3. Re:arguably Apple share the blame by Ma8thew · · Score: 2, Informative

      PalmOS, not WebOS.

    4. Re:arguably Apple share the blame by jcr · · Score: 2, Insightful

      PalmOS isn't a joke, it's just outdated. It did quite well in its time.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    5. Re:arguably Apple share the blame by bhartman34 · · Score: 2, Interesting

      In the case of WebOS, you have to be careful with the term "jailbreak". The process for WebOS is nothing remotely similar to what you have to do with an iPhone. In WebOS, it's a simple matter of entering one of two codes.

      The other difference, of course, is that Palm wants people to hack on the Pre (and soon, the Pixi) as much as possible. They encourage the homebrew community, and don't even clamp down on apps that Sprint would prefer to not have on their phones like MyTether. (Sure, they don't have MyTether in the App Catalog, but they could easily prevent it from being installed altogether, if they had a mind to.)

      As far as the original article, the really unfortunate thing is that Apple's likely reaction to this will be, "So? We told you not to jailbreak your iPhone!" It will lend some (false) legitimacy to the idea that jailbreaking an iPhone is wrong, which will only help Apple lock down iPhones further in the future.

      And I agree with stillpixel. I wouldn't be shocked if Apple themselves had a hand in this.

    6. Re:arguably Apple share the blame by mat128 · · Score: 5, Insightful

      This isn't OpenSSH developers' problem. The jailbreaking utility should prompt you to change your root password. SSH is only allowing you to remotely log on to the device; in the end, if your password is weak/default, you shouldn't run an SSH server.

    7. Re:arguably Apple share the blame by clarkcox3 · · Score: 3, Informative
      --
      There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
    8. Re:arguably Apple share the blame by DavidTC · · Score: 3, Insightful

      Except there's no way into the command line except SSH, and hence no way to change the password.

      'First run' behavior is pretty meaningless when it's a daemon process installed from an interface that doesn't allow it to prompt.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    9. Re:arguably Apple share the blame by J.Y.Kelly · · Score: 3, Interesting

      It depends when you last jailbroke your iPhone. I did a jailbreak early on. I installed OpenSSH and changed the default password. I then found out that the phone entered an infinite loop of restarting the home screen and had to be forcibly restored.

      The problem appears to be that the passwd binary on the phone is (deliberately?) broken so it generates incorrect hashes for the password entered. If you actually want to change your password then you need to jump through some hoops to change it without using the usual passwd command.

    10. Re:arguably Apple share the blame by morgan_greywolf · · Score: 3, Informative

      Perhaps the makers of OpenSSH should change the first-run behavior to require the user enter a new password in order to prevent this issue?

      No. OpenSSH is a tool for allowing remote access to a host. It is not a password manager, login manager, etc. Such functions are best separated from OpenSSH. Perhaps it would be best if the jailbreak utility prompted for a root password, or generated and provided the new SSH private key for the root account to allow for SSH key-based logins and instructed the user to log in via SSH to change the root password. Something like that.

    11. Re:arguably Apple share the blame by BLKMGK · · Score: 2, Informative

      Umm except I just did this with no problems? I logged out and back in with new password, no issues. This is on 3.12. what loop issue did you have and how do you go about triggering it? I will test...

      --
      Build it, Drive it, Improve it! Hybridz.org
    12. Re:arguably Apple share the blame by bhartman34 · · Score: 4, Insightful

      Apple doesn't care what you do with the iPhone, but they do have to close the holes that enable jailbreaking because they're security holes through which Something Bad could go to Do Something Bad.

      Apple absolutely does care what you do with the iPhone. That's why they've updated the ROM in newer 3Gs models to prevent jailbreaking.

      If Apple was okay with jailbreaking, and just interested in closing security holes, they would work on those holes, rather than on preventing jailbreaking altogether. (In fact, that's exactly what Palm does do. One of the first methods to install apps on a Pre was to e-mail yourself a link to an application. Palm (rightfully) closed that hole, but left intact the ability to root a Pre.)

      And I agree with stillpixel. I wouldn't be shocked if Apple themselves had a hand in this.

      Thinking that Apple somehow had a hand in creating this "worm" for jailbroken iPhones is not only considerably misguided (and unfounded), it's utterly moronic.

      I didn't say I believe that Apple had a hand in it. I said I wouldn't be shocked if they did. They've got a vested interest in keeping people from jailbreaking, and this kind of thing (especially because it's relatively innocuous) fits the bill.

    13. Re:arguably Apple share the blame by Tapewolf · · Score: 2, Interesting

      Depends on the version of the OS and policy of the device maker, I think. A few years back I was developing against a Nokia E61 which ran S60r3 (i.e. Symbian 9) and it could only run signed binaries, which made testing on real hardware a nightmare. My understanding was that they got tough with this in version 9 - earlier versions (like the S80 communicator I had before) would happily run unsigned apps.

    14. Re:arguably Apple share the blame by Anonymous Coward · · Score: 3, Insightful

      'First run' behavior is pretty meaningless when it's a daemon process installed from an interface that doesn't allow it to prompt.

      You mean, There isn't an app for that?

    15. Re:arguably Apple share the blame by bhartman34 · · Score: 2

      "If Apple was okay with jailbreaking, and just interested in closing security holes, they would work on those holes, rather than on preventing jailbreaking altogether."

      Ah, color me confused. Jailbreaking takes place through security holes. If they close the holes, as you suggest, then the phone can no longer be jailbroken. Or are they supposed to leave a backdoor specifically for jailbreaking?

      In which case, you've now left a (known) hole in your system for someone (anyone) to exploit.

      My position is that there shouldn't be such a concept as "jailbreaking". Users should not feel imprisoned within the iPhone OS. How much more secure does the OS have to be than BSD Unix? That's the base we're really talking about.

      The idea that allowing users root access when they're the ones administering the phone in the first place seems to me to be a huge fallacy. At some point, you have to trust that your users aren't morons.

  9. Re:What does this mean exactly? how to fix? by dingen · · Score: 2, Informative

    Only people who deliberately installed OpenSSH through Cydia and didn't change the default password are affected by this "virus". If you haven't installed OpenSSH, you're not a target.

    --
    Pretty good is actually pretty bad.
  10. Re:What does this mean exactly? how to fix? by Anonymous Coward · · Score: 5, Informative

    Go to Cydia, manage tab, packages, and see if OpenSSH is on the list of installed packages.

    If it is, download and install a package from Cydia called MobileTerminal.

    Start MobileTerminal, type in "su", then type in the default password "alpine", then type in "passwd", and set a new password (don't use " quote marks " in any of these commands)

  11. I did an interview with ikee-as is seen on my blog by OzJD · · Score: 4, Informative

    Quick spam, but it's a lot more informative: http://blog.jeltel.com.au/2009/11/interview-with-ikee-iphone-virus.html I asked as many questions as I could come up with, and he answered them all :) Source code is listed on that link as well.

  12. Re:DEFAULT PASSWORD? by MindCheese · · Score: 3, Informative

    User: root
    Password: alpine

    Unless you reset it with passwd once you get in (something no guide underscores the importance of, and your typical "ooooh shiny" mass-market Apple consumer won't know), this is the default.

    Having a default password is bad enough, but my question is: why does the cellular network in Australia permit direct device-to-device connections over the air?
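Added example (not code from the thread, from ikee, or from any jailbreak tool): a small POSIX sh audit that follows up on the MobileTerminal how-to in comment 10 and the root/alpine default quoted just above. It reads a Darwin-style master.passwd and lists every account whose password field is still the stock DES-crypt hash of "alpine". Assumptions to check against your own device: the path /etc/master.passwd, the hash string /smx7MYTQIi2M as the shipped default for both the root and the mobile account, and the launchd plist path used by the Cydia OpenSSH package. Because it compares the raw hash field rather than trusting what passwd printed, it also tells you whether a passwd run actually changed anything, which matters given the broken-passwd report further up the thread.

```shell
#!/bin/sh
# Added example, not from the thread or any jailbreak tool.
# Audit a Darwin-style master.passwd for accounts still carrying the
# stock iPhone OS password "alpine" (the default named in the thread).
# ASSUMPTION: this is the DES-crypt hash that shipped for root and
# mobile; compare it with the hash field on your own device.
DEFAULT_HASH='/smx7MYTQIi2M'

# Print, one per line, every account in FILE whose password field is the
# stock hash. master.passwd fields are
#   name:hash:uid:gid:class:change:expire:gecos:home:shell
accounts_with_default_hash() {   # accounts_with_default_hash FILE
    awk -F: -v h="$DEFAULT_HASH" '$0 !~ /^#/ && $2 == h { print $1 }' "$1"
}

# Exit 0 if at least one account in FILE still uses the default password.
has_default_password() {         # has_default_password FILE
    [ -n "$(accounts_with_default_hash "$1")" ]
}

# Report and say what to type next. ASSUMPTION: iPhone OS layout, i.e.
# /etc/master.passwd and the Cydia OpenSSH launchd job plist.
main() {
    file="${1:-/etc/master.passwd}"
    if has_default_password "$file"; then
        echo "Accounts in $file still using the default password:"
        accounts_with_default_hash "$file" | sed 's/^/  /'
        echo "Fix: run 'passwd <account>' for each account listed, then re-run this check."
        echo "Or stop sshd: launchctl unload -w /Library/LaunchDaemons/com.openssh.sshd.plist"
        return 1
    fi
    echo "No account in $file uses the default hash."
}

# Only run the report when a file was given, so the functions can be
# sourced by other scripts without side effects.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it on the device from MobileTerminal or over an SSH session as `sh audit.sh /etc/master.passwd`; a non-zero exit means at least one account still answers to alpine. Change both root and mobile, not just root: an attacker who logs in as mobile still has every user file on the phone.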

  13. don't click it! by jmil · · Score: 2, Informative

    don't click the link. i was fooled. the posting and comments above are sophisticated hacks to get you to click the link and be rickrolled. the tactic recently attempted here: http://bit.ly/3Xdrd

    --
    I wish I were old enough to put "Computer" on my resume.
  14. Re:So... by Anonymous Coward · · Score: 4, Interesting

    I am reminded of those "I'm a Mac, and I'm a PC" commercials. So, Mac's "little brother" I guess is susceptible to the same plagues PCs are.

    Dude . . . it has nothing to do with Mac security. They've installed a third party application on their iPhone -- a service, no less. It's like giving out your house key to everyone, then complaining about how ineffective your house locks are. There are a couple of security practices being ignored by the end user here -- and these are users that, knowing how to jailbreak an iPhone, should know better.

    1. Never leave a default password.

    2. Never install a service if you don't need it. (Okay, maybe some DO need it, but I doubt all of them.)

    The same applies to Windows. Windows is riddled with security problems, hence 75% of Windows viruses still work, whereas less than .001% of Mac viruses still work (if even that). But even so, many "security problems" in Windows are not the fault of Windows, but of the user running it. It doesn't matter how perfect your burglar alarm is if you don't turn it on.

    On a lighter note:

    Dark Helmet: "Give us the combination to the air shield!"

    King Roland: "All right! All right. It's 1-2-3-4-5."

    Dark Helmet: "That's the stupidest combination I've ever heard in my life! That's the kind of combination an idiot would have on his luggage."

    [enter president Skroob]

    President Skroob: "Did you get the combination to the air shield?"

    Dark Helmet: "Yes! It's 1-2-3-4-5."

    President Skroob: "That's amazing! I have the same combination on my luggage!"

    Mel Brooks FTW.

  15. Re:DEFAULT PASSWORD? by argent · · Score: 4, Interesting

    Having a default password is bad enough, but my question is: why does the cellular network in Australia permit direct device-to-device connections over the air?

    Once you're running an IP stack, you'd have to make a deliberate and non-trivial effort to prevent direct connections, no?

  16. Not Apple though by SuperKendall · · Score: 3, Insightful

    The vulnerability does not happen on any iPhone coming directly from Apple. It's only devices that are jailbroken, then only devices that have sshd installed, and then only devices where those users left the default password in place because, hey - who is going to scan for an iPhone in a coffee shop?

    I agree generally with your point about a monoculture, but this is not it. It's a stupid default on a security tool shipped by a third party, that a smaller percentage of users will have (though the last I heard the jailbroken iPhone population was north of a million so it's still significant).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  17. Re:What does this mean exactly? how to fix? by tgd · · Score: 2, Insightful

    And on top of that, leave it running.

    SBSettings, folks. Turn it on when you need it. If you're not using it, why leave it on even if you have changed the password?

  18. Re:What does this mean exactly? how to fix? by francium+de+neobie · · Score: 3, Informative

    You can also... ehh... ssh to your iPhone and change it right after you jailbroke your iPhone. You'll need a wifi network and another computer to do that, of course.

  19. Re:DEFAULT PASSWORD? by ceoyoyo · · Score: 3, Informative

    Actually, most of the jailbreaking guides did make a big deal of changing your password, back when installing SSH was a required part of the process. Apparently when you install SSH through Cydia today it also suggests you change the password. So the people who got hacked ignored a clear warning.

    Once you connect your phone to the Internet, device to device connections are sort of the default. You have to purposely block incoming connections to prevent it.
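Added example, not from the thread or from the Cydia OpenSSH package: a POSIX sh helper that rewrites an sshd_config along the lines suggested further up (key-based login instead of a password) and acts on the point made just above that incoming connections have to be blocked deliberately. It forces PasswordAuthentication off, disables the keyboard-interactive fallback, limits root to public-key login, and binds sshd to a single address so it stops answering on the cellular interface. The directive names are standard OpenSSH ones; the 192.168.1.23 address is a constructed placeholder, and the assumption that the device's Wi-Fi address is the one you want to keep listening is yours to verify.

```shell
#!/bin/sh
# Added example, not from the thread or the Cydia OpenSSH package.
# Harden an sshd_config so a default or weak password is no longer
# enough to log in, and so sshd listens on one chosen address only.

# Print FILE with directive KEY set to VALUE exactly once. Every
# existing copy of the directive, commented out or not, is dropped and
# a single authoritative line is appended. sshd honours the first
# occurrence of a directive, so leaving old copies behind is unsafe.
set_directive() {   # set_directive FILE KEY VALUE
    awk -v k="$2" -v v="$3" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # ignore a leading comment marker
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(k)) next  # drop every old copy
            print
        }
        END { print k " " v }
    ' "$1"
}

# Print the effective (first uncommented) value of KEY in FILE, or
# nothing if it is unset and sshd's compiled-in default applies.
directive_value() {   # directive_value FILE KEY
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Write a hardened copy of INFILE to OUTFILE. LISTEN_ADDR is the one
# address sshd should bind (ASSUMPTION: your Wi-Fi address, not the
# cellular one). "without-password" is the OpenSSH 5.x spelling of
# key-only root login; newer releases also accept "prohibit-password".
harden_sshd_config() {   # harden_sshd_config INFILE OUTFILE LISTEN_ADDR
    work="$(mktemp)"
    cp "$1" "$work"
    for kv in "PasswordAuthentication no" \
              "ChallengeResponseAuthentication no" \
              "PubkeyAuthentication yes" \
              "PermitRootLogin without-password" \
              "ListenAddress $3"; do
        key="${kv%% *}"
        val="${kv#* }"
        set_directive "$work" "$key" "$val" > "$work.new" && mv "$work.new" "$work"
    done
    mv "$work" "$2"
}

# Example run when invoked with arguments: harden.sh IN OUT ADDR
if [ $# -eq 3 ]; then
    harden_sshd_config "$1" "$2" "$3"
    for k in PasswordAuthentication PermitRootLogin ListenAddress; do
        echo "$k -> $(directive_value "$2" "$k")"
    done
fi
```

Put your public key in /var/root/.ssh/authorized_keys before installing the new config, or you lock yourself out; then restart sshd (on a Cydia install, launchctl unload and load of its LaunchDaemons plist, or the SSH toggle mentioned in the thread). A ListenAddress bound to a DHCP-assigned address stops working when that address changes, so a toggle that only starts sshd when you need it remains the simplest defence; the config change is what protects you in the minutes it is on.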

  20. A message for default passworded iPhone users... by TheJodster · · Score: 3, Informative

    If you are too stupid to change the default password on the SSH server running on your iPhone, you shouldn't have a jailbroken iPhone. You should leave the damn software alone so that Big Daddy Jobs can take care of security for you. Come back and see us jailbreakers when you get to wear your big boy panties.

    --
    A little misunderstanding? Galileo and the Pope had a little misunderstanding...
  21. Okay so I tried this... by BLKMGK · · Score: 4, Informative

    My phone is Jailbroken but Cydia wasn't on it. I fired up Putty and nope, connection rejected. Tried to install SSH with Rock, it failed claiming that it didn't have Superuser privs. I fired up blacKra1n and installed Cydia. During the install Cydia appeared to install SSH but still no connection. I went in and reinstalled SSH, now I got a connection with the default password. But wait, at the bottom of the SSH install screen where it tells you how to use it they TELL YOU TO CHANGE THE PASSWORD! they also provide you a link to an article detailing HOW TO DO THAT. At this point I already had an SSH connection so I issued a passwd and changed it. TaDa, that hard to do - sheesh! I also installed an interesting little tool called Toggle SSH, gee guess what that does very well? Yup, blocks SSH connections at the press of a button - like a toggle ;-)

    So, I had to jump through hoops to install the damned thing, then I received CLEAR instructions on how to change the default password, AND there's a simple to use FREE program out there that disables it. Obviously it might get installed as part of other things depending upon how you jailbroke but come on, they could not have made this too much easier to fix! If people are getting spanked by this well, perhaps they should have been a little more cognizant when they jailbroke? It's not hard to fix via any computer with SSH on it and you can even load a terminal program local to the phone to fix it....

    --
    Build it, Drive it, Improve it! Hybridz.org
  22. Re:So... by secolactico · · Score: 2, Insightful

    Cellular phone + RTFM or it will get broken into = _serious_ usability flaw

    Yes, but what makes you think jailbreaking apps writers are interested in usability? It seems to me that if you are taking a device and making it perform outside its manufacturer-specified parameters, you are taking that responsibility upon yourself. If you are using your own tools or something provided by a third party is irrelevant.

    How is this worse (responsibility-wise) than having a phone bricked because of a botched jailbreaking attempt?

    I'm not writing off the users as stupid, but they are certainly not blameless.

    --
    No sig
  23. The Root Password by djdavetrouble · · Score: 4, Informative

    is alpine.

    --
    music lover since 1969