First iPhone Worm Discovered, Rickrolls Jailbroken Phones
Unexpof writes "Users of jailbroken iPhones in Australia are reporting that their wallpapers have been changed by a worm to an image of '80s pop icon Rick Astley. This is the first time a worm has been reported in the wild for the Apple iPhone. According to a report by Sophos, the worm, which exploits users who have installed SSH and not changed the default password, hunts for other vulnerable iPhones and infects them. Users are advised to properly secure their jailbroken iPhones with a non-default password, and Sophos says the worm is not harmless, despite its graffiti-like payload: 'Accessing someone else's computing device and changing their data without permission is an offense in many countries — and just as with graffiti there is a cost involved in cleaning-up affected iPhones. ... Other inquisitive hackers may also be tempted to experiment once they read about the world's first iPhone worm. Furthermore, a more malicious hacker could take the code written by ikee and adapt it to have a more sinister payload.'"
FFS, why is there even a default password on sshd for the jailbroken phones? It should default to being disabled and then require you enter your own password when it's enabled.
Hail Eris, full of mischief...
E pluribus sanguinem
So this worm is aimed at people who are smart enough to jailbreak an iPhone, but stupid enough not to change a default password. Sounds like a narrow band detection device.
Place nail here >+
Yeah, it's the same kind of thing as Windows... Like if a user installed a remote management protocol, then left the default password on it, and then wondered why they got hacked so easily...
Not to mention this is NOT apple's software, or anything that apple sanctioned on their phone. It is from hacked phones. Sadly, this will do nothing but make Apple more sure that they should not open up the iPhone platform more.
and the iPhone getting rickroll'd
http://www.youtube.com/watch?v=3KANI2dpXLw&feature=player_embedded#
Ars Technica reported a similar case in the Netherlands about a week ago. A teenage "hacker" replaced the wallpaper with one showing an alert that told the user to give him 5 euros for instructions to remove the "virus". Full article
It may be 7 digits, but at least it's a semiprime
Go to Cydia, manage tab, packages, and see if OpenSSH is on the list of installed packages.
If it is, download and install a package from Cydia called MobileTerminal.
Start MobileTerminal, type in "su", then type in the default password "alpine", then type in "passwd", and set a new password (don't use " quote marks " in any of these commands)
The problem is not in the jailbreaking or unlocking of the phone. The problem is people installing OpenSSH but not changing the password (which it does ask you to) and thus allowing SSH-connections to their phone by everyone.
Pretty good is actually pretty bad.
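A way to confirm that the `passwd` step in the comment above actually took effect, as an added example that is not part of the original thread: it reads a BSD-style master.passwd on stdin and flags login accounts whose hash still equals the one shipped in the stock image. The hash strings, the sample file and the function names are constructed placeholders; the real stock hash has to be copied from an unmodified image's password file.

```sh
#!/bin/sh
# Added example. Hash strings below are placeholders, not real crypt(3) output.
STOCK_HASH='STOCKHASH0000'

# Constructed sample in master.passwd layout (10 colon-separated fields).
sample_master_passwd() {
    cat <<'EOF'
# constructed sample, not from a real device
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:STOCKHASH0000:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:NEWHASH000001:501:501::0:0:Mobile User:/var/mobile:/bin/sh
EOF
}

# audit_passwd STOCK_HASH   (password file text on stdin)
# Prints one line per account that can log in with a password:
#   DEFAULT <user>  hash identical to the stock image, passwd was never run
#   EMPTY   <user>  no password set at all
#   CHANGED <user>  hash differs from the stock image
# Returns 1 if any DEFAULT or EMPTY account was found, 0 otherwise.
audit_passwd() {
    stock=$1
    rc=0
    while IFS=: read -r user hash _uid _gid _class _chg _exp _gecos _home shell; do
        case $user in ''|'#'*) continue ;; esac              # blank or comment
        case $shell in */false|*/nologin) continue ;; esac   # no login shell
        case $hash in
            '*'*|'!'*) continue ;;                           # locked account
            '')        echo "EMPTY $user";   rc=1 ;;
            "$stock")  echo "DEFAULT $user"; rc=1 ;;
            *)         echo "CHANGED $user" ;;
        esac
    done
    return $rc
}

# Demo on the constructed sample; "|| true" keeps the script going on findings.
sample_master_passwd | audit_passwd "$STOCK_HASH" || true
```

On a device the same function would be fed the real password file on stdin, run as root. Because every copy of a stock image carries the same hash string, a plain string comparison is enough to show that the password was never changed.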
The only rivals that are completely unlocked are Palm OS (which is a joke,) Windows Mobile, and Maemo.
Android and WebOS do at least allow you to install unsigned apps, but you don't get root access without a jailbreak, and BlackBerry and Symbian both require signed apps and don't even give root to most signed apps. Useful for things like tethering (although not required.)
Quick spam, but it's a lot more informative: http://blog.jeltel.com.au/2009/11/interview-with-ikee-iphone-virus.html I asked as many questions as I could come up with, and he answered them all :)
Source code is listed on that link as well
I am reminded of those "I'm a Mac, and I'm a PC" commercials. So, Mac's "little brother" I guess is susceptible to the same plagues PCs are.
Dude . . . it has nothing to do with Mac security. They've installed a third party application on their iPhone -- a service, no less. It's like giving out your house key to everyone, then complaining about how ineffective your house locks are. There are a couple of security practices being ignored by the end user here -- and these are users that, knowing how to jailbreak an iPhone, should know better.
1. Never leave a default password.
2. Never install a service if you don't need it. (Okay, maybe some DO need it, but I doubt all of them.)
The same applies to Windows. Windows is riddled with security problems, hence 75% of Windows viruses still work, whereas less than .001% of Mac viruses still work (if even that). But even so, many "security problems" in Windows are not the fault of Windows, but of the user running it. It doesn't matter how perfect your burglar alarm is if you don't turn it on.
On a lighter note:
Dark Helmet: "Give us the combination to the air shield!"
King Roland: "All right! All right. It's 1-2-3-4-5."
Dark Helmet: "That's the stupidest combination I've ever heard in my life! That's the kind of combination an idiot would have on his luggage."
[enter president Skroob]
President Skroob: "Did you get the combination to the air shield?"
Dark Helmet: "Yes! It's 1-2-3-4-5."
President Skroob: "That's amazing! I have the same combination on my luggage!"
Mel Brooks FTW.
Having a default password is bad enough, but my question is: why does the cellular network in Australia permit direct device-to-device connections over the air?
Once you're running an IP stack, you'd have to make a deliberate and non-trivial effort to prevent direct connections, no?
This isn't OpenSSH developers' problem. The jailbreaking utility should prompt you to change your root password. SSH is only allowing you to remotely log on the device, in the end if your password is weak/default, you shouldn't run an SSH server.
My phone is Jailbroken but Cydia wasn't on it. I fired up Putty and nope, connection rejected. Tried to install SSH with Rock, it failed claiming that it didn't have Superuser privs. I fired up blacKra1n and installed Cydia. During the install Cydia appeared to install SSH but still no connection. I went in and reinstalled SSH, now I got a connection with the default password. But wait, at the bottom of the SSH install screen where it tells you how to use it they TELL YOU TO CHANGE THE PASSWORD! they also provide you a link to an article detailing HOW TO DO THAT. At this point I already had an SSH connection so I issued a passwd and changed it. TaDa, that hard to do - sheesh! I also installed an interesting little tool called Toggle SSH, gee guess what that does very well? Yup, blocks SSH connections at the press of a button - like a toggle ;-)
So, I had to jump through hoops to install the damned thing, then I received CLEAR instructions on how to change the default password, AND there's a simple to use FREE program out there that disables it. Obviously it might get installed as part of other things depending upon how you jailbroke but come on, they could not have made this too much easier to fix! If people are getting spanked by this well, perhaps they should have been a little more cognizant when they jailbroke? It's not hard to fix via any computer with SSH on it and you can even load a terminal program local to the phone to fix it....
Build it, Drive it, Improve it! Hybridz.org
Apple doesn't care what you do with the iPhone, but they do have to close the holes that enable jailbreaking because they're security holes through which Something Bad could go to Do Something Bad.
Apple absolutely does care what you do with the iPhone. That's why they've updated the ROM in newer 3Gs models to prevent jailbreaking.
If Apple was okay with jailbreaking, and just interested in closing security holes, they would work on those holes, rather than on preventing jailbreaking altogether. (In fact, that's exactly what Palm does do. One of the first methods to install apps on a Pre was to e-mail yourself a link to an application. Palm (rightfully) closed that hole, but left intact the ability to root a Pre.)
And I agree with stillpixel. I wouldn't be shocked if Apple themselves had a hand in this.
Thinking that Apple somehow had a hand in creating this "worm" for jailbroken iPhones is not only considerably misguided (and unfounded), it's utterly moronic.
I didn't say I believe that Apple had a hand in it. I said I wouldn't be shocked if they did. They've got a vested interest in keeping people from jailbreaking, and this kind of thing (especially because it's relatively innocuous) fits the bill.
is alpine.
music lover since 1969