7179952
story
Comments: 135 +- IT: First Malicious iPhone Worm In the Wild on Saturday November 21, @03:37PM
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
background: url(//a.fsdn.com/sd/topics/topicworms.gif); width:69px; height:37px;
worms
background: url(//a.fsdn.com/sd/topics/topiccellphone.gif); width:75px; height:74px;
cellphones
background: url(//a.fsdn.com/sd/topics/topicapple.gif); width:52px; height:64px;
apple
An anonymous reader writes "After the ikee worm that displayed a picture of Rick Astley on jailbroken iPhones, the first malicious iPhone worm (Google translation; original, in Dutch) has now been discovered in the wild. Internet provider XS4ALL in the Netherlands encountered several of such devices (link in Dutch) on the wireless networks of their customers and put out a warning. After obtaining a copy of the malware it was discovered that the jailbroken phones, which are exploited through openSSH with a default password, scan IP ranges of mobile internet providers for other vulnerable iPhones, phone home to a C&C botnet server, are able to update themselves with additional malware and have the ability to dump the SMS database as well. Owners of a jailbroken iPhone with a default root password are advised to flash to the latest Apple firmware in order to ensure no malware is present."
Related Stories
Submission: First malicious iphone worm in the wild by Anonymous Coward
Mobile: Security Firms Can't Protect iPhone From Threats 137 comments
One of the pleasures of reading old letters is the knowledge that they
need no answer.
-- George Gordon, Lord Byron
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.
hmmm. passwd (Score:4, Insightful)
how about changing the default password............
Why is there a default password at all? (Score:2)
Jeez. People knew that was a bad idea decades ago.
Re: (Score:2)
Yeah, and I don't get why the executable used for jail-breaking an iPhone couldn't either
a) Prompt the user to choose a root password, or
b) Generate a (random) root password for each install.
I mean seriously, what is the idea behind having a default root password?
Re: (Score:3, Insightful)
The default install doesn't come with OpenSSH anyway. If you deliberately install OpenSSH (to access your stuff using WiFi, which is why most people do) and fail to change your password (which should be blatantly obvious, since it's what you'll be using to access the phone over WiFi), well, shame on you. If you can't deduce that anyone can access your phone remotely just as well as you can, you shouldn't be doing these things.
Really, a good part of the blame is probably on tutorials and guides out there tha
Re: (Score:2)
Of course that is one of the many reasons why apple is so anal about what apps can be do and which api's they can use.
if i put on the tinfoil I would bet that apple themselves engineered the virus to spread through only jail broken phones to prove just how dangerous jail breaking is.
Re: (Score:2)
The purpose of suggesting that anyone with the default password reflash their iphones is that they might already be infected, making changing the password at this point pointless.
Of course changing the default password is something that should always be done.
Excessive? (Score:5, Insightful)
Owners of a jailbroken iPhone with a default root password are advised to flash to the latest Apple firmware in order to ensure no malware is present.
That seems a bit excessive when a simple one-time usage of the included "passwd" utility will suffice. Srsly though, jailbreaking utilities should be pestering users to change their password from the default because this is only scaring less-knowledgeable folk into thinking Jailbreak == viruses
Re:Excessive? (Score:4, Insightful)
Parent
Re: (Score:2)
If you're jailbreaking next time you upgrade the issue will solve itself since you flash a new image on the phone. But my guess is these are clueless people who had their phone unlocked and jailbroken by a friend back in the (1.3) days when openssh was automatically installed when jailbreaking and the included passwd utility was broken so people couldn't change the password.
Re:Excessive? (Score:4, Insightful)
Isn't it also interesting that the fix is to, basically, un-jailbreak as soon as possible. If I were more of a conspiracy theorist, I would think Apple might have an interest in showing just how "bad" jailbreaking can be. Apple: See, if you jailbreak, you'll get a special phone worm!
Parent
Re: (Score:3, Funny)
WORMS? IN MY APPLE?!?!?!?
actually, that seems somehow fitting...
Re: (Score:2)
Wrong. The fix is to, basically, reinstall the OS. Jailbroken or not. Jailbreak != OpenSSH preinstalled. People claiming this hole is somehow the result of jailbreaks are either clueless or anti-jailbreak. Jailbreaking is the enabler, but the real problem are clueless users who install (or are instructed to install) OpenSSH and do not change the default passwords.
Re: (Score:2)
Unless... (Score:2)
Unless of course the author of a particular jailbreak utility WANTS to compromise the target units.
Re: (Score:2)
That seems a bit excessive when a simple one-time usage of the included "passwd" utility will suffice. Srsly though, jailbreaking utilities should be pestering users to change their password from the default because this is only scaring less-knowledgeable folk into thinking Jailbreak == viruses
Honestly, if the people reading it don't realize it is obsessive, they probably shouldn't have jailbroke their phones in the first place. When you hack something on a public controlled network, you best not be mindless. This message hits exactly the people who should return to the standard firmware and nor more.
