
First iPhone Worm Discovered, Rickrolls Jailbroken Phones

Posted by Soulskill
from the maximum-threat dept.
Unexpof writes "Users of jailbroken iPhones in Australia are reporting that their wallpapers have been changed by a worm to an image of '80s pop icon Rick Astley. This is the first time a worm has been reported in the wild for the Apple iPhone. According to a report by Sophos, the worm, which exploits users who have installed SSH and not changed the default password, hunts for other vulnerable iPhones and infects them. Users are advised to properly secure their jailbroken iPhones with a non-default password, and Sophos says the worm is not harmless, despite its graffiti-like payload: 'Accessing someone else's computing device and changing their data without permission is an offense in many countries — and just as with graffiti there is a cost involved in cleaning-up affected iPhones. ... Other inquisitive hackers may also be tempted to experiment once they read about the world's first iPhone worm. Furthermore, a more malicious hacker could take the code written by ikee and adapt it to have a more sinister payload.'"

  • by dingen (958134) on Sunday November 08, 2009 @11:33AM (#30022058)
    The problem is not in the jailbreaking or unlocking of the phone. The problem is people installing OpenSSH but not changing the password (which it does ask you to) and thus allowing SSH-connections to their phone by everyone.
  • mobile account user (Score:1, Interesting)

    by Anonymous Coward on Sunday November 08, 2009 @11:50AM (#30022226)

    There is also the "mobile" account username, which uses the same default password. It seems like this could also be vulnerable.
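
The comment above notes that the "mobile" account shares root's default password, so a check of the device has to cover every login-capable account, not just root. As an added example (not part of the original discussion), this Python script audits a copy of the account file for that condition; the BSD master.passwd layout, the sample records and the placeholder hash strings are assumptions constructed for illustration.

```python
# Added example (not from the original thread). The sample file is constructed;
# the hash strings are placeholders, not real password hashes.
from collections import defaultdict

SAMPLE_MASTER_PASSWD = """\
# constructed sample in BSD master.passwd layout (10 colon-separated fields)
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:PLACEHOLDERHASH1:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:PLACEHOLDERHASH1:501:501::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
"""

NOLOGIN_SHELLS = {"/usr/bin/false", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_accounts(text):
    """Return name, hash field and shell for every well-formed record."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:  # skip anything that is not a master.passwd record
            continue
        accounts.append({"name": fields[0], "hash": fields[1], "shell": fields[9]})
    return accounts


def password_login_accounts(accounts):
    """Accounts a remote password login could use: unlocked hash, real shell."""
    return [a for a in accounts
            if not a["hash"].startswith(("*", "!")) and a["shell"] not in NOLOGIN_SHELLS]


def shared_hash_groups(accounts):
    """Groups of login-capable accounts whose hash fields are byte-identical."""
    by_hash = defaultdict(list)
    for a in password_login_accounts(accounts):
        by_hash[a["hash"]].append(a["name"])
    return sorted(sorted(names) for names in by_hash.values() if len(names) > 1)


if __name__ == "__main__":
    accts = parse_accounts(SAMPLE_MASTER_PASSWD)
    print("password login possible:", [a["name"] for a in password_login_accounts(accts)])
    print("identical hash fields:", shared_hash_groups(accts))
```

Byte-identical hash fields mean the same password with the same salt, which is what accounts shipped in a common image look like; once both passwords have been changed the group list should be empty.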

  • Re:So... (Score:4, Interesting)

    by Anonymous Coward on Sunday November 08, 2009 @12:04PM (#30022364)

    I am reminded of those "I'm a Mac, and I'm a PC" commercials. So, Mac's "little brother" I guess is susceptible to the same plagues PCs are.

    Dude . . . it has nothing to do with Mac security. They've installed a third party application on their iPhone -- a service, no less. It's like giving out your house key to everyone, then complaining about how ineffective your house locks are. There are a couple of security practices being ignored by the end user here -- and these are users that, knowing how to jailbreak an iPhone, should know better.

    1. Never leave a default password.

    2. Never install a service if you don't need it. (Okay, maybe some DO need it, but I doubt all of them.)

    The same applies to Windows. Windows is riddled with security problems, hence 75% of Windows viruses still work, whereas less than .001% of Mac viruses still work (if even that). But even so, many "security problems" in Windows are not the fault of Windows, but of the user running it. It doesn't matter how perfect your burglar alarm is if you don't turn it on.

    On a lighter note:

    Dark Helmet: "Give us the combination to the air shield!"

    King Roland: "All right! All right. It's 1-2-3-4-5."

    Dark Helmet: "That's the stupidest combination I've ever heard in my life! That's the kind of combination an idiot would have on his luggage."

    [enter president Skroob]

    President Skroob: "Did you get the combination to the air shield?"

    Dark Helmet: "Yes! It's 1-2-3-4-5."

    President Skroob: "That's amazing! I have the same combination on my luggage!"

    Mel Brooks FTW.

  • Re:DEFAULT PASSWORD? (Score:5, Interesting)

    by argent (18001) <peterNO@SPAMslashdot.2006.taronga.com> on Sunday November 08, 2009 @12:08PM (#30022392) Homepage Journal

    Having a default password is bad enough, but my question is: why does the cellular network in Australia permit direct device-to-device connections over the air?

    Once you're running an IP stack, you'd have to make a deliberate and non-trivial effort to prevent direct connections, no?

  • by tgd (2822) on Sunday November 08, 2009 @12:38PM (#30022716)

    SSHD isn't on jailbroken phones.

    The jailbreak installs very little by default. Only users who installed SSHD deliberately, leave it running all the time, and didn't change the password are impacted.

    Lots of hype, not as big of a deal as it seems. (And, frankly, wouldn't be a big deal if Apple would open up enough of their APIs that the typical apps most people seem to use when they are jailbroken could work...)

  • by bhartman34 (886109) on Sunday November 08, 2009 @12:43PM (#30022762)
    In the case of WebOS, you have to be careful with the term "jailbreak". The process for WebOS is nothing remotely similar to what you have to do with an iPhone. In WebOS, it's a simple matter of entering one of two codes.

    The other difference, of course, is that Palm wants people to hack on the Pre (and soon, the Pixi) as much as possible. They encourage the homebrew community, and don't even clamp down on apps that Sprint would prefer to not have on their phones like MyTether. (Sure, they don't have MyTether in the App Catalog, but they could easily prevent it from being installed altogether, if they had a mind to.)

    As far as the original article, the really unfortunate thing is that Apple's likely reaction to this will be, "So? We told you not to jailbreak your iPhone!" It will lend some (false) legitimacy to the idea that jailbreaking an iPhone is wrong, which will only help Apple lock down iPhones further in the future.

    And I agree with stillpixel. I wouldn't be shocked if Apple themselves had a hand in this.
  • by J.Y.Kelly (828209) on Sunday November 08, 2009 @01:08PM (#30023038)

    It depends when you last jailbroke your iPhone. I did a jailbreak early on. I installed openSSH and changed the default password. I then found out that the phone entered an infinite loop of restarting the home screen and had to be forcibly restored.

    The problem appears to be that the passwd binary on the phone is (deliberately?) broken so it generates incorrect hashes for the password entered. If you actually want to change your password then you need to jump through some hoops [matsimitsu.nl] to change it without using the usual passwd command.

  • by Tapewolf (1639955) on Sunday November 08, 2009 @03:19PM (#30024178)
    Depends on the version of the OS and policy of the device maker, I think. A few years back I was developing against a Nokia E61 which ran S60r3 (i.e. Symbian 9) and it could only run signed binaries, which made testing on real hardware a nightmare. My understanding was that they got tough with this in version 9 - earlier versions (like the S80 communicator I had before) would happily run unsigned apps.
  • by Anonymous Coward on Sunday November 08, 2009 @04:12PM (#30024596)

    I never got instructions for changing password using SSH from downloading the daemon or the terminal app...I knew how to do it, since it's the same as doing it on a Linux machine, but there was nothing telling me how...
