**huge Security Risk** Unix Newbs Read Now!

[hytech dot org]

I jailbroke a touch today as security experiment following guides and instructions on this forum. I just want to let you all know that there is a pretty big omission i have seen from all these tutorials.

They fail to have you change the root password after everything is done.

For those who do not understand the implications to this, you must really do the following.

1) SSH into your Touch
2) Login as root using default password alpine
3) Once you are in the prompt, type the following command: passwd
4) Follow instructions to complete password change.

Here's the deal: If you don't change this, I can SSH into your iphone using the default alpine password - and then play god.

If you know what's good for you, you'll change it.

 

[toxicbomber]

Hey thanks!

 

[ebel3003]

Good point, but that's up to the user, it's only music, video, and what I'm doing today. Also, it's unlikely that you would be able to SSH into any random iPod unless you were on the same network, which is also unlikely. Although.. I did change mine right off the bat.

 

[toxicbomber]

Darn... the touch dev site is down.. how do you get into your touch again?

 

[xsedrinam]

I don't have an iPod. ¡Toma!

 

[Quickdood]

I jailbroke a touch today as security experiment following guides and instructions on this forum. I just want to let you all know that there is a pretty big omission i have seen from all these tutorials.

They fail to have you change the root password after everything is done.

For those who do not understand the implications to this, you must really do the following.

1) SSH into your Touch
2) Login as root using default password alpine
3) Once you are in the prompt, type the following command: passwd
4) Follow instructions to complete password change.

Here's the deal: If you don't change this, I can SSH into your iphone using the default alpine password - and then play god.

If you know what's good for you, you'll change it.

I tried that command and I got passwd not found

 

[Mystikal]

PW Changed. Thanks.

 

[ipodtoucher]

PW Changed. Thanks.

same here! thanks!!

 

[Applespider]

I'm giggling since the topic is for Unix newbs most of whom won't have a clue what root is let alone how to follow step 1 - SSHing in

 

[specialk]

hmm i keep getting this message when i try to change my password
-sh: passwd: command not found

what am i doing wrong

 

[druranium]

I'm giggling since the topic is for Unix newbs most of whom won't have a clue what root is let alone how to follow step 1 - SSHing in

Applespider, you'd be surprised how many newbs learned about / and sshing in the last couple of days! ALSO - Are you the only other girl on this board?!?!
I've never seen a demi-goddess before
Regarding the actual topic, I get a passwd: not found too
GOD SAVE THE NEWBS!

 

[REBELinBLUE]

Good point.

For those it isn't working for, ensure you have installed the "Community Sources" package from installer and then "BSD subsystem"

 

[Genghis Khan]

just a thing

for someone to hack your iPod Touch

1) they need to be on the same network
2) they need to know you're on an Touch
3) they need to know UNIX, and how to access it and another device through the Touch
4) you need to have hacked your Touch

now frankly, this is only s risk if you're on a big public network...but yeah...change it to be safe

nicely done hytech.org

 

[druranium]

Good point.

For those it isn't working for, ensure you have installed the "Community Sources" package from installer and then "BSD subsystem"

Rebel thanks very much. I was missing BSD subsystem. now I can change my password.

 

[Arisian]

Good point, but that's up to the user, it's only music, video, and what I'm doing today. Also, it's unlikely that you would be able to SSH into any random iPod unless you were on the same network, which is also unlikely. Although.. I did change mine right off the bat.

I would have to disagree that this is unlikely. Its pretty easy to see all the iPods that are logged in to my network right now. changing the root pw is just a good idea. Don't fool yourself by thinking that the chances are slim, just change your passwords

 

[Quickdood]

I am getting command not found, I am using putty to get into my ipod. I type passwd as soon as I finish logging in. What am I doing wrong?

 

[colonelcack]

I am getting command not found, I am using putty to get into my ipod. I type passwd as soon as I finish logging in. What am I doing wrong?

I have the same problem.

 

[Quickdood]

I have the same problem.

Help please, what are we doing wrong?

