iPhone Root Password Hacked in Three Days

Posted by Zonk
from the not-that-it-will-do-anybody-any-good dept.
unPlugged-2.0 writes "An Australian developer blog writes that the iPhone root password has already been cracked. The story outlines the procedure but doesn't give the actual password. According to the story: 'The information came from an official Apple iPhone restore image. The archive contains two .dmg disk images: a password encrypted system image and an unencrypted user image. By delving into the unencrypted image inquisitive hackers were able to discover that all iPhones ship with predefined passwords to the accounts 'mobile' and 'root', the last of which being the name of the privileged administration account on UNIX based systems.' Though interesting, it doesn't seem as though the password is good for anything. The article theorizes it may be left over from development work, or could have been included to create a 'false trail' for hackers."
  • Prediction... (Score:4, Insightful)

    by daveschroeder (516195) * on Tuesday July 03, 2007 @12:04PM (#19732561)
    This will get picked up by blogs, news sites - and, if we're lucky, given a good mangling by sloppy journalists in the mainstream press - as somehow meaning that any iPhone can be "broken into" by a malicious third party, and/or that all iPhones are now "insecure", and/or that iPhones - and all the personal data on them - are now, because of this, vulnerable to remote attack, when none of those things are true.

    Also, from TFA and the summary:

    "Having the passwords will not do anybody any good for the moment. The iPhone has no console or terminal access, so there is no way to log in as either account. In fact, nobody even seems certain that the accounts access the machine at all, some Internet commentators suggesting that the password file was left over from early development work, or was intentionally included to throw hackers off the scent."

    These kinds of idiotic replies to the blog post are telling:

    Poetic Justice - 04/07/07
    So much for Apple being the most secure OS in the world. Welcome to Microsoft's world, Jobs.


    Wow, cracking a local password on a file that belongs to a device to which you have physical access?

    Stop the presses!

    Since iPhones don't have any kind of access that makes this "discovery" meaningful, I'm sure that people will just misunderstand the implications of this, and because of the iPhone's popularity - and a lot of people's desire to tear it down or create any FUD they can to dissuade interested people from possibly buying an iPhone - I'm sure this and related stories will be big news.
    • Re: (Score:3, Interesting)

      by Aladrin (926209)
      "dissuade interested people from possibly buying an iPhone"

      What? This wouldn't have that effect at all. It would have the -opposite- effect. Those who had not planned to purchase may think they could mod it like a ps2 and poof, instant super-phone.

      Yes, we aren't quite there... But I have little doubt we'll get there pretty quickly.

      Now if they manage to unlock it -and- provide access to run any app I compile, I would be very interested.
      • Re:Prediction... (Score:5, Insightful)

        by daveschroeder (516195) * on Tuesday July 03, 2007 @12:10PM (#19732651)
        Assuming the iPhone is hacked to the point where it's easily modifiable, yes, it will have the opposite effect in the extremely small niche market.

        In the mainstream, this can easily get spun as the iPhone is extremely insecure, and has been "broken into", causing normal people to steer very clear.
        • by untaken_name (660789) on Tuesday July 03, 2007 @12:29PM (#19732897) Homepage
          Assuming the iPhone is hacked to the point where it's easily modifiable, yes, it will have the opposite effect in the extremely small niche market.

          In the mainstream, this can easily get spun as the iPhone is extremely insecure, and has been "broken into", causing normal people to steer very clear.


          Doesn't the price tag already do that?
          • by galimore (461274)
            Apparently not, since I bought 2. ;)

          • Ummmm..... (Score:4, Insightful)

            by HeavyDevelopment (1117531) on Tuesday July 03, 2007 @03:39PM (#19735421)
            When you have spent $350 on an iPod, $2500 on a MacBook Pro and $3500 on a Mac Pro--$500 to $600 on an iPhone is peanuts. Yummmm.....that Kool aid sure tastes good!!!
        • Re: (Score:3, Insightful)

          by SeaFox (739806)

          In the mainstream, this can easily get spun as the iPhone is extremely insecure, and has been "broken into", causing normal people to steer very clear.

          It's common knowledge Windows is extremely insecure, yet I don't see people steering clear of it.
    • Re: (Score:3, Interesting)

      IIRC, if the iPhone uses NetInfo like MacOS X does on Macs, that password might be useful only in single user mode.
      • Re: (Score:2, Informative)

        by owsla (78381)
        Indeed, NetInfo is probably in place since the complete /etc/passwd has a comment suggesting such at the top:

        # User Database
        # Note that this file is consulted when the system is running in single-user
        # mode. At other times this information is handled by lookupd. By default,
        # lookupd gets information from NetInfo, so this file will not be consulted
        # unless you have changed lookupd's configuration.
        nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
        root:XUU7aqfpey51o:0:0::0:0:System Administrator
        • by hatchet (528688)
          >john-mmx iphone.pwd
          Loaded 2 password hashes with 2 different salts (Traditional DES [64/64 BS MMX])

          alpine (mobile)
          dottie (root)
          guesses: 2 time: 0:00:00:31 (3) c/s: 685650 trying: dewMso - dotty1

          The mobile password was gotten instantly (in the first second);
          30 secs using John the Ripper with no special word files or anything.

          http://www.openwall.com/john/ [openwall.com]
    • by Anonymous Coward
      we read a story about a password to a user account on a phone and don't find that odd at all...
    • by Dahamma (304068) on Tuesday July 03, 2007 @12:27PM (#19732871)
      Since iPhones don't have any kind of access that makes this "discovery" meaningful

      That pretty much sums up how useless this article was.

      By the way, if anyone wants it, you can have the combination to my luggage.
      • by m0nkyman (7101) on Tuesday July 03, 2007 @12:40PM (#19733041) Homepage Journal
        If it isn't one of the following I'd be shocked:
        123 000 999 666

        Those four will open 99% of all luggage in the world that doesn't contain a laptop, cash or a gun.
        • Re: (Score:2, Funny)

          Guess I better change my ATM PIN.
        • Re: (Score:3, Funny)

          by dave562 (969951)
          Those four will open 99% of all luggage in the world that doesn't contain a laptop, cash or a gun.

          And 23% of those that do? And 69% of those that contain two of the three? And what percent of statistics are complete bullshit again?

          • Re: (Score:3, Insightful)

            by m0nkyman (7101)
            And what percent of statistics are complete bullshit again?

            100% would be my guess, provided we're dealing with the specific subset of 'statistics used during discussions on online forums'.
        • by Anonymous Coward on Tuesday July 03, 2007 @05:13PM (#19736601)
          Those four will open 99% of all luggage in the world that doesn't contain a laptop, cash or a gun.

          I don't get it. What world doesn't contain a laptop, cash, or a gun, and yet has luggage?

    • "and a lot of peoples' desire to tear it down or create any FUD they can to dissuade interested people from possibly buying an iPhone "

      From what I've seen, it's less about dissuading people to buy phones and more about illustrating the hypocrisy. Take any fanboy debate (Sony vs. Nintendo, Star Wars vs. Star Trek, Garbage Pail Kids vs. Baseball cards) and you'll generally find that the behaviour is the same on BOTH sides. You'll praise things that one side does that you'll chastise the other for. Do this
  • Whoo-hoo (Score:5, Funny)

    by gtrubetskoy (734033) * on Tuesday July 03, 2007 @12:05PM (#19732575)
    Now we can make phone calls as root!
  • by Space cowboy (13680) * on Tuesday July 03, 2007 @12:05PM (#19732581) Journal
    If Apple consider it important (i.e., if there actually *is* a use for this, rather than just a false trail, or if they want to make people think that), all they need to do is update the values and/or system libraries in the next software update. They could even change the encryption *mechanism* to make it pretty-much un-brute-forceable if they wanted to. I doubt they need to do that though, just change it to a 31-character string with punctuation/digits etc.

    Whereas this *is* news (hell, I'd submit it!), I think a lot of people criticising the iPhone at the moment still haven't made the leap from "this is a phone. It does X,Y,Z" to "this is a fully-fledged computer, masquerading as a phone" - with all that that implies.

    Apple have said they intend to provide updates, changes, additions, etc. to the iPhone over time. They have a policy of supporting older computers with new OS releases, and I don't see why they wouldn't migrate this approach to their new market. It only *benefits* them if there are more used phones in circulation running OSX - even if it was a hand-me-down from the big-brother/sister who went and bought the new one...

    If this truly is the "third leg" of Apple's business, someone will get yelled at internally, and the next update will fix it. End of story.

    Simon.

    • by numbski (515011) *
      Now, understand something here - I don't own an iPhone.

      Now that we have that out of the way, if you have a unix system or device, and you have physical access to the system, don't know the root password, and we'll pretend for the moment that you can't drop it to single user mode, how do you get in?

      Usually? If it's a filesystem you can read, mount said filesystem on another box, change the passwd file, and update any shadow files/database files. Now, I would HOPE that apple didn't go porting the entire net
      • Re: (Score:3, Insightful)

        by Space cowboy (13680) *
        DMGs are encrypted with AES (at least I'm reasonably sure that's the case). The options on 'Disk Utility' when you select encryption are 'none', '128-bit', and '256-bit'. Given that they opted for an encrypted DMG in the first place, and that mounting this (and copying to flash) is not a common operation, I'd guess they went for the 256-bit key.

        If so, that's going to take a while to break [grin]. On Leopard (and I'm guessing Apple engineers will be using Leopard :-) there's an indication of how good the ch
        • by spotter (5662) on Tuesday July 03, 2007 @12:34PM (#19732957)
          you don't go after breaking the password, you go after finding where apple stored it. If it's encrypted, the iphone has to be able to decrypt it, therefore has to have the password available.

          see how the original xbox hacker (whose name I forget) captured its encryption key by "simply" (yeah, not that simple) monitoring the bus.
          • by numbski (515011) *
            That would make a jtag connector that much more useful one would think then....right?
          • by mhall119 (1035984)

            you don't go after breaking the password, you go after finding where apple stored it. If it's encrypted, the iphone has to be able to decrypt it, therefore has to have the password available.

            It doesn't usually work that way. Usually passwords are one-way encrypted (or hashed), meaning there is no way to decrypt them. What the OS does is take the password you supplied, encrypt it using the same method, then compare the encrypted string to the stored encryption string of the actual password. That way even the OS itself never needs to know what the actual password is, and it is never available anywhere as clear-text.
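            mhall119's point in working form, as an added example that is not code from the thread, the linked blog or Apple: the stored record holds only a salt and a one-way digest, verification re-derives the digest from the supplied password and compares the two, and the cleartext is never written anywhere. PBKDF2-SHA256 from Python's hashlib stands in for the 1970s DES crypt behind the quoted passwd entries; the record format, the iteration count and the function names are this example's own choices. The needs_rehash check is the kind of hook Space cowboy describes above for changing the mechanism in a later update without knowing anyone's password.

```python
"""Salted one-way password storage and verification (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

ALGO = "pbkdf2_sha256"   # record tag; this example's own format
ITERATIONS = 200_000     # work factor, raise over time
SALT_BYTES = 16          # 128-bit random salt per record


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    Only the salt and the digest are stored; the password itself is not.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False                     # malformed record never verifies
    if algo != ALGO:
        return False                     # unknown scheme: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if the record uses an older scheme or a lower work factor than current.

    A system can call this after a successful login and re-hash the password
    it was just given, upgrading storage without ever knowing other users'
    passwords.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    return int(parts[1]) < ITERATIONS


def salts_differ(password: str) -> bool:
    """Two records for the same password never match: the salt defeats
    precomputed tables and hides shared passwords across accounts."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed sample
    print(rec)
    print("right password:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("Correct horse battery staple", rec))
    print("needs rehash:", needs_rehash(rec))
```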

    • by Leto-II (1509) <slashdot,4,tobye&spamgourmet,com> on Tuesday July 03, 2007 @12:26PM (#19732867)

      I'd submit it!

      Is this like the geek equivalent of the frat-boy phrase, "I'd hit it!"?
    • by 0xdeadbeef (28836) on Tuesday July 03, 2007 @01:07PM (#19733403) Homepage Journal
      I think a lot of people criticising the iPhone at the moment still haven't made the leap from "this is a phone. It does X,Y,Z" to "this is a fully-fledged computer, masquerading as a phone" - with all that that implies.

      Then you understand nothing. The iPhone critics are thinking "this is a fully-fledged handheld computer, running the same operating system as my laptop, that has been intentionally crippled to protect the artificial market segmentation desired by AT&T and Apple."
    • by SuperBanana (662181) on Tuesday July 03, 2007 @01:18PM (#19733599)

      Apple have said they intend to provide updates, changes, additions, etc. to the iPhone over time. They have a policy of supporting older computers with new OS releases, and I don't see why they wouldn't migrate this approach to their new market.

      Except they don't do it for iPods. Each new "generation" of the iPod has run a different firmware *and* had different capabilities, like being able to search. The older iPods never got the functionality of the newer ones, ever. Clickwheel iPods can't "search", nor do they get the newer iPod games, etc. This is just like digital camera manufacturers, home network gear makers, etc. Very, very, very rarely do they take advantage of the firmware updates to increase functionality in any way. Why should they, when they can make you buy version N+1?

      Most of the time they update the iPod firmware only to give it compatibility with the latest iTunes, and these days, the only updates to iTunes are security fixes and bloat (the glorified pedometer, Apple TV, the iPhone, etc. Anyone else remember when you could sync contacts and appointments onto your iPod through iSync?) My second-gen nano (or Mini, or whatever the hell it's called these days) still crashes 50% of the time when I go to play a podcast after syncing it with my mac. I'm not holding my breath waiting for them to fix it.

      • by voidptr (609) on Tuesday July 03, 2007 @01:41PM (#19733891) Homepage Journal

        Except they don't do it for iPods. Each new "generation" of the iPod has run a different firmware *and* had different capabilities, like being able to search. The older iPods never got the functionality of the newer ones, ever. Clickwheel iPods can't "search", nor do they get the newer iPod games, etc. This is just like digital camera manufacturers, home network gear makers, etc. Very, very, very rarely do they take advantage of the firmware updates to increase functionality in any way. Why should they, when they can make you buy version N+1?

        Most iPods have radically different hardware than the previous generation too. In addition, there are some accounting rules that come into play with adding functions to something you already shipped and booked the revenue for. Once I've sold you a widget, if I spend any more engineering time to add something to it, I have to find revenue that pays for that somewhere. It's not a problem with OS X, because the $129 Leopard upgrade pays for the engineering in Leopard, not the revenue they already booked and reported when I bought the Mac in the first place.

        Apple stated on their last quarter conference call they're changing the way they book AppleTV and iPhone revenues to spread it out over 8 quarters, so they don't have that problem. Even though they get $600 today for an iPhone sold, they don't actually put the whole thing in the books right away as recognized revenue, they apply it over the next two years to ongoing engineering for existing units. Exactly what they'll do with that ability remains to be seen, but they've at least publicly stated their intent to improve the platform for early adopters.
    • by Marton (24416)
      I think a lot of people criticizing the iPhone at the moment still haven't made the leap from "this is a phone. It does X,Y,Z" to "this is a fully-fledged computer, masquerading as a phone" - with all that that implies

      No, too many people did. Like the valet that brought my car up when I was checking out from a hotel on Sunday. "Hey, you got the iPhone! Do you really think it will make laptops go away?"

      The iPhone is not the first convergence device, nor is it unique in any aspect. I don't know why people wou
  • Passwords (Score:3, Informative)

    by Anonymous Coward on Tuesday July 03, 2007 @12:07PM (#19732607)
    The password for root is "alpine"
    The "mobile" user account's password is "dottie"
  • by whisper_jeff (680366) on Tuesday July 03, 2007 @12:11PM (#19732673)
    ...or could have been included to create a 'false trail' for hackers."

    Or it was created to generate topics on Slashdot when it's discovered...
  • Root user... (Score:4, Insightful)

    by God of Lemmings (455435) on Tuesday July 03, 2007 @12:12PM (#19732683)
    Perhaps this would be somewhat alarming if there was a root user enabled in OS X to begin with.
  • Netinfo? (Score:5, Informative)

    by Anonymous Coward on Tuesday July 03, 2007 @12:16PM (#19732727)
    I know I'm just an AC - so this will get modded waaaaaay down, but:

    This isn't the password for the running account - you'd have to boot the phone into single-user mode. The running passwords would be stored in Netinfo.

    This is going to turn into a lot of FUD....
    • Re: (Score:2, Informative)

      by Anonymous Coward
      Here's a good description of how and where passwords are stored in OS X using netinfo

      http://www.dribin.org/dave/blog/archives/2006/04/28/os_x_passwords_2/ [dribin.org]

      ....seriously - this is an issue - but even if there was a terminal app right on the main screen of the darn phone - they still couldn't log in with it.

      ....THEY NEED TO GET INTO NETINFO!
  • by Itninja (937614) on Tuesday July 03, 2007 @12:17PM (#19732749) Homepage

    "...or could have been included to create a 'false trail' for hackers."
    If this really is a honeypot 'password', that'd be pretty cool. They should have some code that will covertly download the entire Jim Nabors catalog whenever the root password is accessed.
  • phew (Score:5, Funny)

    by packetmon (977047) on Tuesday July 03, 2007 @12:21PM (#19732783) Homepage

    Loaded 2 passwords with 2 different salts (Standard DES [64/64 BS])
    alpine (mobile)
    dottie (root)
    guesses: 2 time: 0:00:00:16 (3) c/s: 551883 trying: royour - b1o2w8
    For a second I was imagining the hoRRORble marketing money they would have had to spend if they would have cracked it and it would have read:

    windows (mobile)
    blows (root)

    or

    gates (mobile)
    sucks (root)
  • ...to run a smear campaign against Apple? I'm sure this will get reported with all the fury of the iTMS metadata, which was blown up huge in media yet those I know who uses it merely shrugged. I'm sure we'll get all the "iPhones are root'ed" with all due reference to what the root account is on a Mac, yet only with a tiny mention that you can't actually do anything with it on the iPhone. Apple and Macs have always been harassed for being too expensive or underpowered or one-buttoned etc. but there's always
  • by sjonke (457707) on Tuesday July 03, 2007 @12:37PM (#19732993) Journal
    The article left out the detail that the reason these passwords won't do you any good is that you only get 3 tries to enter them before you're locked out. Goop lick.
  • by nurb432 (527695) on Tuesday July 03, 2007 @12:38PM (#19733009) Homepage Journal
    Shouldn't be hidden from me anyway, it's MY phone, I bought it, it's MINE. If I want to do something stupid and brick it in the process, it's my choice. (As long as I don't go and cry to Apple for a free replacement.)
    • by mr_spatula (126119) on Tuesday July 03, 2007 @12:46PM (#19733117)
      If it's really YOURS, then why do you have to activate it via AT&T before it can be used, eh?
      • Re: (Score:2, Insightful)

        That's because USA nickel-and-dime culture sucks.

        I'll probably get the European model. Unlocked from any carrier, and supports better protocols.
        • Is there any sort of law in the EU that prevents mobiles from being restricted to a single carrier? I simply don't see Apple switching to an open model "out of the kindness of their hearts" or some such as it's not nearly as profitable- and I imagine that AT&T would be mighty miffed when the Euro iPhones are imported to the US....and promptly activated with other carriers for their better service and lower price.
          • Re: (Score:3, Informative)

            by Marton (24416)
            No there isn't. Carriers in the EU have been typically too small to try and claim exclusivity in the first place. With Vodafone and T-Mobile that's changed recently, but Nokia is still doing its best to maintain its brand and the carrier-independence of their products. They've been - fairly successfully - doing the same in the US as well. The iPhone precedent sure isn't helping their cause though.
    • by Achoi77 (669484)
      Perhaps it was just tucked away under the rug because Apple didn't have the time to bother to spend additional money removing it completely. If Apple (or whomever is speaking on its behalf) is telling the truth and truly it doesn't really do anything, then it's just some clutter. Besides, what's with the passwords anyways? Using whole words, one that starts with the first letter of the alphabet? Not a single number? It's obviously not meant to be hidden that deep.
    • by srvivn21 (410280) on Tuesday July 03, 2007 @03:56PM (#19735693)

      Shouldn't be hidden from me anyway, it's MY phone, I bought it, it's MINE. If I want to do something stupid and brick it in the process, it's my choice. (As long as I don't go and cry to Apple for a free replacement.)
      It is your phone. If you want to brick it (or sell it, or use it as a hammer), feel free.

      The software that comes with the phone (of which these hidden passwords are a part) is not yours. You are licensed to use it, post activation.
  • Custom software (Score:3, Interesting)

    by suv4x4 (956391) on Tuesday July 03, 2007 @12:59PM (#19733287)
    Yes, probably this is the default phone password which the phone uses to "autologin" into itself on startup, and as such isn't useful for "hacking" into the phone remotely.

    But you should consider: a) the phone doesn't support custom software b) thousands of geeks who bought the phone want to write apps for it.

    Maybe knowing the root login is a tiny step in that direction, if you get what I mean. I have the feeling we'll be seeing AT&T remotely disabling phones that have been hacked with custom apps. Same as MS did with modded XBOX360.
  • by Anonymous Coward
    Then I guess it is a multiuser system, then several people should be able to login, ah..., make phone call, on the same phone simultaneously. God, this is revolutionary! I have never seen a phone like this.
  • Theories (Score:3, Funny)

    by suv4x4 (956391) on Tuesday July 03, 2007 @01:02PM (#19733331)
    The article theorizes it may be left over from development work, or could have been included to create a 'false trail' for hackers.

    Even better, I suspect this is the major reason Leopard was delayed. iPhone's software was completed all along: all those OSX developers were assigned to create numerous false trails for hackers, on the iPhone.
  • by jmichaelg (148257) on Tuesday July 03, 2007 @01:11PM (#19733477) Journal
    I'm wondering if perhaps Apple wants the phone cracked. AT&T doesn't control activation, Apple does. If the phone is cracked then people could buy an iPhone and if another carrier was willing, activate it with some other carrier than AT&T. There are lots of people out there who can't stand AT&T so it's not as if we're only talking about 2 or 3 hackers doing this.

    Jobs could play the innocent claiming that hackers did it all the while happy that yet another iPhone went out the door.
  • from full-disclosure (Score:3, Informative)

    by shivan (12148) <slashdot@NOSpAM.hype.be> on Tuesday July 03, 2007 @01:15PM (#19733545) Homepage
    Re: [Full-disclosure] iPhone Security Settings

    From: Erik Tews (e_tewscdc.informatik.tu-darmstadt.de)
    Date: Sun Jul 01 2007 - 17:20:37 CDT


    On Monday, 02.07.2007, at 00:07 +0200, Fabio Pietrosanti (naif) wrote:
    > There are a couple of users with their passwords:
    >
    > root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
    > mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
    >
    > Does someone have some time to arrange a quick john session (should be
    > quick)?

    Loaded 2 passwords with 2 different salts (Standard DES [64/64 BS])
    alpine (mobile)
    dottie (root)
    guesses: 2 time: 0:00:00:16 (3) c/s: 551883 trying: royour - b1o2w8

    Yes, it was quick
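    Both owsla's /etc/passwd excerpt and the full-disclosure mail quoted above show the same thing: real password hashes sitting in the passwd file of a restore image anyone can download, rather than a `*` placeholder with the hash held elsewhere (NetInfo, a shadow file), and in the 13-character traditional DES crypt format on top of that. Added example, not code from the thread, the linked blog or Apple: a small audit that parses BSD (10-field) or Linux (7-field) passwd lines and flags exactly those conditions, plus an unlocked UID 0 account and an empty password field. The three sample entries are copied from the lines quoted in the comments; the rules, thresholds and names are this example's own.

```python
"""Audit a passwd-style file for password hashes that should not be there (added example)."""
from dataclasses import dataclass
from typing import List

# BSD master.passwd layout (10 fields), as in the quoted iPhone entries:
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell
# Linux /etc/passwd layout (7 fields):
#   name:passwd:uid:gid:gecos:home:shell

# Sample input: the three entries quoted in the comments above.
SAMPLE_PASSWD = """\
# User Database
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
"""

LOCKED_MARKERS = {"*", "x", "!", "!!", "*LK*"}   # hash held elsewhere or login disabled
CRYPT_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


@dataclass
class PasswdEntry:
    name: str
    pw: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class Finding:
    user: str
    issue: str


def parse_entry(line: str) -> PasswdEntry:
    """Split one passwd line into named fields, accepting either layout."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == 10:
        name, pw, uid, gid, _cls, _change, _expire, gecos, home, shell = fields
    elif len(fields) == 7:
        name, pw, uid, gid, gecos, home, shell = fields
    else:
        raise ValueError(f"unrecognised passwd layout ({len(fields)} fields): {line!r}")
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)


def classify_hash(pw: str) -> str:
    """Name the kind of value sitting in the password field."""
    if pw == "":
        return "empty"       # no password required at all
    if pw in LOCKED_MARKERS:
        return "locked"      # the only acceptable state for a world-readable passwd
    if pw.startswith("$"):
        return "modular"     # $1$ md5-crypt, $5$/$6$ sha-crypt, $y$ yescrypt, ...
    if len(pw) == 13 and set(pw) <= CRYPT_ALPHABET:
        return "des"         # traditional crypt(3): 12-bit salt, 8 significant chars
    return "unknown"


def audit(passwd_text: str) -> List[Finding]:
    """Return one Finding per problem; an empty list means nothing to report."""
    findings: List[Finding] = []
    for raw in passwd_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        e = parse_entry(raw)
        kind = classify_hash(e.pw)
        if kind == "empty":
            findings.append(Finding(e.name, "empty password field: login needs no password"))
        elif kind != "locked":
            findings.append(Finding(e.name, f"{kind} hash stored in the passwd file itself, "
                                            "readable by anyone who has the file"))
            if kind == "des":
                findings.append(Finding(e.name, "traditional DES crypt: only 4096 salts and 8 "
                                                "significant characters, recoverable in seconds"))
        if e.uid == 0 and kind != "locked":
            findings.append(Finding(e.name, "UID 0 account with a usable password"))
    return findings


def flagged_users(passwd_text: str) -> List[str]:
    """Distinct users with at least one finding, in file order."""
    seen: List[str] = []
    for f in audit(passwd_text):
        if f.user not in seen:
            seen.append(f.user)
    return seen


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD):
        print(f"{f.user:8} {f.issue}")
```

    Run against the sample, it reports root and mobile and stays silent on nobody, which is the shape of the story: the accounts matter less than the fact that any hash at all is in a file shipped inside a public image.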

  • Like MacOS X? (Score:3, Insightful)

    by iso-cop (555637) on Tuesday July 03, 2007 @01:42PM (#19733905)
    If the iPhone OS handles root in the same manner as MacOS X, then the root user would have to be enabled somehow before anyone could use the account anyway. So, show me how to hack the password and enable the account, then write an article that is more than FUD.
  • by CompMD (522020) on Tuesday July 03, 2007 @02:57PM (#19734927)
    So since the firmware restore image is out in the open, is it possible to emulate an ARM CPU in QEMU and boot the image? That would be interesting to find out.
    • by GreyWolf3000 (468618) on Tuesday July 03, 2007 @05:34PM (#19736831) Journal
      It's one thing to emulate a CPU, it's quite another to emulate a CPU and all of the peripherals that are attached to it. It's also another stretch to get all of them configured in such a way that what you're emulating is binary compatible with the host firmware. Especially if you have peripherals sitting on the same die as the ARM processor running off of asynchronous clock domains.

      I think there's a company that managed to develop a software emulator for TI OMAP chips...I never had a chance to try it and see if it works.

  • "dottie" & "alpine" (Score:3, Informative)

    by circusboy (580130) on Tuesday July 03, 2007 @04:25PM (#19736031)
    there was a story about this yesterday somewhere...
    ah, http://launchr.blogspot.com/2007/07/iphones-password-is-dottie-and-alpine.html [blogspot.com]
  • So... (Score:3, Insightful)

    by shish (588640) on Tuesday July 03, 2007 @05:19PM (#19736671) Homepage
    So we have a username and password, great. Now where's the login prompt?
