Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Worms Security Apple

First iPhone Worm Discovered, Rickrolls Jailbroken Phones 215

Posted by Soulskill
from the maximum-threat dept.
Unexpof writes "Users of jailbroken iPhones in Australia are reporting that their wallpapers have been changed by a worm to an image of '80s pop icon Rick Astley. This is the first time a worm has been reported in the wild for the Apple iPhone. According to a report by Sophos, the worm, which exploits users who have installed SSH and not changed the default password, hunts for other vulnerable iPhones and infects them. Users are advised to properly secure their jailbroken iPhones with a non-default password, and Sophos says the worm is not harmless, despite its graffiti-like payload: 'Accessing someone else's computing device and changing their data without permission is an offense in many countries — and just as with graffiti there is a cost involved in cleaning-up affected iPhones. ... Other inquisitive hackers may also be tempted to experiment once they read about the world's first iPhone worm. Furthermore, a more malicious hacker could take the code written by ikee and adapt it to have a more sinister payload.'"
This discussion has been archived. No new comments can be posted.

First iPhone Worm Discovered, Rickrolls Jailbroken Phones

Comments Filter:
  • by Nimey (114278) on Sunday November 08, 2009 @10:11AM (#30021878) Homepage Journal

    FFS, why is there even a default password on sshd for the jailbroken phones? It should default to being disabled and then require you enter your own password when it's enabled.

    • by stillpixel (1575443) on Sunday November 08, 2009 @10:16AM (#30021926) Homepage Journal
      In the mean time Apple has cut a very handsome check for ikee's services in proving jailbroken phones to be bad bad bad : )
      • the attempts Apple makes to maintain control of devices they have sold are not dissimilar to the fanaticism shown by some of the more unbalanced elements of the user-base. Beyond the pale.

        If their selling strategy for the iPhone was more in line with their competitors, and it could be bought unlocked / without lockdowns on application installation, off-the-shelf as most rivals can, we probably wouldnt need the jailbreaking scene and nor would the virus be spreading this way.
        • by dingen (958134) on Sunday November 08, 2009 @10:33AM (#30022058)
          The problem is not in the jailbreaking or unlocking of the phone. The problem is people installing OpenSSH but not changing the password (which it does ask you to) and thus allowing SSH-connections to their phone by everyone.
          • by Dreadneck (982170)

            The problem is people installing OpenSSH but not changing the password (which it does ask you to)

            Perhaps the makers of OpenSSH should change the first-run behavior to require the user enter a new password in order to prevent this issue?

            • by mat128 (735121) <mat128@@@gmail...com> on Sunday November 08, 2009 @11:53AM (#30022888)

              This isn't OpenSSH developers' problem. The jailbreaking utility should prompt you to change your root password. SSH is only allowing you to remotely log on the device, in the end if your password is weak/default, you shouldn't run an SSH server.

            • by DavidTC (10147) <slas45dxsvadiv.v ... x.com minus berr> on Sunday November 08, 2009 @12:03PM (#30022984) Homepage

              Except there's no into the command line except SSH, and hence no way to change the password.

              'First run' behavior is pretty meaningless when it's a daemon process installed from an interface that doesn't allow it to prompt.

              • Re: (Score:3, Insightful)

                by Anonymous Coward

                'First run' behavior is pretty meaningless when it's a daemon process installed from an interface that doesn't allow it to prompt.

                You mean, There isn't an app for that?

            • Re: (Score:3, Informative)

              Perhaps the makers of OpenSSH should change the first-run behavior to require the user enter a new password in order to prevent this issue?

              No. OpenSSH is a tool for allowing remote access to a host. It is not a password manager, login manager, etc. Such functions are best separated from OpenSSH. Perhaps it would be best if the jailbreak utility prompt for a root password or generate and provide
              the new SSH private key for the root account to allow for ssh key exchange logins and instruct the user to login via SSH to change the root password. Something like that.

            • OpenSSH doesn't have this behavior, it uses your system's normal passwords.. It's the particular Iphone-ported application.

            • by sjames (1099)

              And screw things up for the vast majority of users who aren't doing an incredibly dumb thing like leaving a factory default root password unchanged?

          • by J.Y.Kelly (828209) on Sunday November 08, 2009 @12:08PM (#30023038)

            It depends when you last jailbroke your iPhone. I did a jailbreak early on. I installed openSSH and changed the default password. I then found out that the phone entered an infinite loop of restarting the home screen and had to be forcibly restored.

            The problem appears to be that the passwd binary on the phone is (deliberately?) broken so it generates incorrect hashes for the password entered. If you actually want to change your password then you need to jump through some hoops [matsimitsu.nl] to change it without using the usual passwd command.