Re: (Score:2)
Re: (Score:2)
No. If people don't realize that reflashing their iphones is the proper thing to do at this point then they are the ones that should not be jailbreaking their iphones. The purpose of the reflash is to ensure that the phone will no longer be infected, which it may or may not have been before hand. Changing the password after the fact will not magically un-infect them.
Honestly though, if people didn't change the default password to begin with then they really should not be jailbreaking their iphones.
Oh, an
Re:Excessive? (Score:4, Insightful)
,
Parent
Re: (Score:3, Interesting)
No reason ordinary folk shouldn't be allowed to enjoy the benefits of an un-crippled, unrestricted phone.
It's these same people who don't care if their Windows machine is full of viruses from opening their firewall since it was "inconvenient." With these people, a botnet of iPhones is just a matter of time.
Re:Excessive? (Score:5, Insightful)
No reason ordinary folk shouldn't be allowed to enjoy the benefits of an un-crippled, unrestricted phone.
If having an unrestricted device is so important to them, why buy an iPhone at all ?
Every other smartphone lets you use the network provider you want, or install the apps you want from anywhere.
Parent
There's an app for that! (Score:5, Funny)
In other news, idiot users get hacked (Score:3, Informative)
Wederom zijn het alleen gebruikers van een gejailbreakte iPhone of iPod Touch die risico lopen.
Translation: Again are the only users of an iPhone or iPod Touch gejailbreakte at risk.
In summary, if you jailbreak your phone, install apps to make your phone a server, and don't take steps to secure it, you are an idiot and deserve whatever happens.
Why a default password? (Score:5, Insightful)
why is SSH being installed with a default password left in place? Talk about asking for trouble.
Re:Why a default password? (Score:5, Insightful)
Parent
Re: (Score:2)
Re: (Score:3, Informative)
Not the first (Score:2)
I have to take exception to the claim this is the FIRST malicious iPhone worm. After all, ikee inflicted Rick Astley on people - that probably gave folks nightmares.
Wait a second? (Score:4, Interesting)
>to the latest Apple firmware in order to ensure no malware is present."
If they flash to the latest apple firmware, will they be able to
Most importantly - will they be able to jailbreak the device after the update?
I see a future where Apple, the RIAA, and others might wish to write worms to help prevent people from hacking their devices or brick devices that have been "hacked".
Re:Wait a second? (Score:5, Informative)
Parent
Re: (Score:2)
I can do 2 and 3 right now on my un-jailbroken iPhone.
I'm also quite happy with O2, although now the exclusivity has expired in the UK, I can switch to Orange if I really want.
SIM lock (Score:2)
1. Use the network of their choice
Good question !
Is the iPhone sold by AT&T SIM-Locked ?
Or is only the iPhone OS testing on which network it is connected ?
That's an important distinction :
- In the former case, the restriction of choice is done by the actual GSM/UTMS chip it self.
Enabling the user to run the software of his/her choice doesn't change a thing. To unlock the phone a special command has to be sent to the chip to allow it to use another SIM card with a different identification number.
- In the later case a jail breaked phone c
Re: (Score:2)
The former. These days, jailbreaking is a prerequisite to sim-unlock (because you need to access the software to talk dirty to the GSM chipset, a.k.a. baseband). You may or may not be able to unlock the phone once you're jailbroken, especially if you've applied an Apple update that updates the GSM chipset to close holes. For example, AFAIR, the iPhone 3GS can be thoroughly pwned as far as software goes after any update (ROM bootloader bugs), but updating the baseband will lock you out of unlocks until new e
Re: (Score:2)
So you're telling me that in the future, Apple could possibly have the strong desire to write a worm for iPhones? You're like the prophet of uncertainty.
Re: (Score:2)
iPhone can play mp3 files no matter where they are purchased from - no DRM, and in fact most of the music sold on the iTunes store is DRM free now.
Skype has been available in the App Store for quite some time
Nope, still wrong, AT&T allows skype on 3G (Score:3, Informative)
You can use Skype/VOIP over the AT&T 3G network now [tmcnet.com]
Abstraction (Score:5, Insightful)
It seem plain clear to us that having a common, default admin passwords in all the jailbroken devices is a very bad policy, but how many times we could had fell in a similar situation were are us who don't understand fully what we are using i.e. in other areas?
To make things worse, we complain a lot about products that takes the "safest" choice for us, not giving enough control/customization to the final (knowing enough?) user, making those impopular and so not taken even by the people that don't know (or don't want to know).
