That is already patched.

That by itself only provides user level access, which does not allow the install of a malicious app.

See earlier post about local privilege escalation.

Your post about the PDF vuln only serves to support that you are trying to be an illusionist.
 

> That is already patched.
>
> That by itself only provides user level access, which does not allow the install of a malicious app.
>
> See earlier post about local privilege escalation.
>
> Your post about the PDF vuln only serves to support that you are trying to be an illusionist.

What are you talking about?? I don't even know what "patched" means?? Was this taken care of in an iPad software update? If so, please give me the number so I can have it fixed...

---------- Post added at 04:14 PM ---------- Previous post was at 04:11 PM ----------

PS - I just got off the phone with Amazon.com 'cause one of the items shipped from a 3rd-party store.

They said that "1-Click shopping" was turned on,

so all the hacker had to do was click it and not enter my password for items!!!

That is ALSO why he was not allowed to change the shipping address, 'cause he didn't have my password and "1-Click shopping" was on.... Thank God for that.

---------- Post added at 04:16 PM ---------- Previous post was at 04:14 PM ----------

> That is already patched.
>
> That by itself only provides user level access, which does not allow the install of a malicious app.
>
> See earlier post about local privilege escalation.
>
> Your post about the PDF vuln only serves to support that you are trying to be an illusionist.

munkery, that is so uncalled for. I made a duplicate thread in the apple.com iPad boards and someone posted that PDF article to me, trying to help... I'm only trying to gather information to fix this -- and to make sure it doesn't happen to anyone else... Thanks for being mean and calling me an illusionist. I have done nothing to you except ask for help, thanks...
 
> What are you talking about?? I don't even know what "patched" means?? Was this taken care of in an iPad software update? If so, please give me the number so I can have it fixed...

Patched means fixed. See previous post about staying up to date.

Also, I do not believe Comex has released the source code for that exploit so it is highly unlikely that it was used even if you were not up to date.

> - I just got off the phone with Amazon.com 'cause one of the items shipped from a 3rd-party store.
>
> They said that "1-Click shopping" was turned on,
>
> so all the hacker had to do was click it and not enter my password for items!!!

Sure, the attacker with physical access only had to "click it."

Who had physical access?

> munkery, that is so uncalled for. I made a duplicate thread in the apple.com iPad boards and someone posted that PDF article to me, trying to help... I'm only trying to gather information to fix this -- and to make sure it doesn't happen to anyone else... Thanks for being mean and calling me an illusionist. I have done nothing to you except ask for help, thanks...

Knowledgeable users here have been trying to help by telling you it was someone with physical access to the iPad.

Upon that suggestion, your story evolved to support the implausible scenario you provided. It seems like BS.
 
> Patched means fixed. See previous post about staying up to date.
>
> Also, I do not believe Comex has released the source code for that exploit so it is highly unlikely that it was used even if you were not up to date.
>
> Sure, the attacker with physical access only had to "click it."
>
> Who had physical access?
>
> Knowledgeable users here have been trying to help by telling you it was someone with physical access to the iPad.
>
> Upon that suggestion, your story evolved to support the implausible scenario you provided. It seems like BS.

OK.. just don't be mean, okay?? I'm trying my best here to get to the bottom of it... OK? Thanks for your help.

The only one with physical access is my wife... she was the only one with me, she knows the passcode, the house was locked.

I know I'll be made fun of, but she is totally computer/iPad illiterate; she can barely use Amazon and was right with me talking at 10am in bed while people were ordering stuff from Amazon; the iPad was in the nightstand drawer..

Go with the jokes about my spouse, but I'm just telling the truth about everything...
 
1. Scroll through all your home screens and folders to see if an app with a brown icon named Cydia is installed
2. Check your settings: is there an additional set of settings there that isn't usually? (I'm not jailbroken at the moment, so help me out with that, those of you who are, guys)
3. Check the configuration of the router: is any port forwarding set up? Are there any unknown computers listed in any of the logs?
4. What version of iOS are you using? If 4.3.5, it is extremely unlikely you were hacked.
5. On your home network, open up a Terminal on your Mac when your iPad is connected to the WiFi, check what IP address your iPad is assigned and then type in Terminal:

ssh root@xxx.xxx.xx.x

(replace the X's with your iPad's IP address)

If that prompts you for a password or says something about an untrusted key instead of just timing out, then you have SSH running on a default port and are somehow jailbroken. If it times out, it means you are either not jailbroken or the hacker was smart enough to install SSH on a non-standard port.

WEP is easy to crack, so it is quite plausible that someone joined your network and sniffed out your Amazon session, BUT even then it would be using https, which would prevent a straightforward hack, so they couldn't just hijack your session. A man-in-the-middle attack is possible with https but is quite a sophisticated hack.

I read through a lot in this thread so I can't recall if the browser history on the iPad corresponded with the Amazon purchases?

It is just all so implausible; to accomplish what you are describing, all these events would need to take place:

1. You visit a site that uses the same exploit as jailbreakme.com but uses it for malicious purposes, installing SSH and preventing the device from going to sleep
2. Someone cracks your WEP-based WiFi network and either is just really lucky or they somehow tricked you into visiting the malicious website so they knew to target you
3. They can SSH in and install what packages they want if a VNC server wasn't already installed in Step 1
4. Connect via VNC and use your iPad remotely; they bring up Amazon and see that you are logged in with one-click purchasing, so go crazy but neglect to change the shipping address either through stupidity or on purpose as they knew you were away from home.

That sounds very, very, very far-fetched, hence all the people doubting your story on here.

Now for an extremely personal question... Have your wife and you been having any kind of issues lately? If you didn't somehow make the purchases yourself then the next plausible explanation is she did out of spite or for whatever reason.

Does anyone else know your pin code or potentially have access to the device before it was put to sleep?

It just sounds like someone with physical access has tried to scam you and it wasn't any elaborate hack, as they would have known to do something as simple as clear the browser history.

Anyway gotta run...
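The SSH check from step 5 of the post above, written out as a small Python script. This is an added example, not code from jaseone or anyone else in the thread. It generalizes the single `ssh root@...` attempt to a list of ports and decides by reading the identification string an SSH server sends first on connect, so a daemon moved to a non-default port (the gap the post points out) is caught as long as the port is in the list. The host address, the port list and the banner sent by the local stand-in listener are constructed for the demo; the stand-in exists only so the check can be run offline without a real device.

```python
import socket
import threading

# Constructed banner modelled on the greeting an OpenSSH server sends as soon
# as a TCP connection opens (an assumption for the demo; not captured from any
# real device).
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_5.3p1\r\n"


def probe_ssh(host, port, timeout=2.0):
    """Classify what answers at host:port.

    Returns one of:
      "ssh"        - the peer greeted us with an SSH identification string
      "open-other" - something accepted the connection but did not speak SSH
      "closed"     - the connection was refused (no listener on that port)
      "timeout"    - nothing answered in time (device asleep, firewalled, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                greeting = sock.recv(256)
            except socket.timeout:
                return "open-other"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "timeout"
    # RFC 4253: the server's first line is "SSH-protoversion-softwareversion".
    return "ssh" if greeting.startswith(b"SSH-") else "open-other"


def scan_for_ssh(host, ports, timeout=2.0):
    """Return the subset of ports on host that answer with an SSH banner."""
    return [p for p in ports if probe_ssh(host, p, timeout) == "ssh"]


def start_fake_sshd(banner=FAKE_SSH_BANNER):
    """Start a throwaway listener on 127.0.0.1 that sends an SSH banner and
    hangs up, standing in for a daemon on a jailbroken device so the probe
    can be exercised offline. Returns the ephemeral port it listens on."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    port = server.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_local_port():
    """Pick a port on 127.0.0.1 with nothing listening, to show the
    'closed' outcome (bind to port 0, read the number, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    # Demo against the local stand-in. For a real check, replace the host
    # with the iPad's LAN address (the "xxx.xxx.xx.x" from the post) and
    # pass the ports you want to look at, e.g. [22, 2222].
    ssh_port = start_fake_sshd()
    closed_port = unused_local_port()
    for port in (ssh_port, closed_port):
        print(port, probe_ssh("127.0.0.1", port))
    print("SSH found on:", scan_for_ssh("127.0.0.1", [ssh_port, closed_port]))
```

A "timeout" result is deliberately kept distinct from "closed": a device that is asleep or off the network times out, which says nothing either way, while a refused connection means the port really has no listener.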
 
Were these purchased on a credit or debit card? I'm surprised the transactions weren't flagged as suspicious and blocked. Ordering over $8k worth of stuff in a short period of time is not your (as in the OP) standard buying habits.
 
> It is just all so implausible; to accomplish what you are describing, all these events would need to take place:
>
> 1. You visit a site that uses the same exploit as jailbreakme.com but uses it for malicious purposes, installing SSH and preventing the device from going to sleep
> 2. Someone cracks your WEP-based WiFi network and either is just really lucky or they somehow tricked you into visiting the malicious website so they knew to target you
> 3. They can SSH in and install what packages they want if a VNC server wasn't already installed in Step 1
> 4. Connect via VNC and use your iPad remotely; they bring up Amazon and see that you are logged in with one-click purchasing, so go crazy but neglect to change the shipping address either through stupidity or on purpose as they knew you were away from home.
>
> That sounds very, very, very far-fetched, hence all the people doubting your story on here.

This attack would require:

1) Using the jailbreakme exploit without the source would require packet capturing the exploit via visiting and running jailbreakme.

2) Then reversing the exploit so that a malicious variant can be made.

3) Making a malicious website with that variant that is reliable and does not crash during exploitation.

4) Tricking the user to visit that website? How would you do this?

Or, using a MITM attack with DNS spoofing to redirect the target to the malicious website.

5) Jailbreaking the device and installing Cydia so that a remote shell can be installed. How do you remotely install something to get remote access? Part of the payload?

6) Accessing the system remotely via that shell to setup VNC.

7) Remotely using Safari via VNC to purchase items via Amazon.

All this is dependent on the target not being up to date.

It would be easier to:

1) Covertly collect credentials for Amazon via a MITM attack that strips SSL. This is dependent on the target using Amazon while being targeted by a MITM attack.

2) Make Amazon purchases without alerting the target by leaving clues when remotely accessing the iPad because remotely accessing the iPad is not required using this method.
 
> 1. Scroll through all your home screens and folders to see if an app with a brown icon named Cydia is installed
> 2. Check your settings: is there an additional set of settings there that isn't usually? (I'm not jailbroken at the moment, so help me out with that, those of you who are, guys)
> 3. Check the configuration of the router: is any port forwarding set up? Are there any unknown computers listed in any of the logs?
> 4. What version of iOS are you using? If 4.3.5, it is extremely unlikely you were hacked.
> 5. On your home network, open up a Terminal on your Mac when your iPad is connected to the WiFi, check what IP address your iPad is assigned and then type in Terminal:
>
> ssh root@xxx.xxx.xx.x
>
> (replace the X's with your iPad's IP address)
>
> If that prompts you for a password or says something about an untrusted key instead of just timing out, then you have SSH running on a default port and are somehow jailbroken. If it times out, it means you are either not jailbroken or the hacker was smart enough to install SSH on a non-standard port.
>
> WEP is easy to crack, so it is quite plausible that someone joined your network and sniffed out your Amazon session, BUT even then it would be using https, which would prevent a straightforward hack, so they couldn't just hijack your session. A man-in-the-middle attack is possible with https but is quite a sophisticated hack.
>
> I read through a lot in this thread so I can't recall if the browser history on the iPad corresponded with the Amazon purchases?
>
> It is just all so implausible; to accomplish what you are describing, all these events would need to take place:
>
> 1. You visit a site that uses the same exploit as jailbreakme.com but uses it for malicious purposes, installing SSH and preventing the device from going to sleep
> 2. Someone cracks your WEP-based WiFi network and either is just really lucky or they somehow tricked you into visiting the malicious website so they knew to target you
> 3. They can SSH in and install what packages they want if a VNC server wasn't already installed in Step 1
> 4. Connect via VNC and use your iPad remotely; they bring up Amazon and see that you are logged in with one-click purchasing, so go crazy but neglect to change the shipping address either through stupidity or on purpose as they knew you were away from home.
>
> That sounds very, very, very far-fetched, hence all the people doubting your story on here.
>
> Now for an extremely personal question... Have your wife and you been having any kind of issues lately? If you didn't somehow make the purchases yourself then the next plausible explanation is she did out of spite or for whatever reason.
>
> Does anyone else know your pin code or potentially have access to the device before it was put to sleep?
>
> It just sounds like someone with physical access has tried to scam you and it wasn't any elaborate hack, as they would have known to do something as simple as clear the browser history.
>
> Anyway gotta run...

HOLY CRAP MAN THANK YOU SO MUCH !!!!!!

I think this is what happened:

- I am running 4.3.3

- I must have opened a malicious PDF in iBooks or Amazon, or viewed it on the web

- It probably installed jailbreakme on my iPad

- A kid across the street walking with a laptop hacked our Comcast router on vacation (or somebody else completely different did it)

- Then that person went to my amazon.com, where I was signed in with Safari, and ordered everything using 1-Click, 'cause I ordered a couple of cell phone cases for our new cell phones and it kept me logged in

Does that seem plausible at all?? Anybody??

I am going to drive to work and do a security update on my computer, then connect the iPad and install 4.3.5 - does this sound right, anyone??

I also am going to delete all PDFs from my iPad... The Apple Store Genius told me I had low memory 'cause tons of apps were running in the background, and when he double-clicked the home button only 3 of my apps were running. Crap :(

Is there anything else I need to do??? I feel like ripping that Apple Genius and AppleCare iPad guy a new one for being so stupid; obviously they knew about this and never told me .... :(

Thank you everybody, I might get this fixed, smitt !!

---------- Post added at 05:21 PM ---------- Previous post was at 05:18 PM ----------

> Were these purchased on a credit or debit card? I'm surprised the transactions weren't flagged as suspicious and blocked. Ordering over $8k worth of stuff in a short period of time is not your (as in the OP) standard buying habits.

It was actually only around $4,000, I corrected it in subsequent posts...

and I called the credit card company within 30 minutes of the person doing this,

so there might not have been time to contact me; I had the card cancelled and the account flagged by 11:30am.
 
> This attack would require:
>
> 1) Using the jailbreakme exploit without the source would require packet capturing the exploit via visiting and running jailbreakme.
>
> 2) Then reversing the exploit so that a malicious variant can be made.
>
> 3) Making a malicious website with that variant that is reliable and does not crash during exploitation.
>
> 4) Tricking the user to visit that website? How would you do this?
>
> Or, using a MITM attack with DNS spoofing to redirect the target to the malicious website.
>
> 5) Jailbreaking the device and installing Cydia so that a remote shell can be installed. How do you remotely install something to get remote access? Part of the payload?
>
> 6) Accessing the system remotely via that shell to setup VNC.
>
> 7) Remotely using Safari via VNC to purchase items via Amazon.
>
> All this is dependent on the target not being up to date.
>
> It would be easier to:
>
> 1) Covertly collect credentials for Amazon via a MITM attack that strips SSL. This is dependent on the target using Amazon while being targeted by a MITM attack.
>
> 2) Make Amazon purchases without alerting the target by leaving clues when remotely accessing the iPad because remotely accessing the iPad is not required using this method.

Thanks munkery, I'm not really sure what you said, but it sounds like this would be very hard to do... and why not just do it an easier way and go to town without using my iPad.... Thanks so much for helping me all day munkery, you are an expert...

munkery -- what should I do? Should I go to my work and install the 4.3.5 update??? Do you think I will be okay since I haven't turned the WiFi on the iPad on, on my home network?

Thank you so so so so much... :)
 
If someone was able to do this, why not hang out at a busy coffee shop and have targets come to you?

Your scenario still doesn't make sense.

Did you find Cydia installed on your iPad?

There is no way to remotely unjailbreak and restore your iPad.

In general and in relation to any computing device:

1) Stay up to date.

2) Do not use public or insecure Wifi for security sensitive online activities unless you are able to manually verify the digital certificate of websites with security sensitive logins.

3) Do not let shady people have physical access to your computing device.
 
> If someone was able to do this, why not hang out at a busy coffee shop and have targets come to you?
>
> Your scenario still doesn't make sense.
>
> Did you find Cydia installed on your iPad?
>
> There is no way to remotely unjailbreak and restore your iPad.
>
> In general and in relation to any computing device:
>
> 1) Stay up to date.
>
> 2) Do not use public or insecure Wifi for security sensitive online activities unless you are able to manually verify the digital certificate of websites with security sensitive logins.
>
> 3) Do not let shady people have physical access to your computing device.

But munkery, couldn't I have opened a malicious PDF by mistake and then had jailbreakme installed and given access and control of my 4.3.3 version iPad to them, letting them order stuff from Amazon, if it was in my history?
 
> But munkery, couldn't I have opened a malicious PDF by mistake and then had jailbreakme installed and given access and control of my 4.3.3 version iPad to them, letting them order stuff from Amazon, if it was in my history?

You would have known if jailbreakme 3 was being installed. You would have been kicked out of the current app (Safari), dropped to the homescreen and seen Cydia being loaded like an App Store app. You were not hacked. The PDF exploit was not used upon your iPad.
 
> But munkery, couldn't I have opened a malicious PDF by mistake and then had jailbreakme installed and given access and control of my 4.3.3 version iPad to them, letting them order stuff from Amazon, if it was in my history?

After Cydia is installed, a local user would have to use Cydia to install the remote shell before the attacker could use that remote shell.

Did you install a remote shell using Cydia on your apparently unjailbroken iPad?

I don't think so.
 
This still seems very implausible as two separate events have to take place:

1. You somehow need to open a PDF with the exploit
2. The attacker has to hack your wifi and gain LAN access to your iPad

For 1 can you ever recall surfing the web and some strange PDF popping up that you weren't expecting or did your device ever just reboot while surfing? It is extremely unlikely that someone monitored your browsing and predicted you were going to open a certain PDF and perform a man in the middle attack to redirect you to a malicious PDF.

The kind of steps we are talking about here are at the level of a professional hacker who has been hired to specifically target you; the level of skill involved is well beyond your typical script kiddie, and the types of people that do this do not do hacks like the one you are describing.

Hacking a WEP network is a piece of cake; as long as there is active traffic of some kind on the network it can be hacked in minutes, and if the attacker has a card capable of injecting packets then it is even easier.

Another thing you can do is install Tiny Umbrella and check to see if your device has a SHSH device stored in Cydia; if it does, then it means you have definitely been jailbroken, and if it doesn't, then that doesn't prove anything.

Can you post the history from mobile safari here? What sites were visited? Anything that would help potentially identify the culprit? Someone isn't going to go to all this trouble and do some random web surfing over VNC to your iPad so do the sites visited match the interests of anyone in the house that had physical access?

I think you really need to consider people who had physical access more and not some bizarre hacking incident.
 
While the OP's story may or may not be true, I don't see any justification for dismissing the exploit linked to upthread. From what I understand, after reading the BSI press release, this exploit has only been recently identified and differs from the one out in 2010. It also states that it can be used to grant administrative privileges. (As for tricking people to visit malicious websites, it's not uncommon. I mean, I'm not a complete idiot, and I almost clicked on a pretty sophisticated Visa phishing email today.) If the central IT security service provider for the federal government in Germany is releasing a press release about it and says they're in talks with Apple for issuing a patch, I'm inclined to believe them.

However! It seems unlikely that this is what happened to the OP. As jaseone stated, the hacker(s) would have to be on your wifi network and get you to open a PDF while you are at this specific location. To go to these lengths just to order a couple thousand bucks' worth of stuff off Amazon seems to me to be a disproportionate amount of effort.

I think there's more. At any rate, it's livened up my Friday afternoon somewhat. Especially the mysterious character with a laptop. If he had one arm, I'd say we're ripe for a TV adaptation here. Not to trivialize your problems, OP, but at least your immediate danger has passed with a minimum amount of harm done.
 
It may be possible that the payload was switched from Cydia to OpenSSH, thereby negating the presence of Cydia.

But, still not likely.

Reversing and writing a new exploit from a reversed exploit taken from the wild requires a level of skill that could earn an individual a good legitimate living.

There are so many easier targets in this regard to bother attacking iOS.

If I were going to partake in this sort of crime, I would develop a good string of exploits to target not fully patched Windows systems and then I would hang around busy public wireless locations to gather targets.

Even this type of cyber crime is not that common. Why not inject malicious code into legitimate websites and stay at home instead?

Going after iOS in the manner you present is just not practical.

Criminals do partake in some cost benefit analysis.
 
> Another thing you can do is install Tiny Umbrella and check to see if your device has a SHSH device stored in Cydia; if it does, then it means you have definitely been jailbroken, and if it doesn't, then that doesn't prove anything.

iDevices don't need to be jailbroken to have their SHSH blobs saved to Cydia. TinyUmbrella can request them via Cydia. Although the request through Cydia function has been broken as of iOS 4.3.3.
 
> iDevices don't need to be jailbroken to have their SHSH blobs saved to Cydia. TinyUmbrella can request them via Cydia. Although the request through Cydia function has been broken as of iOS 4.3.3.

Yea, but my point was that if Tiny Umbrella finds one then it has been jailbroken some time in the past, but if it doesn't, that doesn't prove anything.
 
> Yea, but my point was that if Tiny Umbrella finds one then it has been jailbroken some time in the past, but if it doesn't, that doesn't prove anything.

I have iOS 3.1 and 3.1.2 SHSH blobs for my 3Gs. It wasn't jailbroken at all during the time Apple was signing them. Having SHSH blobs doesn't mean it was ever jailbroken.
 
> I have iOS 3.1 and 3.1.2 SHSH blobs for my 3Gs. It wasn't jailbroken at all during the time Apple was signing them. Having SHSH blobs doesn't mean it was ever jailbroken.

Are they stored in Cydia though? That is what I was trying to say: if Cydia has the blobs then at some stage the device must have been jailbroken to visit Cydia. I know you can store the blobs without jailbreaking.
 
> Are they stored in Cydia though? That is what I was trying to say: if Cydia has the blobs then at some stage the device must have been jailbroken to visit Cydia. I know you can store the blobs without jailbreaking.

Yes, they are on Cydia. TinyUmbrella got the 3.1 blobs via Cydia. Because of this, I've never seen the "Make my life easier" button on my 3Gs.
 
While I doubt the OP is lying here, I seriously don't think the "hack" itself was a case of someone hacking the WiFi and the iPad. I'm talking from experience here when I say there are just too many technical obstacles to overcome to make it worthwhile for whoever wanted to do this. The hacker would have had an easier time quietly breaking into the house and getting physical access to the thing as you slept.

Remember the guy didn't anticipate the issue of your Amazon delivery address (which would be a hell of an oversight from someone smart enough to pull off something this elaborate).

Unless your iPad was jailbroken etc etc as already said, the most likely answer is SOMEONE had physical access to it.

I'd reformat and set your iPad up from scratch, and also check your door locks etc!

You mention over 150 visited websites were found on your History, where did this person visit? Do you remember which pages were open?
 
> While I doubt the OP is lying here, I seriously don't think the "hack" itself was a case of someone hacking the WiFi and the iPad. I'm talking from experience here when I say there are just too many technical obstacles to overcome to make it worthwhile for whoever wanted to do this. The hacker would have had an easier time quietly breaking into the house and getting physical access to the thing as you slept.
>
> Remember the guy didn't anticipate the issue of your Amazon delivery address (which would be a hell of an oversight from someone smart enough to pull off something this elaborate).
>
> Unless your iPad was jailbroken etc etc as already said, the most likely answer is SOMEONE had physical access to it.
>
> I'd reformat and set your iPad up from scratch, and also check your door locks etc!
>
> You mention over 150 visited websites were found on your History, where did this person visit? Do you remember which pages were open?

Thank you everybody for your help.... I am about to drive to my work to sync this to 4.3.5.

If I don't want to open my iPad on my home network (airplane mode - no WiFi or 3G), is there a way to tell you some of the sites they visited in my history?? Or do I just have to look at them one by one and type them in here on my laptop??

I know you can take screenshots, but I forget how... I assume I would have to connect my iPad to my WiFi or 3G network to send them as email attachments, or is there an easier way??

Thanks guys, this is all coming full circle almost... smitt :)
 
You would just have to take screenshots by holding the home button and pressing the power button or manually write them down.

It was more in general as to what types of sites were accessed, as, like I said, nobody is going to do general surfing in that manner.
 