            • Re: (Score:3, Informative)

              by BLKMGK (34057)

              Umm except I just did this with no problems? I logged out and back in with new password, no issues. This is on 3.12. what loop issue did you have and how do you go about triggering it? I will test...

        • by bhtooefr (649901) <bhtooefr&bhtooefr,org> on Sunday November 08, 2009 @10:33AM (#30022060) Homepage Journal

          The only rivals that are completely unlocked are Palm OS (which is a joke,) Windows Mobile, and Maemo.

          Android and WebOS do at least allow you to install unsigned apps, but you don't get root access without a jailbreak, and BlackBerry and Symbian both require signed apps and don't even give root to most signed apps. Useful for things like tethering (although not required.)

          • by LurkerXXX (667952)

            I'm not sure why you think PalmOS is a joke. It's a nice Linux varient. The problem with it is it is hobbled by a handicapped SDK at the moment.

          • Re: (Score:3, Insightful)

            by jcr (53032)

            PalmOS isn't a joke, it's just outdated. It did quite well in its time.

            -jcr

          • Re: (Score:3, Interesting)

            by bhartman34 (886109)
            In the case of WebOS, you have to be careful with the term "jailbreak". The process for WebOS is nothing remotely similar to what you have to do with an iPhone. In WebOS, it's a simple matter of entering one of two codes.

            The other difference, of course, is that Palm wants people to hack on the Pre (and soon, the Pixi) as much as possible. They encourage the homebrew community, and don't even clamp down on apps that Sprint would prefer to not have on their phones like MyTether. (Sure, they don't have
            • Re: (Score:2, Insightful)

              by onefriedrice (1171917)

              And I agree with stillpixel. I wouldn't be shocked if Apple themselves had a hand in this.

              Oh brother. Apple doesn't care what you do with the iPhone, but they do have to close the holes that enable jailbreaking because they're security holes through which Something Bad could go to Do Something Bad. It's one thing to say that Apple is actively against jailbreaking and otherwise doing whatever you want with the phone (a popular and ridiculous notion often bandied about here), but it's quite another thing to realize that they don't care all that much but still have to close the holes. Thinking t

              • by bhartman34 (886109) on Sunday November 08, 2009 @01:51PM (#30023986)

                Apple doesn't care what you do with the iPhone, but they do have to close the holes that enable jailbreaking because they're security holes through which Something Bad could go to Do Something Bad.

                Apple absolutely does care what you do with the iPhone. That's why they've updated the ROM [iphonehacks.com] in newer 3Gs models to prevent jailbreaking.

                If Apple was okay with jailbreaking, and just interested in closing security holes, they would work on those holes, rather than on preventing jailbreaking altogether. (In fact, that's exactly what Palm does do. One of the first methods to install apps on a Pre was to e-mail yourself a link to an application. Palm (rightfully) closed that hole, but left intact the ability to root a Pre.

                And I agree with stillpixel. I wouldn't be shocked if Apple themselves had a hand in this.

                Thinking that Apple someone had a hand in creating this "worm" for jailbroken iPhones is not only considerably misguided (and unfounded), it's utterly moronic.

                I didn't say I believe that Apple had a hand in it. I said I wouldn't be shocked if they did. They've got a vested interest in keeping people from jailbreaking, and this kind of thing (especially because it's relatively innocuous) fits the bill.

            • by bhtooefr (649901)

              I was under the impression that the Konami code just allowed unsigned apps to be installed, not root access.

              http://www.webos-internals.org/wiki/Portal:Accessing_Linux [webos-internals.org]

              • Technically, it's the novaterm application (distributed w/ the SDK) that allows root access to the Pre. But the Pre needs to be in dev mode (w/ the konami code or the newer code) in order for the novaterm application to work.
          • Uuum... on what planet? I developed software for Symbian. And I can install anything I like on the Symbian device. Even modify system files. On Maemo (I presume we're talking about the N900 here, you have root access right there. No jailbreaking. No tricks. Just a shell command to go to root mode. Which is expected,as it's Linux. And not that fake "Linux" that is called Android.)

            • by bhtooefr (649901)

              I'm not disputing Maemo, and I listed that in my list of fully-open to the user OSes.

