New Malicious Worm Affects Jailbroken iPhones in Netherlands

[SimonTheSoundMa]

cheers, changed my root password to one I know. However user 'mobile' doesn't work.

#passwd mobile
Changing password for mobile.
Old password: [i]dottie[/i]
Sorry

Doesn't like password dottie.

On iPhone open Cydia; Icy or Rock, and download MobileTerminal. Open MobileTerminal and enter the following commands (without the quotes and followed by a return).
'login root'
'alpine'
'passwd'
'my_new_root_password' (new password, 2x)
'login mobile'
'dottie'
'passwd'
'dottie' (old password)
'my_new_password' (new password, 2x)
Done (dont forget the new passwords ;-).

It's obvious jailbreak software should incorporate obligatory password change, but users must still be aware that more freedom comes with greater responsibilities.

 

[50548]

http://support.apple.com/kb/HT3743

Unauthorized modification of iPhone OS has been a major source of instability, disruption of services, and other issues

Last Modified: July 30, 2009
Article: HT3743

As designed by Apple, the iPhone OS ensures that the iPhone and iPod touch operate reliably. Some customers have not understood the risks of installing software that makes unauthorized modifications to the iPhone OS ("jailbreaking") on their iPhone or iPod touch. Customers who have installed software that makes these modifications have encountered numerous problems in the operation of their hacked iPhone or iPod touch. Examples of issues caused by these unauthorized modifications to the iPhone OS have included the following:


Device and application instability: Frequent and unexpected crashes of the device, crashes and freezes of built-in apps and third-party apps, and loss of data.

Unreliable voice and data: Dropped calls, slow or unreliable data connections, and delayed or inaccurate location data.

Disruption of services: Services such as Visual Voicemail, YouTube, Weather, and Stocks have been disrupted or no longer work on the device. Additionally, third-party apps that use the Apple Push Notification Service have had difficulty receiving notifications or received notifications that were intended for a different hacked device. Other push-based services such as MobileMe and Exchange have experienced problems synchronizing data with their respective servers.

Compromised security: Security compromises have been introduced by these modifications that could allow hackers to steal personal information, damage the device, attack the wireless network, or introduce malware or viruses.

Shortened battery life: The hacked software has caused an accelerated battery drain that shortens the operation of an iPhone or iPod touch on a single battery charge.

Inability to apply future software updates: Some unauthorized modifications have caused damage to the iPhone OS that is not repairable. This can result in the hacked iPhone or iPod touch becoming permanently inoperable when a future Apple-supplied iPhone OS update is installed.

Apple strongly cautions against installing any software that hacks the iPhone OS. It is also important to note that unauthorized modification of the iPhone OS is a violation of the iPhone end-user license agreement and because of this, Apple may deny service for an iPhone or iPod touch that has installed any unauthorized software.

Thank you for trying to enlighten the benighted ones that jailbreak their phones and STILL complain about Apple's tight control of the app store...these malware couldn't come soon enough for those who ask for them.

And of course, congratulations to Apple for standing to its policy, which is MORE than wise in this context.

 

[Speedy2]

Well this mess is showing me one thing. The basic security in the iPhone is pretty much crap and apple knows it. Hence the reason they are locking it down so tightly.

It's funny how you ALWAYS find a way to blame ANYTHING that happens around Macs or iPhones on Apple, most of the time via absurd deductions. Why are you here at Macrumors, when it's so obvious that you must thoroughly dislike anything Apple? I really wonder.

About your statement: All systems that are not locked down are inherently unsafe. Some more, some less. But no open system is even remotely safe. No Windows, no Mac OS, no Linux. I know that you will claim now that Mobile Operating System X is so much safer than iPhone OS and Apple screwed it all up, which is complete nonsense, since you have nothing to back that up. The worm doesn't even exploit any security holes, but walks in thru doors, which were deliberately opened by the users themselves. Apple had good reasons to choose a locked down system. So far, this approach was beneficial for the common customer. The l33t guys can still jailbreak. It's not that Apple is sueing anyone of them, is it?

 

[*LTD*]

Well this mess is showing me one thing. The basic security in the iPhone is pretty much crap and apple knows it. Hence the reason they are locking it down so tightly.

Apple could solve a lot of there bad press problem with jail breakers by giving them the basic features many of them are after or at least the common users are after.

1. Customizable themes,
2. Change the SMS sound

Minor things remove a lot of the incentive to jailbreak and leave it only to the more hard core geeks that know what they are doing. Apple current set up limits the iPhone so badly that the common users want to jail break and when they reach that point people do stupid things like not changing a default password.

Nearly every manufacturer advises against tampering and/or that such tampering voids your warranty and could lock you out of support.

Common users want to jailbreak?? I'll wager that the average iPhone user has no idea what it is and has no interest in doing it.