 

[REBELinBLUE]

As I said, you need to install the BSD subsystem

 

[Quickdood]

As I said, you need to install the BSD subsystem

Thanks for the response, can I find that in the installer app?

Edit:

Forget it I found it under the installer app, thanks again

 

[bonkiebonks]

gg

How do I uninstall this BSD Subsystem now?

 

[clevin]

Its indeed a risk, however, don't scare people, they are behind a wireless router, they are not exposing their IPs, you can't connect to them easily.

Sure, if safari has some holes for executable codes, thats a different story.

 

[fdmendez]

just a thing

for someone to hack your iPod Touch

1) they need to be on the same network
2) they need to know you're on an Touch
3) they need to know UNIX, and how to access it and another device through the Touch
4) you need to have hacked your Touch

OK, honestly, what are the odds that will happen?

On top of all that, you have to know the iPod's IP address. And on top of all of that, what's the worst they can do? Steal your music?

The reality is that you can have your iPod's IP address painted on your forehead, visit as many public wifi spots as you can in a day, and you still won't get hijacked.

And if you do get hijacked and someone manages to complete the extremely complicated task of connecting to your iPod, they have to do it in the time that you're in the hotspot.

Reality: It's as likely as finding a car key in Disneyland and then heading out to the gigantically huge parking lot to find the car that it belongs to. Once you find the car, you find out you can't even steal the car. It just opens the trunk and maybe, with a little work, you can break the backseat down (with a lot of manual labor) so that you can access what's inside the car and even then the key doesn't start the car. And after all that, you find out that all that's inside the car is a bunch of CDs, a photo album, and a GameBoy Micro. And that's assuming you completed the task before the owner of the car returned to his/her car.

...It's not gonna happen.

 

[California King]

OK, honestly, what are the odds that will happen?

On top of all that, you have to know the iPod's IP address. And on top of all of that, what's the worst they can do? Steal your music?

The reality is that you can have your iPod's IP address painted on your forehead, visit as many public wifi spots as you can in a day, and you still won't get hijacked.

And if you do get hijacked and someone manages to complete the extremely complicated task of connecting to your iPod, they have to do it in the time that you're in the hotspot.

Reality: It's as likely as finding a car key in Disneyland and then heading out to the gigantically huge parking lot to find the car that it belongs to. Once you find the car, you find out you can't even steal the car. It just opens the trunk and maybe, with a little work, you can break the backseat down (with a lot of manual labor) so that you can access what's inside the car and even then the key doesn't start the car. And after all that, you find out that all that's inside the car is a bunch of CDs, a photo album, and a GameBoy Micro. And that's assuming you completed the task before the owner of the car returned to his/her car.

...It's not gonna happen.

haha, awesome metaphor..

 

[rad187]

Reality: It's as likely as finding a car key in Disneyland and then heading out to the gigantically huge parking lot to find the car that it belongs to. Once you find the car, you find out you can't even steal the car. It just opens the trunk and maybe, with a little work, you can break the backseat down (with a lot of manual labor) so that you can access what's inside the car and even then the key doesn't start the car. And after all that, you find out that all that's inside the car is a bunch of CDs, a photo album, and a GameBoy Micro. And that's assuming you completed the task before the owner of the car returned to his/her car. ...

haha, awesome metaphor..

Actually that's not really an accurate metaphor. The problem being that the root user does not simply give you access to the music but to the entire file system on the IPT. This means someone could mess with the actual programs that run the IPT or simply just delete all the files rendering your IPT useless. Also, its not like finding a car key since the key is already known. Perhaps this is a better metaphor...

You leave your car unlocked in a parking lot. Someone opens the door steals all your CD's. Before leaving they pop the hood and remove your engine.

Regardless, hytech is right changing the root password is a very good idea. Don't fool yourself into thinking connecting to the IPT is complicated. It is actually extremely easy especially to anyone with moderate Linux/Unix experience.

Bottom line change you root password 2 seconds of work now could save you a huge headache later.