              But, I was under the impression that S60 3rd Edition had mandatory code signing, and applications only got full root access if the manufacturer of the device signed the program - not if the developer rubberstamped the app, not if the user had the app signed for their device. Maybe I'm wrong, but I haven't seen any evidence to the contrary. (Symbian devices aren't the most common here, and Nokia has never sold a Symbian phon

            • Re: (Score:2, Interesting)

              by Tapewolf (1639955)
              Depends on the version of the OS and policy of the device maker, I think. A few years back I was developing against a Nokia E61 which ran S60r3 (i.e. Symbian 9) and it could only run signed binaries, which made testing on real hardware a nightmare. My understanding was that they got tough with this in version 9 - earlier versions (like the S80 communicator I had before) would happily run unsigned apps.
          • I can't speak for symbian since I have never used it, but you can install unsigned applications on a blackberry, but you will need to specify the level of trust manually.

            In my (limited) experience, Blackberry phones are pretty open.

            • by bhtooefr (649901)

              As of what version of the BB OS? I was under the impression that you had to purchase a signing key (cheap, but still) to sign applications, and even then, there was no root access to the "filesystem," to try to prevent piracy.

              (Palm OS uses security by obscurity on its programs+databases "filesystem," but NVBackup and FileZ break that obscurity rather easily.)

          • by mjwx (966435)

            but you don't get root access without a jailbreak

            Wrong.

            The telco Android ROMs rarely give you root access but all the ADP and most of the community ROMs give you root access out of the box.

            Flashing a new ROM is not jailbreaking any more then re-installing Windows is.

            • by bhtooefr (649901)

              However, IIRC, you don't get to use paid Android Market apps if you get a ROM that allows root.

              Therefore, it becomes a catch-22 - to have root, you either jailbreak, or you don't get paid apps.

          • by dangitman (862676)

            The only rivals that are completely unlocked are Palm OS (which is a joke,)

            Windows Mobile (which is a joke), and Maemo (which is a joke).

            The whole mobile OS landscape seems to be a stand-up comedy club.

    • I have a jailbroken iphone. But othet then the Cydia and ICY applicaions icons which are installed during the redsnow jailbrake I have not deliberately installed any other non-itunes apps. Do I have ssh running but not know it after I jail break?

      If so how to I log into it and change the password?

      • Re: (Score:3, Informative)

        by dingen (958134)
        Only people who deliberately installed OpenSSH through Cydia and didn't change the default password are affect by this "virus". If you haven't installed OpenSSH, you're not a target.
        • Re: (Score:3, Insightful)

          by tgd (2822)

          And on top of that, leave it running.

          SBSettings, folks. Turn it on when you need it. If you're not using it, why leave it on even if you have changed the password?

      • by Anonymous Coward on Sunday November 08, 2009 @10:29AM (#30022034)

        Go to Cydia, manage tab, packages, and see if OpenSSH is on the list of installed packages.

        If it is, download and install a package from Cydia called MobileTerminal.

        Start MobileTerminal, type in "su", then type in the default password "alpine", then type in "passwd", and set a new password (don't use " quote marks " in any of these commands)

      • by lorenlal (164133)
        All it really means is that the creator messed up [encycloped...matica.com].
    • by 99BottlesOfBeerInMyF (813746) on Sunday November 08, 2009 @10:24AM (#30021984)

      ...why is there even a default password on sshd for the jailbroken phones?

      Probably because the people writing an SSH client for a hacked version of a cell phone have little or no incentive to spend time working on details like requiring the user to input a password when the client is installed. Look if you're going to jailbreak your cellphone and start adding network services like SSH, with very limited user types, you should probably have a clue what you're doing in the first place. I put this right up there with people running Apache on their home Windows XP machine and getting compromised when they don't update it regularly.

    • Re: (Score:3, Interesting)

      by tgd (2822)

      SSHD isn't on jailbroken phones.

      The jailbreak installs very little by default. Only users who installed SSHD deliberately, leave it running all the time, and didn't change the password are impacted.

      Lots of hype, not as big of a deal as it seems. (And, frankly, wouldn't be a big deal if Apple would open up enough of their APIs for the typical apps most people seem to use when they are Jailbroken could work...)

    • by v1 (525388)

      one would assume that getting ssh working is part of the jailbreaking process.

      But ya, if you enable ssh and leave the root pw as a default, you deserve a lot worse than a rickrolling...

    • Re: (Score:3, Informative)

      by ceoyoyo (59147)

      The root "account" on an iPhone is the same for all phones but is normally disabled. At least at some points in time, a jailbreak consisted of enabling SSH and that root account. SSHing into your phone using that account was the only way you could to anything else - it WAS the break.

      Admittedly now, with more user friendly jailbreaks, SSH could ask you to change the password when you install it.

