LOL, why on earth have you got geek in your username if you're going to post a question like that?
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
New Malicious Worm Affects Jailbroken iPhones in Netherlands
- Thread starter John89
- Start date
- Sort by reaction score
LOL, why on earth have you got geek in your username if you're going to post a question like that?
Well it could be the other Cell Vendors, they want to sell THEIR phones they don't want you buying iPhones and putting them on their network unless they get more of piece of Pie...
Apple haters. There are still people back in the old IBM vs. Apple Wars in the 80's and they are not happy that Apple is on the comeback. They may not be able to hack normal iPhones but they can get jail broken ones so they will. Just to feel special.
Security Nuts (Black hat hackers). They feel like a big man when they show a security flaw.
People with a point. People don't really want to jail break their phones. But they want the following... Being to install any app they want, use any carrier they want... Making the Iphone considered insecure may force apple to allow such features on their more secure platform... Probably not but most people arn't rational.
Unfortunately, this will just result in a bunch of iPhones with passwords of "my_new_root_password" and "my_new_password"
Nonsense. Not only is the idea a stupid one, but they would open themselves up to legal action.
I cant find a motive someone who uses an iphone for banking etc would never consider jailbreaking all there getting is teenagers who care less about personal info.
My iPhone isn't jailbroken and I suffer from 4 out of 6 of those problems.
Device and application instability
Unreliable voice and data
Disruption of services
Shortened battery life
Hmmm...?
So to have a problem you have to:
1. Jailbreak your phone, thereby compromising it's built-in security.
2. Add some softeware that Apple has not checked for security.
3. Further compromise the security of your iPhone by using the default password.
4. Use the above totally unsecure iPhone for banking purposes.
5. Bank at ING that has its own security issue.
Stupid is as stupid does.
So to have a problem you have to:
1. Jailbreak your phone, thereby compromising it's built-in security.
2. Add some softeware that Apple has not checked for security.
3. Further compromise the security of your iPhone by using the default password.
4. Use the above totally unsecure iPhone for banking purposes.
5. Bank at ING that has its own security issue.
Stupid is as stupid does.
STEP-BY-STEP GUIDES SUMMARY on how to change SSH default passwords after jailbreak
Recommended guides
Other guides (the first two are illustrated)
Further reading
Five important hints
*) How to establish whether or not SSH Daemon is installed
**) Recommended Password Assistant in Mac OS X (10.4 Tiger or newer)
For mobile devices there is a password generator available in the highly rated third-party app 1Password Pro (free until December 1st, 2009). App Store Link via App Shopper.com.
There are several web-based password generators in the net but be careful with that. Avoid capital letter O and number 0, letters I, l, i, j, number 1 and special characters like | (alt+7), /, \, -, , and _, ', ` and ´, those can be easily confused when reading, writing and typing; depends on fontsuse Courier.
Gibson Research Corporation: GRC's Ultra High Security Password Generator
- Don't install OpenSSH (Cydia link for your information*) after jailbreak unless you know exactly what you are doing
- If you can't avoid SSH by all means follow urgently one of the step-by-step guides
Recommended guides
- cydia.saurik.com: Change default password
Saurik aka Jay Freeman is the developer of the app Cydiaa downloader, installer and repository after jailbreak. "cd" means "change directory". (Tutorial designed for mobile browsers.)
- The same mirrored/cached at IT security company F-Secure
- Simple fix: IF jailbreak AND ssh THEN change passwords by MacRumors user Adam Young earlier in this thread with comment by iSee (completed subject).
Other guides (the first two are illustrated)
- Blog iClarified: How to Change the Root Password on Your iPhone
The tutorial hoster iClarified is missing something: You also need to change the password for the 'mobile' account, or you're still vulnerable!
- Computer magazine Macworld: Secure your jailbroken iPhone with a password changemind the update in the Macworld article!