 

[nealric]

Unauthorized modification of iPhone OS has been a major source of instability, disruption of services, and other issues

Got to love corporate FUD

Thank you for trying to enlighten the benighted ones that jailbreak their phones and STILL complain about Apple's tight control of the app store...these malware couldn't come soon enough for those who ask for them.

THANK YOU SO MUCH SIR! I'm so "enlightened" now about my jailbroken phone. I guess I will just give up my multitasking, customized lockscreen, and tethering. Sure, my phone has never had the slightest problem, but because apple says it might crash and a few hundred people in a foreign country who didn't bother to change their password got a virus I suppose I should be terrified.

You jailbreak your iPhone, you get what you deserve!

I actually agree with this. I do deserve full control over a device I paid good money for. With jailbreaking, I got it

 

[*LTD*]

Got to love corporate FUD



THANK YOU SO MUCH SIR! I'm so "enlightened" now about my jailbroken phone. I guess I will just give up my multitasking, customized lockscreen, and tethering. Sure, my phone has never had the slightest problem, but because apple says it might crash and a few hundred people in a foreign country who didn't bother to change their password got a virus I suppose I should be terrified.

It's a standard security warning. It makes complete sense for Apple to have posted it. Not FUD at all. It's for the protection of the consumer and to address Apple's liability in the matter as well. I should think customers have a right to know.

Is the OS X EULA "FUD" as well?? Because that FUD was just upheld in court.

Apple strongly cautions against installing any software that hacks the iPhone OS. It is also important to note that unauthorized modification of the iPhone OS is a violation of the iPhone end-user license agreement and because of this, Apple may deny service for an iPhone or iPod touch that has installed any unauthorized software.

 

[bytethese]

cheers, changed my root password to one I know. However user 'mobile' doesn't work.

#passwd mobile
Changing password for mobile.
Old password: [i]dottie[/i]
Sorry

Doesn't like password dottie.

That's because mobile's password is also "alpine".

 

[nealric]

I should think customers have a right to know.

Know what?
You hack things, you can break them. This is common sense.

But "the sky is falling" warnings they released are just an attempt to scare people away.

Is the OS X EULA "FUD" as well?? Because that FUD was just upheld in court.

What does the upholding of one clause of a contract have anything to do with a completely different contract?

 

[coolbreeze]

I have a jailbriloken 3gs.
I have ING Direct.
I logged into my account last night.

This is what I needed to read for me to un-jailbreak.

 

[tabasco70]

So how do you change the password?

 

[coolbreeze]

So how do you change the password?

http://www.f-secure.com/weblog/archives/cydia.htm

 

[nealric]

I have a jailbriloken 3gs.
I have ING Direct.
I logged into my account last night.

This is what I needed to read for me to un-jailbreak.

How about just changing the password?

 

[Rodimus Prime]

Nearly every manufacturer advises against tampering and/or that such tampering voids your warranty and could lock you out of support.

Common users want to jailbreak?? I'll wager that the average iPhone user has no idea what it is and has no interest in doing it.

With huge worms like this running a muck and spreading it tells me that Jail breaking as entered into the common user area and left the geek area.

When you start kissing the common user group worms used basic default crap like this take off. No way around that argument.

You do not have to look much farther than these forums to see people who jail broke for basic things like Customizable themes and custom SMS tones. Even on the themes it was to add BASIC functions to the phone.

Apple should take page out of microsofts book and look at what the jailbreakers/modders are doing and see why people are doing it and give it to them. Kills a lot of the inctivives to jail break.
The modding I am talking about is look at the Xbox compared to the 360. I personally knew a lot of people who modded there Xbox so they could turn it into a media center. Stream movies and music off there desktop or play files locally on the Xbox. Microsoft saw this and choose to open it to allow those things on the 360. Killed a lot of the incentives to mod it since now they gave the users the functions they wanted that did not involved playing pirated games.

Apple should do the same. If for no other reason than to stop this bad press. It does not matter if it is a jail broken phone because people will see iPhone hacked and it is dangous. If apple gave in to the basic functions it would greatly reduce the numbers of people wanting to jail break.

 

[RazHyena]

Fanatic fanboy "serves you jailbreakers right" shenannigans in 3....2...oh wait, I'm too late.


Anyway, I was hoping we'd see another nemesis with the next iPhone worm appear after Rick Astley. I was hoping for maybe Pedobear or Moot.

 

[Habakuk]

For those of us with jailbroken iPhones, I think hte most important point is:

1. how do you establish whether or not you have SSH installed?
2. how do you change the default password?

Many applications install other services whilst installing themselves - I'm not 100% sure I've not had SSH downloaded by another application.

Yes. Very interesting and important.