    • by BLKMGK (34057) <morejunk4me&hotmail,com> on Sunday November 08, 2009 @12:47PM (#30023414) Homepage Journal

      My phone is Jailbroken but Cydia wasn't on it. I fired up Putty and nope, connection rejected. Tried to install SSH with Rock, it failed claiming that it didn't have Superuser privs. I fired up blacKra1n and installed Cydia. During the install Cydia appeared to install SSH but still no connection. I went in and reinstalled SSH, now I got a connection with the default password. But wait, at the bottom of the SSH install screen where it tells you how to use it they TELL YOU TO CHANGE THE PASSWORD! they also provide you a link to an article detailing HOW TO DO THAT. At this point I already had an SSH connection so I issued a passwd and changed it. TaDa, that hard to do - sheesh! I also installed an interesting little tool called Toggle SSH, gee guess what that does very well? Yup, blocks SSH connections at the press of a button - like a toggle ;-)

      So, I had to jump through hoops to install the damned thing, then I received CLEAR instructions on how to change the default password, AND there's a simple to use FREE program out there that disables it. Obviously it might get installed as part of other things depending upon how you jailbroke but come on, they could not have made this too much easier to fix! If people are getting spanked by this well, perhaps they should have been a little more cognizant when they jailbroke? It's not hard to fix via any computer with SSH on it and you can even load a terminal program local to the phone to fix it....

      • by MrCrassic (994046)

        I'm surprised more people don't keep SSH off when idle; it uses a significant amount of battery power. After turning it off, my battery runtime improved quite noticeably.

        • by BLKMGK (34057)

          Makes sense to me, wondered about that actually. It's off on my machine! Well at least I hope so, the app prevents me from contacting it at least. I'd agree that killing the daemon is a good idea for batt life reasons...

    • Re: (Score:2, Flamebait)

      by BitZtream (692029)

      Because the people writing software packages for jailbroken phones don't actually know very much about what they are doing?

      The just quickly ported SSH and let it use the default passwords, which aren't unique. Which was fine before the phone had anything that used the password file other than UID info. Now that something is authenticating from it, its a bad thing, the fact that its for remote network access makes it a horrible thing.

      There is a reason Apple doesn't want every douche bag in the world to be

  • by MasterOfGoingFaster (922862) on Sunday November 08, 2009 @10:19AM (#30021950) Homepage

    So this worm is aimed at people are are smart enough to jailbreak an iPhone, but stupid enough not to change a default password. Sounds like a narrow band detection device.

    • by Anonymous Coward on Sunday November 08, 2009 @10:32AM (#30022046)

      also this article fails to mention that the worm disables ssh after infecting the device.. therefore kinda cleaning up the problem ..

      • by Andorion (526481)
        I'm surprised the fact that it disabled the service isn't mentioned front and center - that really means it was written as a service to the community and not to be malicious.
    • Re: (Score:3, Informative)

      by ceoyoyo (59147)

      Not exactly. Jailbreaking an iPhone these days isn't what it used to be.

      It doesn't even require the command line anymore.

      • About a month ago, I ran into a girl who was obviously

        a) not a geek, and

        b) would not have a geek boyfriend

        and was carrying a jailbroken iPhone. With the easy GUI that the Dev Team has had for awhile, I think it's at the point where it's possible for mainstream users to do it.

  • by masmullin (1479239) <masmullin@gmail.com> on Sunday November 08, 2009 @10:22AM (#30021964)
    and the iPhone getting rickroll'd

    http://www.youtube.com/watch?v=3KANI2dpXLw&feature=player_embedded#
  • SSH (Score:3, Funny)

    by Lennie (16154) on Sunday November 08, 2009 @10:22AM (#30021968) Homepage
    I thought SSH was created to add more safety. ;-)
  • Similar case (Score:5, Informative)

    by Stratoukos (1446161) on Sunday November 08, 2009 @10:22AM (#30021970)

    Ars technica reported a similar case in the Netherlands about a week ago. A teenage "hacker" replaced the wallpaper with one showing an alert that told the user to give him 5 euros for instructions to remove the "virus". Full article [arstechnica.com]

    • by dingen (958134) on Sunday November 08, 2009 @10:34AM (#30022068)
      As a response to this, T-Mobile is now in the progress of installing firewall software so phones on their network can't communicate with each other, making similiar hacks in the future a lot more difficult.
      • by DavidTC (10147)

        Erm...unless the phone wanders into range of a wifi network, and gets on that, in which case the phone company firewalling the phone network is hardly going to do anything.

        Incidentally, I was unaware that phones actually could communicate with each other over the NAT IPs given out by the phone company. Interesting. That opens up all sorts of interesting concepts...

        • by dingen (958134)

          Erm...unless the phone wanders into range of a wifi network, and gets on that, in which case the phone company firewalling the phone network is hardly going to do anything.

          Of course. But then you're not on their network, so they have no responsibility there.

