**huge Security Risk** Unix Newbs Read Now!
hytech dot org
Oct 11, 2007, 10:29 PM
I jailbroke a touch today as a security experiment following guides and instructions on this forum. I just want to let you all know that there is a pretty big omission I have seen from all these tutorials.
They fail to have you change the root password after everything is done.
For those who do not understand the implications to this, you must really do the following.
1) SSH into your Touch
2) Login as root using default password alpine
3) Once you are in the prompt, type the following command: passwd
4) Follow instructions to complete password change.
Here's the deal: If you don't change this, I can SSH into your iphone using the default alpine password - and then play god. :cool:
If you know what's good for you, you'll change it.
http://www.jinx.com/Content/Product/150p_0c_1b.jpg
toxicbomber
Oct 11, 2007, 10:30 PM
Hey thanks! :)
ebel3003
Oct 11, 2007, 10:31 PM
Good point, but that's up to the user, it's only music, video, and what I'm doing today. Also, it's unlikely that you would be able to SSH into any random iPod unless you were on the same network, which is also unlikely. Although.. I did change mine right off the bat.
toxicbomber
Oct 11, 2007, 10:34 PM
Darn... the touch dev site is down.. how do you get into your touch again?
xsedrinam
Oct 11, 2007, 10:37 PM
I don't have an iPod. ¡Toma! :p :D
Quickdood
Oct 11, 2007, 11:21 PM
I jailbroke a touch today as a security experiment following guides and instructions on this forum. I just want to let you all know that there is a pretty big omission I have seen from all these tutorials.
They fail to have you change the root password after everything is done.
For those who do not understand the implications to this, you must really do the following.
1) SSH into your Touch
2) Login as root using default password alpine
3) Once you are in the prompt, type the following command: passwd
4) Follow instructions to complete password change.
Here's the deal: If you don't change this, I can SSH into your iphone using the default alpine password - and then play god. :cool:
If you know what's good for you, you'll change it.
http://www.jinx.com/Content/Product/150p_0c_1b.jpg
I tried that command and I got passwd not found
Mystikal
Oct 12, 2007, 12:30 AM
PW Changed. Thanks.
ipodtoucher
Oct 12, 2007, 12:32 AM
PW Changed. Thanks.
same here! thanks!!
Applespider
Oct 12, 2007, 02:40 AM
I'm giggling since the topic is for Unix newbs most of whom won't have a clue what root is let alone how to follow step 1 - SSHing in
specialk
Oct 12, 2007, 03:31 AM
hmm i keep getting this message when i try to change my password
-sh: passwd: command not found
what am i doing wrong :confused:
druranium
Oct 12, 2007, 03:43 AM
I'm giggling since the topic is for Unix newbs most of whom won't have a clue what root is let alone how to follow step 1 - SSHing in
Applespider, you'd be surprised how many newbs learned about / and sshing in the last couple of days! ALSO - Are you the only other girl on this board?!?!
I've never seen a demi-goddess before ;)
Regarding the actual topic, I get a passwd: not found too
GOD SAVE THE NEWBS!
REBELinBLUE
Oct 12, 2007, 05:04 AM
Good point.
For those it isn't working for, ensure you have installed the "Community Sources" package from installer and then "BSD subsystem"
Genghis Khan
Oct 12, 2007, 05:15 AM
just a thing
for someone to hack your iPod Touch
1) they need to be on the same network
2) they need to know you're on a Touch
3) they need to know UNIX, and how to access it and another device through the Touch
4) you need to have hacked your Touch
now frankly, this is only a risk if you're on a big public network...but yeah...change it to be safe
nicely done hytech.org
druranium
Oct 12, 2007, 05:30 AM
Good point.
For those it isn't working for, ensure you have installed the "Community Sources" package from installer and then "BSD subsystem"
Rebel thanks very much. I was missing BSD subsystem. now I can change my password.
Arisian
Oct 12, 2007, 07:22 AM
Good point, but that's up to the user, it's only music, video, and what I'm doing today. Also, it's unlikely that you would be able to SSH into any random iPod unless you were on the same network, which is also unlikely. Although.. I did change mine right off the bat.
I would have to disagree that this is unlikely. It's pretty easy to see all the iPods that are logged in to my network right now. Changing the root pw is just a good idea. Don't fool yourself by thinking that the chances are slim, just change your passwords ;)
Quickdood
Oct 12, 2007, 08:24 AM
I am getting command not found, I am using putty to get into my ipod. I type passwd as soon as I finish logging in. What am I doing wrong?
colonelcack
Oct 12, 2007, 08:36 AM
I am getting command not found, I am using putty to get into my ipod. I type passwd as soon as I finish logging in. What am I doing wrong?
I have the same problem. :confused:
Quickdood
Oct 12, 2007, 08:41 AM
I have the same problem. :confused:
Help please, what are we doing wrong?
REBELinBLUE
Oct 12, 2007, 08:41 AM
As I said, you need to install the BSD subsystem
Quickdood
Oct 12, 2007, 08:42 AM
As I said, you need to install the BSD subsystem
Thanks for the response, can I find that in the installer app?
Edit:
Forget it I found it under the installer app, thanks again
bonkiebonks
Oct 12, 2007, 10:58 AM
gg
How do I uninstall this BSD Subsystem now? :mad:
clevin
Oct 12, 2007, 11:03 AM
It's indeed a risk, however, don't scare people, they are behind a wireless router, they are not exposing their IPs, you can't connect to them easily.
Sure, if safari has some holes for executable codes, that's a different story.
fdmendez
Oct 12, 2007, 11:24 AM
just a thing
for someone to hack your iPod Touch
1) they need to be on the same network
2) they need to know you're on a Touch
3) they need to know UNIX, and how to access it and another device through the Touch
4) you need to have hacked your Touch
OK, honestly, what are the odds that will happen?
On top of all that, you have to know the iPod's IP address. And on top of all of that, what's the worst they can do? Steal your music?
The reality is that you can have your iPod's IP address painted on your forehead, visit as many public wifi spots as you can in a day, and you still won't get hijacked.
And if you do get hijacked and someone manages to complete the extremely complicated task of connecting to your iPod, they have to do it in the time that you're in the hotspot.
Reality: It's as likely as finding a car key in Disneyland and then heading out to the gigantically huge parking lot to find the car that it belongs to. Once you find the car, you find out you can't even steal the car. It just opens the trunk and maybe, with a little work, you can break the backseat down (with a lot of manual labor) so that you can access what's inside the car and even then the key doesn't start the car. And after all that, you find out that all that's inside the car is a bunch of CDs, a photo album, and a GameBoy Micro. And that's assuming you completed the task before the owner of the car returned to his/her car.
...It's not gonna happen.
California King
Oct 13, 2007, 04:47 PM
OK, honestly, what are the odds that will happen?
On top of all that, you have to know the iPod's IP address. And on top of all of that, what's the worst they can do? Steal your music?
The reality is that you can have your iPod's IP address painted on your forehead, visit as many public wifi spots as you can in a day, and you still won't get hijacked.
And if you do get hijacked and someone manages to complete the extremely complicated task of connecting to your iPod, they have to do it in the time that you're in the hotspot.
Reality: It's as likely as finding a car key in Disneyland and then heading out to the gigantically huge parking lot to find the car that it belongs to. Once you find the car, you find out you can't even steal the car. It just opens the trunk and maybe, with a little work, you can break the backseat down (with a lot of manual labor) so that you can access what's inside the car and even then the key doesn't start the car. And after all that, you find out that all that's inside the car is a bunch of CDs, a photo album, and a GameBoy Micro. And that's assuming you completed the task before the owner of the car returned to his/her car.
...It's not gonna happen.
haha, awesome metaphor..
rad187
Oct 17, 2007, 10:00 AM
Reality: It's as likely as finding a car key in Disneyland and then heading out to the gigantically huge parking lot to find the car that it belongs to. Once you find the car, you find out you can't even steal the car. It just opens the trunk and maybe, with a little work, you can break the backseat down (with a lot of manual labor) so that you can access what's inside the car and even then the key doesn't start the car. And after all that, you find out that all that's inside the car is a bunch of CDs, a photo album, and a GameBoy Micro. And that's assuming you completed the task before the owner of the car returned to his/her car. ...
haha, awesome metaphor..
Actually that's not really an accurate metaphor. The problem being that the root user does not simply give you access to the music but to the entire file system on the IPT. This means someone could mess with the actual programs that run the IPT or simply just delete all the files rendering your IPT useless. Also, it's not like finding a car key since the key is already known. Perhaps this is a better metaphor...
You leave your car unlocked in a parking lot. Someone opens the door steals all your CD's. Before leaving they pop the hood and remove your engine.
Regardless, hytech is right: changing the root password is a very good idea. Don't fool yourself into thinking connecting to the IPT is complicated. It is actually extremely easy, especially to anyone with moderate Linux/Unix experience.
Bottom line: change your root password. 2 seconds of work now could save you a huge headache later.
WildPalms
Oct 17, 2007, 10:23 AM
just a thing
for someone to hack your iPod Touch
1) they need to be on the same network
2) they need to know you're on a Touch
3) they need to know UNIX, and how to access it and another device through the Touch
4) you need to have hacked your Touch
now frankly, this is only a risk if you're on a big public network...but yeah...change it to be safe
nicely done hytech.org
Hehe, well said dude. I bet hytech felt proud of himself up until this point.
Hytech, the touch is not a WAP.
savar
Oct 17, 2007, 10:28 AM
Good point, but that's up to the user, it's only music, video, and what I'm doing today. Also, it's unlikely that you would be able to SSH into any random iPod unless you were on the same network, which is also unlikely. Although.. I did change mine right off the bat.
Well if you were at starbucks and had your ipod out and saw somebody else on their ipod, you could scan the starbucks subnet (probably 192.168.1.*, don't know for sure -- I've never used starbucks wifi) and quickly find their ipod...very few laptops/devices have an SSH daemon so you'd know when you found their IP address.
You could steal photos off their ipod, which to me seems like the biggest threat. But also anybody who has jailbroken their iphone might have extra personal information on there that normal iPTs don't have. (Credit cards, passwords, etc.)
I think the OP's advice is really good...everybody should definitely change their password immediately after the jailbreak.
Edit: It would be sweet if we could get nmap on the iPT...
Chris F
Oct 17, 2007, 10:31 AM
Agreed, changing the root password is good but you (and me) are still walking around with a wireless device that has a remote root TIFF exploit.....
mithykal
Oct 17, 2007, 12:05 PM
I changed it, entered the same password twice, and now when I enter it, or alpine, I get access denied, how do I get back into it? Help please
BII
Oct 17, 2007, 05:41 PM
just a thing
for someone to hack your iPod Touch
1) they need to be on the same network
2) they need to know you're on a Touch
3) they need to know UNIX, and how to access it and another device through the Touch
4) you need to have hacked your Touch
now frankly, this is only a risk if you're on a big public network...but yeah...change it to be safe
nicely done hytech.org
umm, i can sit at a place with local wifi, sniff traffic, and pwn iPt/iphones.
and yes, you better believe i changed the password to mine.
Ronnoco
Oct 17, 2007, 06:10 PM
I jailbroke a touch today as a security experiment following guides and instructions on this forum. I just want to let you all know that there is a pretty big omission I have seen from all these tutorials.
They fail to have you change the root password after everything is done.
For those who do not understand the implications to this, you must really do the following.
1) SSH into your Touch
2) Login as root using default password alpine
3) Once you are in the prompt, type the following command: passwd
4) Follow instructions to complete password change.
Here's the deal: If you don't change this, I can SSH into your iphone using the default alpine password - and then play god. :cool:
If you know what's good for you, you'll change it.
http://www.jinx.com/Content/Product/150p_0c_1b.jpg
Changed...Thanks for the heads-up...;)
tourmania
Oct 17, 2007, 08:11 PM
Please Help, I changed the password for ssh for my itouch and now when I try to ssh my iphone it always pops up access denied . What should I do now. I can't ssh my iphone. It only works for my itouch.
savar
Oct 17, 2007, 09:51 PM
Please Help, I changed the password for ssh for my itouch and now when I try to ssh my iphone it always pops up access denied . What should I do now. I can't ssh my iphone. It only works for my itouch.
Did you try restore?
tourmania
Oct 17, 2007, 10:16 PM
What should I restore??? I think it was because I changed the root password, now I can only ssh my itouch and not my iphone because it uses different ip's. It works with the ip address of my itouch and not the ip address for my iphone.
viccles
Oct 18, 2007, 02:40 AM
I honestly have no idea where to start :( I would like to be 100% safe though
jattila4
Oct 19, 2007, 03:50 PM
How do you enter the command: passwrd with Cyberduck on a mac?
CrockettGTO
Oct 19, 2007, 07:36 PM
I am lost. I am using WinSCP. Log in to the touch with default password then what. Open Terminal, open command line??
any help would be great. I already installed the BSD app on the touch
Qianlong
Oct 19, 2007, 09:12 PM
you have to access the Touch via Terminal (Utilities) on your Mac
I'm not sure if you need to have OpenSSH installed on the Touch. It can be found in Installer.app.
in Terminal type
1) ssh -l root xxx.xxx.x.x
xxx.xxx.x.x = your Touch IP address
-l = lower case L (LIMA)
2) enter password = old password = alpine
3) type passwd
4) type in new password (you won't see it on your screen)
5) retype new password
done!
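An added example, not part of Qianlong's post or anyone else's in this thread: a shell check that a root password change actually took effect, by comparing the account file before and after running passwd. The /etc/master.passwd path, the function names and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that running passwd really replaced root's hash.
# Assumption: accounts are stored in a BSD-style colon-separated file
# (user:hash:uid:gid:...), e.g. /etc/master.passwd. That path is not from the thread.
#
# Intended use on the device, in the SSH session opened in step 1:
#   have_passwd || echo "passwd is missing; install the BSD subsystem first"
#   umask 077; cp /etc/master.passwd /var/root/before
#   passwd
#   password_changed /var/root/before /etc/master.passwd && echo "root hash changed"
#   rm /var/root/before

# The "passwd: command not found" replies mean the tool is not on the PATH.
have_passwd() { command -v passwd >/dev/null 2>&1; }

# Print the password-hash field (2nd column) of one account; status 1 if absent.
pw_field() {  # usage: pw_field FILE USER
    awk -F: -v u="$2" '$1 == u { print $2; found = 1; exit }
                       END { exit !found }' "$1"
}

# Status 0: hash differs between snapshots and is usable.
# Status 1: hash unchanged. 2: account missing. 3: field empty or locked.
password_changed() {  # usage: password_changed BEFORE AFTER [USER]
    user=${3:-root}
    old=$(pw_field "$1" "$user") || return 2
    new=$(pw_field "$2" "$user") || return 2
    case $new in
        ''|'*'*|'!'*) return 3 ;;   # nothing a password login could match
    esac
    [ "$old" != "$new" ]
}

# Constructed snapshots with placeholder hashes (not real hash values).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
tail_fields='0:0::0:0:System Administrator:/var/root:/bin/sh'
printf 'root:%s:%s\n' 'PLACEHOLDERold' "$tail_fields" > "$demo_dir/before"
printf 'root:%s:%s\n' 'PLACEHOLDERnew' "$tail_fields" > "$demo_dir/after"
printf 'root:%s:%s\n' '*'              "$tail_fields" > "$demo_dir/locked"

if password_changed "$demo_dir/before" "$demo_dir/after"; then
    echo "root hash changed"
else
    echo "root hash NOT changed"
fi
```

Keep the first SSH session open and confirm the new password from a second session before logging out, so a mistyped password does not lock you out.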
uburoibob
Oct 19, 2007, 09:41 PM
I have to agree with everyone that the likelihood of someone being interested in the root folder on my iPod touch, when there is SUCH fertile ground with all the unprotected laptops everywhere, is minuscule to none.
I am fine.
As far as uninstalling the BSD Subsystem, you don't. The only way to reclaim that 6.6meg of valuable application real estate is to restore your iPod and start all over again - this time not worrying about whether someone's gonna mess with your touch over a network. If they do, you simply restore. It's that easy.
CrockettGTO
Oct 19, 2007, 09:59 PM
you have to access the Touch via Terminal (Utilities) on your Mac
I'm not sure if you need to have OpenSSH installed on the Touch. It can be found in Installer.app.
in Terminal type
1) ssh -l root xxx.xxx.x.x
xxx.xxx.x.x = your Touch IP address
-l = lower case L (LIMA)
2) enter password = old password = alpine
3) type passwd
4) type in new password (you won't see it on your screen)
5) retype new password
done!
Thanks Qianlong. Will it work on a Winders PC?
jattila4
Oct 21, 2007, 06:16 AM
Thanks, I got it. Pretty simple once i knew what to do..haha
ks-man
Nov 18, 2007, 02:14 PM
Rather than changing the password, couldn't you instead just turn off SSH whenever you aren't on a secure network?
I'm not saying this is better than changing the password, but I would assume that nobody could hack into your Ipod if SSH is turned off. Thanks.
bdsmyth
Nov 18, 2007, 06:22 PM
For people who are worried about this issue all they have to do is make sure they have the SSH app on their touch, and turn it off. That way no-one can log onto touch to do anything even if by chance they did happen to be on the same network and knew your exact IP address. It's a much easier and neater solution than messing with command line functions.
Cheers!
ks-man
Nov 18, 2007, 07:58 PM
For people who are worried about this issue all they have to do is make sure they have the SSH app on their touch, and turn it off. That way no-one can log onto touch to do anything even if by chance they did happen to be on the same network and knew your exact IP address. It's a much easier and neater solution than messing with command line functions.
Cheers!
Right, and then you just turn it back on for the 10 mins or so that you want to SFTP to it when you are on a secure network.
That is what I am going to do. Turn it on, do my stuff when I'm on my encrypted network, switch SSH back to off. Then I never have to worry about somebody hacking into my Ipod. They would first have to hack into my network which I think is much more unlikely.