- Blog Extra Future: How To: Change Your iPhone's Root Password
You can change the iPhone SSH passwords also using a Mac or PC in the same WiFi network. Again missing user 'mobile' in this old tutorial by Extra Future, add that. However it's highly recommended to change the passwords directly on the iPhone before activating OpenSSH (see "Five important hints" below)!
Further reading
- Wikipedia: Secure Shell (SSH, OpenSSH), Jailbreak, Cydia
- OpenSSH.org
- MacRumors.com: New Malicious Worm Affects Jailbroken iPhones in Netherlands [Updated x2]
Cites IT security company Intego: "The worm sends both network information about the iPhone and SMSs to the remote server. It is capable of downloading data, including executables that it uses to run and carry out its actions, as well as new files, providing botnet capabilities to infected devices"
- View entire thread here at MacRumors Forum from the very beginning
- Apple Support: Unauthorized modification of iPhone OS has been a major source of instability, disruption of services, and other issuesMacRumors user and jailbreaker bruinsme calls it: "HEED to Apple's warnings, you jailbreaking thieving criminals"
Five important hints
- Note: If you mess up something or forget your new passwords, youll probably have to do a factory reset on your phone.
- It is not enough when you disable SSH in SBSettings because it will activate from alone after a restart of the iPhone or on other occasions (p. e. a "respring" with the patched app SpringBoard) and you probably won't recognize that. SBSettings (Cydia link) is a switchboard app available after jailbreak. Information at Wikipedia on SpringBoard.
- Most important! <paranoid mode ON> After the iPhone has already been on the net with the default passwords the phone could well have already gotten a nasty backdoor (Wiki) and rootkit (Wiki) installed, and is now 0wn3d by some botnet (Wiki). Changing the SSH passwords now does nothing to clean up that mess! Only way to clean up for sure is to reinstall a new OS using DFU mode (Device Firmware Update), and set up the device as new (iClarified: How to Put an iPhone Into DFU Mode). (Thanks to MacRumors user firewood.) </paranoid mode OFF>
- If you don't need it any moredelete OpenSSH immediately via Cydia because most passwords are weak! **)
- Note: Any Apple iPhone operating system update or restore will set the passwords for both accounts "root" and "user" back to default "alpine" and "dottie", respectively.
*) How to establish whether or not SSH Daemon is installed
- Open Terminal.app (on Mac OS X) or Mobile Terminal (on jailbroken iPhones; Cydia link)
- Type nothing but which sshd after the prompt ($), "sshd" means "secure shell daemon"
- Hit Return key
- Terminal will tell you in the next line something like "/usr/sbin/sshd" when SSH is installed, otherwise you'll get an error message
- Quit Terminal by typing exit after the prompt and hit Return (thanks to MacRumors user Infrared)
**) Recommended Password Assistant in Mac OS X (10.4 Tiger or newer)
- Choose System Preferences... from the Apple menu
- Look for the headline System, click Accounts; then click the Password tab
- To access Password Assistant, click the Key icon you see when changing or adding a password to an user account
- Memorable (the most useful)
- Letters & Numbers
- Numbers Only
- Random
- FIPS-181 Compliant (not recommended but better than nothing)
For mobile devices there is a password generator available in the highly rated third-party app 1Password Pro (free until December 1st, 2009). App Store Link via App Shopper.com.
There are several web-based password generators in the net but be careful with that. Avoid capital letter O and number 0, letters I, l, i, j, number 1 and special characters like | (alt+7), /, \, -, , and _, ', ` and ´, those can be easily confused when reading, writing and typing; depends on fontsuse Courier.
Gibson Research Corporation: GRC's Ultra High Security Password Generator
Add the link of this reference to your signature
in all iPhone-related forums, blogs and other social groups
where you participate!
in all iPhone-related forums, blogs and other social groups
where you participate!
Not really, and the article itself kind of refutes your anecdotal evidence. The problems are out there, whether you've experienced them or not.