  • by Virak (897071) on Sunday November 08, 2009 @10:24AM (#30021986) Homepage

    Oh right. [arstechnica.com] Probably someone saw that story too and decided to have a little fun with the same gaping security hole too.

  • Holy Mother of Cheswick.

    What was it, username "FIELD" password "SERVICE"?

    • Re: (Score:3, Informative)

      by MindCheese (592005)

      User: root
      Password: alpine

      Unless you reset it with passwd once you get in (something no guide underscores the importance of, and your typical "ooooh shiny" mass-market Apple consumer won't know), this is the default.

      Having a default password is bad enough, but my question is: why does the celluar network in Australia permit direct device-to-device connections over the air?

      • Re:DEFAULT PASSWORD? (Score:5, Interesting)

        by argent (18001) <[moc.agnorat.6002.todhsals] [ta] [retep]> on Sunday November 08, 2009 @11:08AM (#30022392) Homepage Journal

        Having a default password is bad enough, but my question is: why does the celluar network in Australia permit direct device-to-device connections over the air?

        Once you're running an IP stack, you'd have to make a deliberate and non-trivial effort to prevent direct connections, no?

      • Re:DEFAULT PASSWORD? (Score:4, Informative)

        by ceoyoyo (59147) on Sunday November 08, 2009 @11:56AM (#30022924)

        Actually, most of the jailbreaking guides did make a big deal of changing your password, back when installing SSH was a required part of the process. Apparently when you install SSH through Cydia today it also suggests you change the password. So the people who got hacked ignored a clear warning.

        Once you connect your phone to the Internet, device to device connections are sort of the default. You have to purposely block incoming connections to prevent it.

        • Also those being hacked could be using old firmware versions. Back in the old (1.1.3.) days the passwd command installed with the jailbreak was broken and users were advised [flipsidereality.com] not to use it.

      • Re: (Score:2, Insightful)

        by UnknowingFool (672806)

        For this exploit to occur 3 things must happen:

        1. Consumer must jailbreak phone.
        2. Consumer must install SSH.
        3. Consumer must not reset root password.

        You typical "ooooh shiny" mass-market Apple consumer generally does not do #1 above much less the two other things.

      • by mjwx (966435)

        why does the celluar network in Australia permit direct device-to-device connections over the air?

        Because in Australia Telco's aren't permitted to monitor or interfere with communications using a recognised protocol (SMS, Voice, IP/Data).

  • by OzJD (1613377) on Sunday November 08, 2009 @10:53AM (#30022258)
    Quick spam, But it's a lot more informative http://blog.jeltel.com.au/2009/11/interview-with-ikee-iphone-virus.html [jeltel.com.au] I asked as many questions as I could come up with, and he answerred them all :) Source code is listed on that link as well
  • don't click it! (Score:2, Informative)

    by jmil (782329)
    don't click the link. i was fooled. the posting and comments above are sophisticated hacks to get you to click the link and be rickrolled. the tactic recently attempted here: http://bit.ly/3Xdrd [bit.ly]
  • by TheJodster (212554) on Sunday November 08, 2009 @12:18PM (#30023110) Homepage

    If you are too stupid to change the default password on the SSH server running on your iPhone, you shouldn't have a jailbroken iPhone. You should leave the damn software alone so that Big Daddy Jobs can take care of security for you. Come back and see us jailbreakers when you get to wear your big boy panties.

  • ... you were running Linux^H^H^H^H^H Android
  • > wallpapers have been changed by a worm to an image of '80s pop icon Rick Astley

    I would say that this is a textbook contravention of Article 5 of the Universal Declaration of Human Rights :-)

  • there's no firewall on the iphone?

    glad I own a pre!

    good default iptables ruleset ftw!

  • I think we can no longer use pure "Market Share" as an excuse for the current dearth of malware on Linux platforms. This exploit targets only those who are savvy enough to be able to install sshd on their iphone, yet are too ignorant to know or care that there is a default password that should be changed. That's gotta be a really limited target group, IMHO.
  • The majority of people who jailbreak their phones intially do it just to unlock their iPhones.

    Here in Canada, carriers refuse to unlock even phones paid in full. Not only does it limit the freedom of consumers but since all carriers are in on it, it smacks of collusion.

    Now that there are multiple GSM carriers in Canada (Bell, Telus, Rogers/Fido), I encourage all of my fellow Canadians to write to the CRTC mailto:info@ccts-cprst.ca [mailto] and their local Member of Parliament to force the carriers to provide an

  • I like Rick Astley. He like TOTALLY ROCKS. [youtube.com]

    (quickly ducks)

    RS

Money is the root of all wealth.

Working...