Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

What exactly is the security issue with default password?

A

aki

macrumors 6502a
Original poster
Mar 2, 2004
688
0
Japan
I realize this is a dumb question probably but I guess I'm dumb...

Most of the jailbreaky sites say you must change your password. I was wondering, what specifically are the security issues with leaving a default password set on a jbroken touch? Like, what things could someone actually do?
 
well the theory is if you keep the same password and someone found your touch's ip address then they could quite easily hack into the touch and maybe brick it
 
Think about what YOU can do when you SSH into your iPod. You can upload files, delete files, etc. The same applies to whoever else connects to it as well. That's why if you change your password, even if they tried to connect, they won't be able to. That's pretty much it really.
 
Wirelessly posted (iTouch 1.1.1: Mozilla/5.0 (iPod; U; CPU like Mac OS X; en) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/3A110a Safari/419.3)

mingenyx said:
how do u go along changing it?
Click to expand...

I'd like to find out about this too. I've disabled SSH (using that 'Services' app) but it would be easier to leave it enabled and just change the password. How can we do that?
 
I think the command is "passwd" into terminal. You'll still have to type in alpine, but after you do it will pop up saying you need to enter another password.
 
But for them to hack it they will need to know you are using a iPod Touch and you will both be connected to the same network. Turning SSH off when your not using it saves battery life, so I do that, but I have changed my password just for the hell of it (I do stuff a lot for that reason)... :rolleyes::D
 
It's good practice, but extremely unlikely that anything would ever happen.

First, you'd have to be using your iPod touch somewhere with WiFi while SSH was turned on.

Next, someone else has to be using the same network.

That person would have to know you exist, and find the IP address you're connected on.

They would then have to know that you're on an iPod touch and not a Mac or PC.

And know that iPod touch's have a default root password.

Then they could ssh into it and try the default root password. And, theoretically, all hell could break loose.

But realistically speaking, how many times do you think you'll set yourself up for this scenario?

Go ahead and change it, but it makes sense to turn ssh off too when you're not using it!
 
ChrisBrightwell said:
This is all pretty easy, if you're sniffing HTTP packets and looking for Mobile Safari headers.
Click to expand...

Sure, but what are the odds that someone's sitting around doing that, at the same time you're surfing?

Not saying it's impossible, or even difficult. Just, rather unlikely.

Put it another way -- suppose you or I decide to set out to trash someone's iPod Touch today. What are the odds that we will successfully find a WiFi point where someone else is using a hacked Touch at the same time, and manage to get in and do damage?

Some situations are obviously riskier than others (college dorms, for example).
 
notjustjay said:
Sure, but what are the odds that someone's sitting around doing that, at the same time you're surfing?
Click to expand...

Depends on where you are, obviously.

Going to DefCon? It's almost a guaranteed thing. Using the free wifi from a small bed and breakfast in a rural community? Near-zero, threat wise.

It's something to be aware of, not something to be paranoid about.
 
Thanks for all the info! Really useful.

(BTW I read in another thread leaving SSH open uses pretty much no battery so don't worry about that part.)
 
ChrisBrightwell said:
It's something to be aware of, not something to be paranoid about.
Click to expand...

Indeed. You've said it better than I could. :)

Incidentally, I'd be far more concerned with the network settings on my laptop when using someone else's Wifi (e.g. a hotel). While at a conference last month I connected in my hotel room and opened up a Leopard Finder window to discover a new icon on the sidebar: "Jane Doe's Computer". I proceeded to click through to find a shared folder and even an option to start a remote session. I opened up iTunes and, sure enough, "Jane Doe's Music". Only a few albums.

The next morning at a general session I tracked her down and introduced myself. Then I innocently asked, "So, how do you like your new MacBook?" Her "how did you know?!" reaction was priceless. :D
 
notjustjay said:
It's good practice, but extremely unlikely that anything would ever happen.

First, you'd have to be using your iPod touch somewhere with WiFi while SSH was turned on.

Next, someone else has to be using the same network.

That person would have to know you exist, and find the IP address you're connected on.

They would then have to know that you're on an iPod touch and not a Mac or PC.

And know that iPod touch's have a default root password.



Then they could ssh into it and try the default root password. And, theoretically, all hell could break loose.

But realistically speaking, how many times do you think you'll set yourself up for this scenario?

Go ahead and change it, but it makes sense to turn ssh off too when you're not using it!
Click to expand...

Im in this scenario on a daily basis. I connect my ipod touch to a guest network at a company that has almost 600 people on the network every day. I know at least 4 other people within throwing distance of me that have ipod touches and iphones that are hacked. Their really is no reason to argue about whether this is a good idea or a bad idea since no one knows what hacks for this will come out in the future. It takes less than 5 seconds to change your password. Also, there are other scenarios other than someone logging into your ipod over a network that this benefits... such as a roommate trying to be a jerk and logging in and deleting stuff, so on so forth (not that this is a good example, mind you :) )

anyways, do it if you want to... dont do it if you dont want to.
The end, no real reason to argue about this.

Arisian
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back