Re: (Score:2)
Common, default admin passwords are present on all phones, jailbroken or not (it's just that they're basically useless with Apple's firmware). Jailbreaking it doesn't make you any more vulnerable, that only happens after you (manually) install OpenSSH. If anything, the OpenSSH package should force users to change their passwords (or refuse to work otherwise), but jailbreaking itself has nothing to do with this. People appear to be equating jailbreaking with having OpenSSH installed, which is entirely untrue
Whis is behind this? (Score:2)
Re: (Score:2)
How is this going to get made Apple's fault? (Score:3, Insightful)
So Apple has been working hard to keep jailbreaking down to a minimum. Now it is discovered that some jailbroken phones with jailbroken apps have security issues.
How is someone going to now turn this around and blame Apple?
HOWTO: Putting the blame on Apple (Score:2)
How is someone going to now turn this around and blame Apple?
Well it's easy :
It's all Apple's fault. If they did provide absolutely all feature that every single user wanted, even including the weird hacking geeks, people won't be needing to jailbreak their phone in the first place.
Therefore : Let's blame Apple !
Re: (Score:2)
Actually true. If they hadn't locked down the iPhone, there would be no need for jailbreaking. If the iPhone had an open but secure OS all of this wouldn't happen.
Me, I'm still waiting for news about how open or locked down the various Android implementations are.
More seriously (Score:2)
... :
In a more serious way
If you look, there's a gradation of phone un-locking.
With iPhone at one range of the spectrum : people have to circumvent Apple's limitation to be able to do what they want with the phone. You can't even do some pretty much basic stuff like tethering - I find this particularly asinine. I've been doing that for years (almost a decade) with my antique Ericsson T39. Since IrDA/Bluetooth and GPRS have been existing, people have been doing it, but on what's supposed to be the latest bas
Published passwords == bad. It's that simple. (Score:2)
if you run with a default password, for root or otherwise, you have effectively published that account's password.
What is bound to happen after you have published your password is left as an exercise to the eader.
Re: (Score:2)
You should not be so quick to dismiss the benefits to known default passwords. Once I had to install an application targeting an Oracle database, but when I got there none of the techs present were Oracle administrators. Luckily, the people who had set up the database hadn't bothered with changing defaults, so I was able to do the install via the SYSTEM user. Didn't check if they also had default on DBA (or was it called SYSDBA?) since that default password is too long to bother with.
Re: (Score:2)
And http://www.defaultpassword.com/?action=dpl&char=d [defaultpassword.com] confirms my hazy memory of the DEC field circus' User: field pass: service - which is good for a few stories in itself, of on-sites changing the password to 'circu
What, a worm on a platform with no market share? (Score:2, Interesting)
Doesn't this (finally) put to bed the notion that there are virtually no worms or viruses for Mac OS X simply because hackers don't want to waste their time on a platform with so little market share? The platform targeted by the hackers in this case -- jailbroken iphones running a particular service -- is a fraction of the installed base of Mac OS X computers. It seems that hackers (naturally) select their targets primarily based on ease of exploit -- jailbroken iphones with SSH installed with a default pas
Jailbreaking and Unlocking - they're different (Score:3, Interesting)
Being only able to buy the iPhone here in the US as a carrier-locked phone - that's wrong and sucks. But sadly that's the rule here because of the deal Apple has with AT&T. May it expire soon, even though the only other national GSM carrier is T-Mobile and they have an even smaller footprint. It'd be nice to take an iPhone out of the country and get a local SIM without having to use your AT&T account.
Of course, that carrier lock is also why the iPhone costs $200 instead of about $600 or so - the carrier subsidy that AT&T pays Apple for it keeps you from having to pay all the money up front.
Jailbreaking, though, is a different story. Anyone who wants to jailbreak their iPhone should feel free to do so and run whatever they want. But if you go to the trouble to bypass Apple's application security model you get what you get. Not Apple's fault.
But things like this worm make me understand that much more why Apple works to plug the holes that jailbreak tools keep exploiting. We may not all like that we're restricted to getting apps from the App Store, but on the other hand the iPhone isn't sold as a tool for personal freedom. It's sold as a phone that runs apps that you get from Apple. Period.
There's other phones that are marketed as "freedom phones". If people want that above all else, they should buy a phone with the appropriate OS and not an iPhone.
Ultimately, I hope Apple opens up the App Store further and simply reviews apps to answer just a couple of questions:
1 - Does the app do anything that expressly isn't allowed by carrier contracts?
2 - Does it break the published development rules?
If it doesn't, then it ought to be published, period. For instance, now that AT&T stated that VoIP would now be allowed on their network, all the Google Voice apps and Skype should immediately be approved and put out for 3G usage. Because those apps don't break guidelines and are now allowed by the carrier.
But even if they eliminated all restrictions short of that, the App Store will never be the free market that jailbreakers want to have. So get another phone. I hear you can run anything you want on Windows Mobile.
(why you'd want to may be another story...)
Re:ROFL (Score:4, Insightful)
Odd, the story called it a WORM.. which it is.
Parent
Re: (Score:3, Insightful)
gejailbreakte
I love it.
Sadly, the language is full of these sort of things nowadays... give it another decade and Dutch will be fully understandable for people who speak English.