First Malicious iPhone Worm In the Wild
An anonymous reader writes "After the ikee worm that displayed a picture of Rick Astley on jailbroken iPhones, the first malicious iPhone worm (Google translation; original, in Dutch) has now been discovered in the wild. Internet provider XS4ALL in the Netherlands encountered several such devices (link in Dutch) on the wireless networks of their customers and put out a warning. After obtaining a copy of the malware it was discovered that the jailbroken phones, which are exploited through OpenSSH with a default password, scan IP ranges of mobile internet providers for other vulnerable iPhones, phone home to a C&C botnet server, are able to update themselves with additional malware and have the ability to dump the SMS database as well. Owners of a jailbroken iPhone with a default root password are advised to flash to the latest Apple firmware in order to ensure no malware is present."
PEBKAC.
Morons who don't know what the fuck they're doing still continue doing it.
News at 11.
how about changing the default password............
Owners of a jailbroken iPhone with a default root password are advised to flash to the latest Apple firmware in order to ensure no malware is present.
That seems a bit excessive when a simple one-time usage of the included "passwd" utility will suffice. Srsly though, jailbreaking utilities should be pestering users to change their password from the default, because this is only scaring less-knowledgeable folk into thinking Jailbreak == viruses.
Finally! Now I can tell my friends that my iPhone can run all the stuff my desktop can!
SSC
Again, only users of a jailbroken ("gejailbreakte") iPhone or iPod Touch are at risk.
Translation: Again are the only users of an iPhone or iPod Touch gejailbreakte at risk.
In summary, if you jailbreak your phone, install apps to make your phone a server, and don't take steps to secure it, you are an idiot and deserve whatever happens.
Why is SSH being installed with a default password left in place? Talk about asking for trouble.
Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
Odd, the story called it a WORM... which it is.
---- Booth was a patriot ----
gejailbreakte
I love it.
So the only phones at risk are the jailbroken (jailbreaked?) ones?
You'd think the thing to do would be to incorporate a password-changing tool into the jailbreaking tools somehow, so users have to select something other than the default one.
I have to take exception to the claim this is the FIRST malicious iPhone worm. After all, ikee inflicted Rick Astley on people - that probably gave folks nightmares.
#DeleteChrome
I think this is really the effect of smoking and using the iPhone at the same time. Apple should have these people arrested. And sent to Alcatraz, which Steve Jobs recently bought, btw.
It implies rickrolling isn't malicious.
>to the latest Apple firmware in order to ensure no malware is present."
If they flash to the latest Apple firmware, will they be able to
Most importantly - will they be able to jailbreak the device after the update?
I see a future where Apple, the RIAA, and others might wish to write worms to help prevent people from hacking their devices or brick devices that have been "hacked".
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
You just do this and that happens. As in "you run this and your phone gets even more awesome" or "you'll shut down your firewall and be able to get movies on your PC" or things like that. But you don't have to understand what you are really doing, or all that it implies. People are getting powerful things, and, like children, are irresponsible about what could happen because of their actions, because they don't understand them.
It seems plain to us that having a common default admin password on all jailbroken devices is a very bad policy, but how many times could we have fallen into a similar situation where it is we who don't fully understand what we are using, e.g. in other areas?
To make things worse, we complain a lot about products that take the "safest" choice for us, not giving enough control/customization to the final (knowledgeable enough?) user, making them unpopular and so not adopted even by the people who don't know (or don't want to know).
Die Hard with a Vengeance comes to mind.
Jeez. People knew that was a bad idea decades ago.
Unless of course the author of a particular jailbreak utility WANTS to compromise the target units.
Apple? Hmm big corp don't like customer freedom.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
So Apple has been working hard to keep jailbreaking down to a minimum. Now it is discovered that some jailbroken phones with jailbroken apps have security issues.
How is someone going to now turn this around and blame Apple?
Being rickrolled is not malicious. It's a privilege.
Publishing your password on the net (which is roughly equivalent to what these lusers have done) borders on criminal negligence. I've ranted about this before (and yes, it was /.ed), and the conclusion remains the same:
if you run with a default password, for root or otherwise, you have effectively published that account's password.
What is bound to happen after you have published your password is left as an exercise to the reader.
-- That grumpy BSD guy - http://bsdly.blogspot.com/
Google reader was showing an ad titled "Make your iPhone a little more exciting" with this article. Very exciting indeed!
1. Use the network of their choice
Good question !
Is the iPhone sold by AT&T SIM-Locked ?
Or is only the iPhone OS testing on which network it is connected ?
That's an important distinction:
- In the former case, the restriction of choice is done by the actual GSM/UMTS chip itself.
Enabling the user to run the software of his/her choice doesn't change a thing. To unlock the phone a special command has to be sent to the chip to allow it to use another SIM card with a different identification number.
- In the latter case a jailbroken phone could simply be instructed to bypass the check.
As an example, Android "Google"-Phones may use SIM-lock (depending on the plan, etc.)
In which case you can install pretty much everything you want on the phone (especially with Android being open-source, etc.)
But you're still required to use the same SIM card - the GSM chip is linked to a specific range of IMSI and will refuse to work with any others.
But I have no idea about iPhones.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
How is someone going to now turn this around and blame Apple?
Well, it's easy:
It's all Apple's fault. If they provided absolutely every feature that every single user wanted, even including the weird hacking geeks, people wouldn't need to jailbreak their phone in the first place.
Therefore: let's blame Apple!
It's like the guy who wants to start a bank, who always leaves the doors to the building in the default position (unlocked), and leaves the money vault's combination set to the default "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16", which is printed on a sticker at the top of the lock that he didn't bother to remove: "Default combination: ..
Doesn't this (finally) put to bed the notion that there are virtually no worms or viruses for Mac OS X simply because hackers don't want to waste their time on a platform with so little market share? The platform targeted by the hackers in this case -- jailbroken iPhones running a particular service -- is a fraction of the installed base of Mac OS X computers. It seems that hackers (naturally) select their targets more on ease of exploit -- jailbroken iPhones with SSH installed with a default password, for instance, or Microsoft Windows -- than on market share, since any of these platforms still provides tens of millions of potential targets.
I think it's also important to note that the security of Mac OS X extends to the iPhone as well; hackers are apparently unable to successfully compromise the much larger installed base of iPhones, having to content themselves with the much smaller population that has been jailbroken (read, "security compromised").
...
In a more serious way:
If you look, there's a gradation of phone unlocking.
With iPhone at one end of the spectrum: people have to circumvent Apple's limitations to be able to do what they want with the phone. You can't even do some pretty basic stuff like tethering - I find this particularly asinine. I've been doing that for years (almost a decade) with my antique Ericsson T39. Since IrDA/Bluetooth and GPRS have existed, people have been doing it, but on what's supposed to be the latest and best smartphone you can't do it? WTF?!?
In the middle of the range you've got Android: not much firmware flashing, because most end-users get all the features they want. The only reason to flash your phone is if your phone maker lags in releasing firmware updates, and some will block you from installing all the applications you want - restricting you to app stores only. Thankfully the majority of Androids out there do what their users want them to do.
At the other end you have things like Windows Phone and the various incarnations of Palm (PalmOS, WebOS, etc.) - an SDK for developing is pretty much standard on these platforms and you can run pretty much anything on them. No need to flash.
The popularity of iPhone jailbreaking simply stems from Apple's tendency to be control freaks and wanting 100% control over the whole "Apple experience".
It's understandable from a marketing point of view, but that's not what users want. But it doesn't matter, as there are other, more open alternatives to pick from.
Honestly, these headlines of recent need to include the word 'jailbroken' - then I wouldn't have to read them. Really, who cares? If you're jailbreaking your iPhone , man up and secure it. It's no different than any other computing device.
Civilization, the death of dreams.
What I don't see is why, upon installation of OpenSSH, it wouldn't be easy enough to force the user to change the password. Why don't they just have a simple check within OpenSSH so that if the password is the default upon the first login it forces the user to change the password?
Seriously misleading. Next headline: "Toyota Prius prone to nuclear explosion". ... if you remove the engine, put your homebrew uranium fuel rods in it, and forget to read the owner's manual about needing proper coolant.
don't panic-- clowns can smell fear.
One reason why people might still be using the original password, and why this is all a hassle, is that the normal UNIX passwd program cannot be used on the iPhone.
I believe one needs to manually edit a file called /etc/master.passwd
Booth stopped rotting a long time ago. As such he no longer stinks. Not stinking is hardly enough to be called a patriot. I can think of nothing else to recommend him.
NO NO NO... the title for the article should read "First malicious worm for JAILBROKEN iPhones in the wild" because that is the only way to get it and lazy readers will just start running for the hills claiming how insecure the iPhone is.
And by lazy readers I mean tech journalists.
You can use Skype/VOIP over the AT&T 3G network now
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It gives the impression you (the customer) are doing something wrong (breaking out of jail). Call it "removing the DRM". Personally, I don't know why anyone would want to buy a DRM-crippled device for hundreds of dollars and be beholden to 2 mega corporations dictating what you can and can't do with it. But I'll defend to the death the right of the public to do what they please with what they buy (own). F*** corporate rights!
Science : Proprietary , Knowledge : Open Source
People need to change their password, instead of using a default (known) password.
Maybe Cydia should prompt for a new password when installing sshd and make sure root is disabled on sshd?
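The two comments above (force a password change when the default is still in place at install time, and keep root out of sshd) both come down to an install-time check. The script below is an added example, not code from the thread, from Cydia or from OpenSSH: it audits an `sshd_config` for the effective `PermitRootLogin` value and prints the hardened line an installer could append. The sample config files are constructed for illustration; the assumption that a missing `PermitRootLogin` keyword means "yes" reflects the permissive historic OpenSSH default of that era.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# root-login setting the comments above ask for, and print the hardened line.
# The sample configs written below are constructed for illustration.

# Print the effective PermitRootLogin value from the config file given as $1.
# sshd honours the first uncommented occurrence of a keyword; when the keyword
# is absent we assume the permissive historic default "yes".
effective_permit_root_login() {
  awk '
    /^[[:space:]]*#/ { next }                          # skip comment lines
    NF >= 2 && tolower($1) == "permitrootlogin" && !seen {
      val = tolower($2); seen = 1                       # first occurrence wins
    }
    END { if (!seen) val = "yes"; print val }
  ' "$1"
}

# Return 0 (true) when root is still reachable over SSH with a password.
root_password_login_allowed() {
  case "$(effective_permit_root_login "$1")" in
    no|without-password|prohibit-password|forced-commands-only) return 1 ;;
    *) return 0 ;;
  esac
}

# Hardened line a package post-install step could append to sshd_config.
# (Assumed approach; the thread does not describe how Cydia installs sshd.)
hardened_fragment() {
  cat <<'EOF'
PermitRootLogin no
EOF
}

# Constructed sample: the kind of config the thread complains about.
write_weak_config() {
  cat > "$1" <<'EOF'
# sshd_config as shipped: root may log in with the shared default password
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Constructed sample: root disabled; the later duplicate keyword is ignored
# by sshd because only the first occurrence counts.
write_hardened_config() {
  cat > "$1" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication yes
# ignored by sshd: first occurrence above wins
PermitRootLogin yes
EOF
}

# Stand-alone run: ./audit_sshd.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp_weak=$(mktemp); tmp_hard=$(mktemp)
  write_weak_config "$tmp_weak"; write_hardened_config "$tmp_hard"
  for f in "$tmp_weak" "$tmp_hard"; do
    if root_password_login_allowed "$f"; then
      echo "$f: root login over SSH is ENABLED; append the following:"
      hardened_fragment
    else
      echo "$f: root login over SSH is disabled"
    fi
  done
  rm -f "$tmp_weak" "$tmp_hard"
fi
```

Disabling root in sshd does not by itself fix the shared default password on the non-root account; the audit only covers the root half of the advice, and the password change for every account still has to happen at install time.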
This should affect a minority of jailbroken phones (because if you are going to jailbreak you probably know enough to change the password), and since jailbroken phones are already less than 25 percent of iPhones, how is this even news? That has to be an extremely small number of possible targets. Not to mention the fact that every phone company already runs a firewall which prevents you from infecting anyone NOT using your telco's service.
I'm guessing with all these limiters, that less than a handful (a few hundred) phones world wide will ever be infected?
I think it's also important to note that the security of Mac OS X extends to the iPhone as well; hackers are apparently unable to successfully compromise the much larger installed base of iPhones, having to content themselves with the much smaller population that has been jailbroken (read, "security compromised").
Obviously you do not remember how the early firmwares were jailbroken.
All you had to do was visit a website.
Except, everyone loves it when there's a new exploit discovered for the iPhone, and pretends not to recognize how that could easily have been used to spread a malicious worm instead.
Well, my personal opinion is that OS X doesn't get as much malware because its security model is better than Windows' in at least one crucial way: it has the Unix concept of the executable bit, which turns the system from "default allow" to "default deny" and so locks out a huge number of traditional Windows vectors (the auto-executing email attachment, the auto-executing drive-by download, the auto-executing IM attachment, etc., etc.) in one fell swoop. As others have said, "default allow" is the dumbest idea in the history of computer security.
But as for people putting in their time, well, I don't know if you noticed but if you come up with a crack for something produced by Apple you'll end up with 5.75x10^600 pageviews from the resulting press coverage (see: pwn2own, which has basically become a luck of the draw contest -- if you get to go first, you win because you're sitting on a canned exploit you kept secret solely for the contest). And certain types of people love that sort of attention.
Too many people say "password" like there's only one; which was to be expected on Youtube, but not from the pros (?) at security.nl. All your personal data is still vulnerable if you don't change the password of the default user ("mobile") besides root's. The instructions at Cydia do include such a step.
I don't recall a big fat warning on installing OpenSSH however, and didn't get one on reinstall either. Instead, I do remember taking my sweet time to install MobileTerminal and set new passwords, out of laziness... *blush* I can perfectly understand how a non-techie would never get around to it.
A terminal is a dark, scary thing, and a first encounter in such a limited device must be, well, like a shell bomb. You can simply follow a short recipe, sure, but that requires reading and not having a short attention span... so of course most people will end up in Youtube and with one password still in default... if not both.
So yeah, keep it simple dummy... have the install script ask for both passwords, and save the world from more Rick & Rolling.
Being only able to buy the iPhone here in the US as a carrier-locked phone - that's wrong and sucks. But sadly that's the rule here because of the deal Apple has with AT&T. May it expire soon, even though the only other national GSM carrier is T-Mobile and they have an even smaller footprint. It'd be nice to take an iPhone out of the country and get a local SIM without having to use your AT&T account.
Of course, that carrier lock is also why the iPhone costs $200 instead of about $600 or so - the carrier subsidy that AT&T pays Apple for it keeps you from having to pay all the money up front.
Jailbreaking, though, is a different story. Anyone who wants to jailbreak their iPhone should feel free to do so and run whatever they want. But if you go to the trouble to bypass Apple's application security model you get what you get. Not Apple's fault.
But things like this worm make me understand that much more why Apple works to plug the holes that jailbreak tools keep exploiting. We may not all like that we're restricted to getting apps from the App Store, but on the other hand the iPhone isn't sold as a tool for personal freedom. It's sold as a phone that runs apps that you get from Apple. Period.
There are other phones that are marketed as "freedom phones". If people want that above all else, they should buy a phone with the appropriate OS and not an iPhone.
Ultimately, I hope Apple opens up the App Store further and simply reviews apps to answer just a couple of questions:
1 - Does the app do anything that expressly isn't allowed by carrier contracts?
2 - Does it break the published development rules?
If it doesn't, then it ought to be published, period. For instance, now that AT&T has stated that VoIP will be allowed on their network, all the Google Voice apps and Skype should immediately be approved and put out for 3G usage. Because those apps don't break guidelines and are now allowed by the carrier.
But even if they eliminated all restrictions short of that, the App Store will never be the free market that jailbreakers want to have. So get another phone. I hear you can run anything you want on Windows Mobile.
(why you'd want to may be another story...)
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Well, that's a fairly good code compared to the launch codes of the Minute Man nuclear missiles during the cold war:
http://www.cdi.org/blair/permissive-action-links.cfm
Me, I'm still waiting for news about how open or locked down the various Android implementations are.
The Google Dev phone (HTC Dream but Google-branded, not AT&T-branded) is, for example, completely unlocked.
There are countries (like Switzerland) where phones aren't directly subsidized by and sold exclusively by phone companies, but where subscribing to a data plan simply gives you a rebate to use while buying whichever phone you like.
In such a place the dev phone is definitely a good buy.
My brother got one in such a way.
The only official limitation with Android phones is that although the OS itself is open-source and freely available, there are various proprietary Google Apps (Google Maps, etc., the so-called "Google Experience") whose licenses don't allow redistribution.
That means, if you want to flash a completely new OS - like a community build of the latest Android - you need to back up your Google Apps to reinstall them after the flash.
That also means you don't get Google Applications on phones which didn't directly license Android from Google, but use their own build of the open-source OS:
Thus for OpenMoko or for various Asian Google-clones, you get Android and full phone functionality but no additional Google Apps.
A perfect example of why computers should not allow humans to specify the password. Instead it should be randomly generated at time of manufacture, and the only password change operation allowed should be "generate a new random password"
You know, the one where I can buy VOIP apps for the iPhone that work over 3G?
Well, technically you can't buy it since it's free. I had to include that disclaimer because in a desperate attempt to salvage some dignity I imagine you might try to further attack me on that point.
I guess you should have spent longer than ten seconds on Google and not tried to outwit someone who knows what the hell they are talking about. I guess you should not assume that Skype is the only VOIP app on the planet; I suppose that may well be a mistake many non-technical users would make. How embarrassing to be you!
So the iPhone is the hottest selling smartphone on the market and no users "want what it offers"... seriously.
"So the iPhone is the perfect device that every single user has ever dreamed of and nobody will ever need any additional functionality ever, but curiously a huge number of them still feel the urge to circumvent the restrictions?"
See, your reflection works both ways.
People are going to great lengths to pretend like there are vulnerabilities in the iPhone. This is a Darwin worm and not much else.
It is a worm where the security hole used is ssh ... being open and having a standard password on jailbroken phones. That hardly counts.
Also I'm pretty sure the present-day meaning of 'patriot' is willing to do whatever your government asks, case in point the Patriot Act.