If you read beyond the bold headlines you'll see that you really don't have those problems, except as they may relate to poor AT&T service.
You're implying that iPhone (or computer) users are not fools. You're supposed to presume they are a fool and help them out.
Windows comes with a built in firewall (lol) and malware scanner (lol again)
If you think that when someone installs something on their pc/phone that could be harmful if not setup correctly then you should take steps to help the user out to avoid problems.
How hard is it to require a password change upon installing SSH realistically?
For a start, there is no anti-virus or firewall for the iPhone so average joe user cannot protect themselves as they would with a computer.
Windows comes with a built in firewall (lol) and malware scanner (lol again)
If you think that when someone installs something on their pc/phone that could be harmful if not setup correctly then you should take steps to help the user out to avoid problems.
How hard is it to require a password change upon installing SSH realistically?
For a start, there is no anti-virus or firewall for the iPhone so average joe user cannot protect themselves as they would with a computer.
Nothing new
You have this right. The hacker community is like any other den of thieves, the eventually start fighting each other since there is a lack of ethics and honor. I'm sure this virus is retribution from some face off that went down. Worst, over a girl.
You jailbreak your iPhone, you get what you deserve!
You have this right. The hacker community is like any other den of thieves, the eventually start fighting each other since there is a lack of ethics and honor. I'm sure this virus is retribution from some face off that went down. Worst, over a girl.
You jailbreak your iPhone, you get what you deserve!
police, maybe, but seeing apple get involved in any way to try and "fix" this situation i seriously doubt. the "fix" is already out there...don't jailbreak, and if you do, make sure you don't use default passwords with any software you may install. end of story
Wow - such sad, uninformed people...
Nobody I know who has jailbroken their iphones does it to steal anything - they do it to add functionality and ease of use that Apple SHOULD HAVE already built in to the device.
Seriously - Apple - put in functionality like SBSettings so that I can turn on/off bluetooth without going through several settings menus. Put in the functionality of Backgrounder so that I can check my email while playing Pandora - is that so hard?
Yeah, I'm wondering all right. But it my thoughts have nothing to do with Apple or jailbroken iPhones.
Mark
It's essentially true. You assume the risks, and if you get burned that's your problem. But don't expect Apple to approve of it, and don't be surprised when they advise against it.
Average Joe user does not jailbreak, and there is no security software for them because without JBing they don't need any; however, there is security software for JBen phones. Hopefully the next version of OpenSSH will automate changing the password.
Well this mess is showing me one thing. The basic security in the iPhone is pretty much crap and apple knows it. Hence the reason they are locking it down so tightly.
Apple could solve a lot of there bad press problem with jail breakers by giving them the basic features many of them are after or at least the common users are after.
1. Customizable themes,
2. Change the SMS sound
Minor things remove a lot of the incentive to jailbreak and leave it only to the more hard core geeks that know what they are doing. Apple current set up limits the iPhone so badly that the common users want to jail break and when they reach that point people do stupid things like not changing a default password.
Apple could solve a lot of there bad press problem with jail breakers by giving them the basic features many of them are after or at least the common users are after.
1. Customizable themes,
2. Change the SMS sound
Minor things remove a lot of the incentive to jailbreak and leave it only to the more hard core geeks that know what they are doing. Apple current set up limits the iPhone so badly that the common users want to jail break and when they reach that point people do stupid things like not changing a default password.
What part is true the fanboyism?
The risks are known. Many use this and other forums to stay up to date on what's going on in the world of apple products. Many here are trying to help people from getting burned and not wishing ill will on those that choose to extend the capabilities of their phone, like some posting in this thread are.
Apple approve of it. Who's asking apple to approve of it?
Advise against it, cmon I have a warning/link is in my signature....
Are we going to see "zombiPhones" -- iPhones taken over by malware without their owner's knowlege, then later used remotely by hackers whenever they want?