this 'tool', that 'tool'.... so the name of this 'tool' is...?

....what a joke of an article.
 
No. If you are online with 3G, Edge, or Wifi, you are online and open.

But if you changed from "alpine", you are at least safer....

How much safer would it be if I completely uninstall SSH and only re-install it when I need to use it (which is rarely)?
 
Phoneview

Simple solution... don't install SSH... Use PhoneView... much easier than SSH anyway...

Sorry... Mac only though... TouchCopy is for Windows users...
 
How much safer would it be if I completely uninstall SSH and only re-install it when I need to use it (which is rarely)?

Just disable SSH while you're not using it...you don't need to uninstall it. If the service isn't available to connect to you are fine.

Step 1 is changing your password so that if anyone gets on it while SSH is enabled...they can't login. Not doing this is like leaving your keys in your car with the doors unlocked.

Step 2 is only using SSH when you need it, and disabling it when you don't. Not doing this is like leaving your car doors unlocked but NOT leaving the keys in your car.
 
How much safer would it be if I completely uninstall SSH and only re-install it when I need to use it (which is rarely)?

If you did that but did not change the password, it all depends on how widely the exploit is circulating / trying to attack phones. It's better to change the password than just uninstall/reinstall SSH because if you do the latter, you remain vulnerable during the time when you've got it installed, but if you do the latter, at least for this type of exploit, with a typical strong root password you are not vulnerable.
 
Since ssh is not installed by default when jailbreaking anymore the real onus should be on the ssh package installer instead.

True, but it's the jailbreak process that sets the root password to alpine, not the ssh installer. Perhaps the jailbreaking tools should prompt for new password during the ipsw build or when you press the 'make it rain' button, etc.
 
Install SSHD, don't change your root password, get pwned.

How is this news exactly? This is like complaining that someone stole your car after you left it running in the parking lot with a "FREE CAR" sign on it. Any competent user that uses SSH on a new box knows that the first thing you do is change the default root password. Mildly paranoid users do the smart thing and disallow root login via SSH entirely, relying on sudo -i.

At some point the jailbreak community will own up to the fact that they're pushing techniques that work fine for tech-savvy users, but can be disastrous for landlubbers who get swept up in the 'ooh, having all this freedom from evil Apple is SO great!' meme without having the chops to back it up.
Enjoy your malware folks.
 
At some point the jailbreak community will own up to the fact that they're pushing techniques that work fine for tech-savvy users, but can be disastrous for landlubbers who get swept up in the 'ooh, having all this freedom from evil Apple is SO great!' meme without having the chops to back it up.

I thought that this went without saying. People shouldn't be jailbreaking their phones or iPods without knowing just what the hell they're doing. I have no sympathy for people who don't read up on what they're doing first. Then again, how many regular Joes install SSH in the first place?
 
Just use SB Settings and DISABLE SSHD

If you jailbreak the first thing you do is install SB Settings and disable SSHD. You can enable as needed there.

Problem solved. :)
 
iPhone/Privacy.A...?

Gimme a frickin' break, Intego. I know you make your money by scaring people into thinking they need to get anti-virus on their mac, but c'mon, I have everything I need to exploit this hack, easily, as part of OS X's default installation.

Go to Network Tools and run a port scan on any network, open terminal and type in the appropriate command to login via ssh to anything showing port 22 open. Heck, any FTP client will likely just let you scan local network for bonjour clients and login with sftp for full access to the UNPROTECTED iPhone.

This isn't just an iPhone vulnerability, it's a vulnerability to any computer that installs an sshd server (or any service opening the device) and leaves it running with some kind of well known default password.

Old news, new sensationalism to feed the jailbreakers-deserve-everything-bad-that-can-possibly-happen-to-them crowd. :eek:
 
I thought that this went without saying. People shouldn't be jailbreaking their phones or iPods without knowing just what the hell they're doing. I have no sympathy for people who don't read up on what they're doing first. Then again, how many regular Joes install SSH in the first place?

There are apparently enough people who think they know what they're doing (but don't) to produce enough targets to make the exploit worthwhile to develop.
But I agree with you. But what annoys me is that this kind of nonsense will inevitably make its way into MSM as "iPhone vulnerable to attack."
Apple's smart to protect the brand by making jailbreaking as hard as possible.
 
It's quite obvious how this is news. People who jailbreak can literally hit one button on a GUI and it's done. They never log in to their iPhone and install SSH or anything. It all just happens automatically. There are a ton of novice users who don't even know what SSH means who have jailbroken their phones to steal apps or change their background colors.

As long as they don't install SSHD they won't get pwned. SSH access is disabled by default even on a JB phone.
 
It's quite obvious how this is news. People who jailbreak can literally hit one button on a GUI and it's done. They never log in to their iPhone and install SSH or anything. It all just happens automatically. There are a ton of novice users who don't even know what SSH means who have jailbroken their phones to steal apps or change their background colors.

In that case SSH won't be installed. No modern jailbreak installs SSH by default.

So your scenario becomes they jailbreak, install SSH, ignore the *frikking huge* warning to change their password. Then get pwned. No sympathy.

True, but it's the jailbreak process that sets the root password to alpine, not the ssh installer. Perhaps the jailbreaking tools should prompt for new password during the ipsw build or when you press the 'make it rain' button, etc.

No, it's apple that set the root password to alpine.

Without ssh (or telnet) there's no way in that isn't already on the iphone.
 
No. If you are online with 3G, Edge, or Wifi, you are online and open.

But if you changed from "alpine", you are at least safer....

You sure about that?

You can make an incoming ssh connection to your iPhone over edge or 3G? If so, let me know, because I thought that wasn't possible...
 
None of these articles are pointing out that you MUST change the default password for the 'mobile' account as well as the 'root' account. You can ssh into an iPhone with 'mobile' as the username as well as 'root'. You might not be able to access as much, but most of your private information is in the /private/var/mobile directory tree.

True, but it's the jailbreak process that sets the root password to alpine, not the ssh installer. Perhaps the jailbreaking tools should prompt for new password during the ipsw build or when you press the 'make it rain' button, etc.

I think it's Apple that sets the default password, isn't it? The hackers just figure it out. Either way, your suggestion that changing the password as part of the jailbreaking process is an excellent suggestion that hopefully will make it to the Dev-Team's ears.

No. If you are online with 3G, Edge, or Wifi, you are online and open.

I think it depends on the cell provider. My own personal testing shows that AT&T blocks incoming port 22 connections, so on EDGE and 3G, if you're an AT&T customer, you should be safe.

If you're on a private and secure WiFi network that is behind a NAT router, you should also be safe, unless you happen to have the firewall open for port 22 and it points to the internal ip address of your iPhone.

The remaining risk for WiFi would be if you're on some kind of public ip WiFi and someone on the same network is looking for you. Well, you better be protected in that scenario. (Change passwords, use strong ones, don't leave sshd running unless you need it.)
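Added example, not part of any post in this thread: a small audit of an sshd_config that reports which of the two accounts discussed above (root and mobile) would still be offered a password login, covering both the "disallow root login via SSH" advice and the point that 'mobile' needs attention too. The sample config is constructed, Match blocks are not evaluated, and unset keywords are assumed to fall back to the older OpenSSH default of "yes".

```python
import fnmatch

# Constructed sample (not from the thread): a hardening line appended too late.
SAMPLE_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
DenyUsers guest
PermitRootLogin no
"""

def parse_global(text):
    """Global section only: scalars keep their first value, user lists accumulate."""
    scalars, lists = {}, {"allowusers": [], "denyusers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            break  # conditional blocks are out of scope for this check
        if key in lists:
            lists[key].extend(args)
        elif args:
            scalars.setdefault(key, args[0].lower())  # sshd uses the first value
    return scalars, lists

def matches(user, patterns):
    # Assumption: plain * and ? user patterns; USER@HOST and "!" forms are ignored.
    return any(fnmatch.fnmatchcase(user, p) for p in patterns)

def exposed_accounts(text, accounts=("root", "mobile")):
    """Accounts for which sshd would still accept a password login."""
    scalars, lists = parse_global(text)
    # Unset keywords are treated as "yes" (assumed older OpenSSH defaults).
    if scalars.get("passwordauthentication", "yes") != "yes":
        return []
    root_ok = scalars.get("permitrootlogin", "yes") == "yes"
    exposed = []
    for user in accounts:
        blocked = (matches(user, lists["denyusers"])
                   or (lists["allowusers"] and not matches(user, lists["allowusers"]))
                   or (user == "root" and not root_ok))
        if not blocked:
            exposed.append(user)
    return exposed

if __name__ == "__main__":
    print(exposed_accounts(SAMPLE_CONFIG))
```

Any account this reports is protected only by its password, so the password change recommended in the thread has to cover every name in the list.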
 
Title of the thread and most other news articles has of course left pertinent information off for the sake of sensationalism. The worm doesn't affect jailbroken phones by default, only ones who have installed SSH, and even then only ones who haven't changed the default password.

When the fanbois hear about it they gloat. If the news is something like exploding iPods they say "But it's just a tiny portion of iPods, there isn't really a problem." Their double standards are up there with the best.
 
You sure about that?

You can make an incoming ssh connection to your iPhone over edge or 3G? If so, let me know, because I don't think that's possible...


See my post above just above this, but yes, you can certainly access ssh via cellular networks with some companies.

The infamous Rickroll worm was specifically written to access iPhones on the same Australian cellular networks as the infected phones.

I don't believe AT&T users to be vulnerable. At least I have been unable to ssh into my iPhone from either another iPhone or my desktop when I go after the cellular network data ip of the phone.
 
You sure about that?

You can make an incoming ssh connection to your iPhone over edge or 3G? If so, let me know, because I don't think that's possible...

Yes. Depends on your provider of course.. some of them use RFC1918 addresses (although even then you could theoretically connect from one 3G device to another).

If you have an IP address you're visible in some way. If it's a public IP you're visible to the world. If you're running SSH install sbsettings, switch wifi and ssh off when you're not using them (and 3G too, since it's only a swipe to reenable when you need it) and in addition to more security you get better battery life too.
 
See my post above just above this, but yes, you can certainly access ssh via cellular networks with some companies.

The infamous Rickroll worm was specifically written to access iPhones on the same Australian cellular networks as the infected phones.

I don't believe AT&T users to be vulnerable. At least I have been unable to ssh into my iPhone from either another iPhone or my desktop when I go after the cellular network data ip of the phone.

Yeah, same here, that's why I questioned it... I'd actually like to be able to ssh into my phone (or access it via http port 80, etc over 3G :) Wonder if it's that reason or if it's an "apple/at&t no-no" reason that things like Air Sharing only work with wifi.
 
So now you know why it only spreads in Australia and not worldwide: It requires physical proximity because of WiFi!

Anyway, I don't think this really matters, since users who jailbroke their iPhone modified the software in a way that can produce unexpected results, since it has not been tested by Apple.

Hacking stuff has risks! But I don't think it's a big deal, I don't think people store important information on their iPhone anyway, unless they're dumb enough to put password reminders in Notes, or maybe top secret emails... What could a hacker want with people's iPhone data? Prank call people? Come on!
 
You don't want people access to your address book

Granted, this exploit is self-inflicted (jailbreak, install SSH, don't change the default password). However, I know that I use my addressbook.app on my Mac extensively and have a lot of notes attached to each contact -- some with sensitive and personal information on it. My computer is locked down and the home directory encrypted. My iPhone has the passcode lock set for 1 minute, so I'm OK that if someone got my phone, they would most likely just perform a full reset before they would be able to gain access to it.

However, I would not like the possibility of someone stealthily being able to gain access to that data. So yes, people are worried about someone gaining access to their address book data.

Of course, if you jailbreak your phone and feel compelled to install SSH and not change the password, then you probably aren't too worried about what's on your iphone.

:rolleyes:
 
great, will be bad reputation for apple again, since the yellow press will leave away the piece of information that it only affects jailbroken iphones.

Eh, not really. All you have to say is that people "hacked" the iPhone so they could use it for whatever they wanted, that they disregarded Apple's own security and controls to do so, and thus exposed themselves to risk. People won't have much sympathy, and thus Apple's reputation is perfectly fine.
 
the tone and content on that article was mildly retarded. Instead of saying, 'Hey idiots! If you Jailbroke, installed SSH and didn't change your root password you could be vulnerable.' It went straight for the fox news approach. Can't they just release some new mouse or something to get this idiocy off the front page.
 