Back when I used to do it, installation of SSH was a checkbox or an option you could select to do (or was selected by default, but was at the very least an option on many of the jailbreak methods/apps). I suppose it depends on what they do these days.

Please more on this. Let's work that out. How do you install SSH on jb iPhone? Screenshots please. Thx in advance.

So how do you change the password?

One single page previous:

https://forums.macrumors.com/posts/8860843/

What happens when you install openSSH, forget to change passwords and un-jailbreak via iTunes restore? Open or close? (The latter I guess.)

 

[coolbreeze]

How about just changing the password?

It's just not worth it at this point. Sure streaming Slingbox via 3g is neat but I just can't risk my life savings to do it (no I don't need a lecture about jailbreaking or storing my $ in ING).

Say I change my password. What's next? Hackers never rest.

 

[3N16MA]

Simply change the default password or don't install OpenSSH. This is something that is not necessary to jailbreak your iPhone.

 

[kAoTiX]

Average Joe user does not jailbreak, and there is no security software for them because without JBing they don't need any; however, there is security software for JBen phones. Hopefully the next version of OpenSSH will automate changing the password.

Exactly my point to some degree. Although I have people who jailbreak for themes and know nothing more. They're average joe users for sure.

 

[bruinsrme]

With huge worms like this running a muck and spreading it tells me that Jail breaking as entered into the common user area and left the geek area.

When you start kissing the common user group worms used basic default crap like this take off. No way around that argument.

You do not have to look much farther than these forums to see people who jail broke for basic things like Customizable themes and custom SMS tones. Even on the themes it was to add BASIC functions to the phone.

Apple should take page out of microsofts book and look at what the jailbreakers/modders are doing and see why people are doing it and give it to them. Kills a lot of the inctivives to jail break.
The modding I am talking about is look at the Xbox compared to the 360. I personally knew a lot of people who modded there Xbox so they could turn it into a media center. Stream movies and music off there desktop or play files locally on the Xbox. Microsoft saw this and choose to open it to allow those things on the 360. Killed a lot of the incentives to mod it since now they gave the users the functions they wanted that did not involved playing pirated games.

Apple should do the same. If for no other reason than to stop this bad press. It does not matter if it is a jail broken phone because people will see iPhone hacked and it is dangous. If apple gave in to the basic functions it would greatly reduce the numbers of people wanting to jail break.

Great example. I can't speak for the rest of the world but within the circle of friends that hacked the original xbox haven't touched our 360s.

Unfortunately, I wouldn't expect apple to ever support the customer base in allowing such modifications as this will take away from their control, product recognition (because apple has stated apple customers can become confused easily) and additional resources to maintain the increased demands on the infrastructure to support the platform.
That is Apple's option and hence the continuing game of cat and mouse.

As we see more and more advances in the operability in the the jailbreak world, widgets, multiflow, advances in theming and etc, more and more people will jailbreak and more and more worms will be introduced.

 

[Habakuk]

Very good idea to add the link to the signature in all iPhone forums where you are posting (I will go to Touch Arcade next—it's done in one minute). Thx to Mac Rumors user and Demi-God bruinsme!

 

[bruinsrme]

Very good idea to add the link to the signature in all iPhone forums where you are posting (I will go to Touch Arcade next—it's done in one minute). Thx to Mac Rumors user and Demi-God bruinsme!

Note that I also posted a link to apples warning.
I hope it helps others understand and also protect themselves if they choose to jailbreak.
Yes I jailbreak.

 

[Habakuk]

Note that I also posted a link to apples warning.
I hope it helps others understand and also protect themselves if they choose to jailbreak.

Added Apple Support link to the summary page because I have no more free letters left in my sig and it's a good idea as well.

Yes I jailbreak.

It may happen that I jailbreak sooner or later.

 

[Applejuiced]

Well said.
As long as the user changes the root password there is nothing any worms or hackers can do to your iphone.
So save yourself any headaches and secure your device.
Dont leave the default password to "alpine"

Well, it's entirely the user's fault for not changing the root password for SSH.

It's like setting up a machine with no firewall and setting up SSH to be usable directly by root, with the root password as 'root.' Who would do that? Only a fool.

 

[smythey]

For those of us with jailbroken iPhones, I think hte most important point is:

1. how do you establish whether or not you have SSH installed?
2. how do you change the default password?

Many applications install other services whilst installing themselves - I'm not 100% sure I've not had SSH downloaded by another application.

Anybody? If you don't have "SSH" or "MobileTerminal" in your Cydia Packages list, does that confirm it definitely isn't installed?

 

[jav6454]

http://news.bbc.co.uk/1/hi/technology/8373739.stm

This one looks a looks a bit nasty!

Yes, yet it won't affect me as I don't have OpenSSH installed.... honestly, if you put in OpenSSH, be sure to change your root password. If you don't what that password is, it's alpine.

Switch it!