**huge Security Risk** Unix Newbs Read Now!

Discussion in 'iPod touch Hacks' started by hytech dot org, Oct 11, 2007.

  1. hytech dot org macrumors newbie

    Oct 11, 2007
    I jailbroke a touch today as security experiment following guides and instructions on this forum. I just want to let you all know that there is a pretty big omission i have seen from all these tutorials.

    They fail to have you change the root password after everything is done.

    For those who do not understand the implications to this, you must really do the following.

    1) SSH into your Touch
    2) Login as root using default password alpine
    3) Once you are in the prompt, type the following command: passwd
    4) Follow instructions to complete password change.

    Here's the deal: If you don't change this, I can SSH into your iphone using the default alpine password - and then play god. :cool:

    If you know what's good for you, you'll change it.

  2. ebel3003 macrumors 6502a


    Jun 20, 2007
    "The Google"
    Good point, but that's up to the user, it's only music, video, and what I'm doing today. Also, it's unlikely that you would be able to SSH into any random iPod unless you were on the same network, which is also unlikely. Although.. I did change mine right off the bat.
  3. toxicbomber macrumors 6502a

    Jun 19, 2006
    Darn... the touch dev site is down.. how do you get into your touch again?
  4. xsedrinam macrumors 601


    Oct 21, 2004
  5. Quickdood macrumors regular

    Aug 17, 2007
    I tried that command and I got passwd not found
  6. Mystikal macrumors 68020


    Oct 4, 2007
    Irvine, CA
  7. ipodtoucher macrumors 68000


    Sep 13, 2007
    Cedar Park, TX
    same here! thanks!!
  8. Applespider macrumors G4


    Jan 20, 2004
    looking through rose-tinted spectacles...
    I'm giggling since the topic is for Unix newbs most of whom won't have a clue what root is let alone how to follow step 1 - SSHing in
  9. specialk macrumors newbie

    Jun 4, 2006
    hmm i keep getting this message when i try to change my password
    -sh: passwd: command not found

    what am i doing wrong :confused:
  10. druranium macrumors member

    Sep 17, 2007
    Applespider, you'd be surprised how many newbs learned about / and sshing in the last couple of days! ALSO - Are you the only other girl on this board?!?!
    I've never seen a demi-goddess before ;)
    Regarding the actual topic, I get a passwd: not found too
  11. REBELinBLUE macrumors regular

    Oct 2, 2007
    London, UK
    Good point.

    For those it isn't working for, ensure you have installed the "Community Sources" package from installer and then "BSD subsystem"
  12. Genghis Khan macrumors 65816

    Genghis Khan

    Jun 3, 2007
    Melbourne, Australia
    just a thing

    for someone to hack your iPod Touch

    1) they need to be on the same network
    2) they need to know you're on an Touch
    3) they need to know UNIX, and how to access it and another device through the Touch
    4) you need to have hacked your Touch

    now frankly, this is only s risk if you're on a big public network...but yeah...change it to be safe

    nicely done hytech.org
  13. druranium macrumors member

    Sep 17, 2007
    Rebel thanks very much. I was missing BSD subsystem. now I can change my password.
  14. Arisian macrumors 68000


    Sep 14, 2007
    I would have to disagree that this is unlikely. Its pretty easy to see all the iPods that are logged in to my network right now. changing the root pw is just a good idea. Don't fool yourself by thinking that the chances are slim, just change your passwords ;)
  15. Quickdood macrumors regular

    Aug 17, 2007
    I am getting command not found, I am using putty to get into my ipod. I type passwd as soon as I finish logging in. What am I doing wrong?
  16. colonelcack macrumors newbie

    Oct 6, 2007
    I have the same problem. :confused:
  17. Quickdood macrumors regular

    Aug 17, 2007
    Help please, what are we doing wrong?
  18. REBELinBLUE macrumors regular

    Oct 2, 2007
    London, UK
    As I said, you need to install the BSD subsystem
  19. Quickdood macrumors regular

    Aug 17, 2007
    Thanks for the response, can I find that in the installer app?


    Forget it I found it under the installer app, thanks again
  20. bonkiebonks macrumors newbie

    Mar 10, 2007
    Auckland, NZ

    How do I uninstall this BSD Subsystem now? :mad:
  21. clevin macrumors G3


    Aug 6, 2006
    Its indeed a risk, however, don't scare people, they are behind a wireless router, they are not exposing their IPs, you can't connect to them easily.

    Sure, if safari has some holes for executable codes, thats a different story.
  22. fdmendez macrumors member

    Jul 3, 2007
    OK, honestly, what are the odds that will happen?

    On top of all that, you have to know the iPod's IP address. And on top of all of that, what's the worst they can do? Steal your music?

    The reality is that you can have your iPod's IP address painted on your forehead, visit as many public wifi spots as you can in a day, and you still won't get hijacked.

    And if you do get hijacked and someone manages to complete the extremely complicated task of connecting to your iPod, they have to do it in the time that you're in the hotspot.

    Reality: It's as likely as finding a car key in Disneyland and then heading out to the gigantically huge parking lot to find the car that it belongs to. Once you find the car, you find out you can't even steal the car. It just opens the trunk and maybe, with a little work, you can break the backseat down (with a lot of manual labor) so that you can access what's inside the car and even then the key doesn't start the car. And after all that, you find out that all that's inside the car is a bunch of CDs, a photo album, and a GameBoy Micro. And that's assuming you completed the task before the owner of the car returned to his/her car.

    ...It's not gonna happen.
  23. California King macrumors 65816

    Sep 20, 2007
    haha, awesome metaphor..
  24. rad187 macrumors newbie

    Oct 17, 2007
    Actually that's not really an accurate metaphor. The problem being that the root user does not simply give you access to the music but to the entire file system on the IPT. This means someone could mess with the actual programs that run the IPT or simply just delete all the files rendering your IPT useless. Also, its not like finding a car key since the key is already known. Perhaps this is a better metaphor...

    You leave your car unlocked in a parking lot. Someone opens the door steals all your CD's. Before leaving they pop the hood and remove your engine.

    Regardless, hytech is right changing the root password is a very good idea. Don't fool yourself into thinking connecting to the IPT is complicated. It is actually extremely easy especially to anyone with moderate Linux/Unix experience.

    Bottom line change you root password 2 seconds of work now could save you a huge headache later.

Share This Page