What exactly is the security issue with default password?

Discussion in 'iPod touch Hacks' started by aki, Dec 2, 2007.

  1. aki macrumors 6502a

    Joined:
    Mar 2, 2004
    Location:
    Japan
    #1
    I realize this is a dumb question probably but I guess I'm dumb...

    Most of the jailbreaky sites say you must change your password. I was wondering, what specifically are the security issues with leaving a default password set on a jbroken touch? Like, what things could someone actually do?
     
  2. andybno1 macrumors 68040

    Joined:
    Nov 6, 2007
    Location:
    Liverpool, UK
    #2
    Well, the theory is if you keep the same password and someone found your touch's IP address then they could quite easily hack into the touch and maybe brick it.
     
  3. Reimer macrumors regular

    Joined:
    Sep 15, 2006
    #3
    Think about what YOU can do when you SSH into your iPod. You can upload files, delete files, etc. The same applies to whoever else connects to it as well. That's why if you change your password, even if they tried to connect, they won't be able to. That's pretty much it really.
     
  4. mingenyx macrumors regular

    Joined:
    Nov 22, 2007
  5. mavis macrumors 68040

    Joined:
    Jul 30, 2007
    Location:
    Tokyo, Japan
    #5
    Wirelessly posted (iTouch 1.1.1: Mozilla/5.0 (iPod; U; CPU like Mac OS X; en) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/3A110a Safari/419.3)

    I'd like to find out about this too. I've disabled SSH (using that 'Services' app) but it would be easier to leave it enabled and just change the password. How can we do that?
     
  6. Vigilante macrumors 6502a

    Joined:
    Sep 11, 2007
    Location:
    Florida.
    #6
    I think the command is "passwd" into terminal. You'll still have to type in alpine, but after you do it will pop up saying you need to enter another password.
     
  7. PowerFullMac macrumors 601

    Joined:
    Oct 16, 2006
    #7
    But for them to hack it they will need to know you are using an iPod Touch and you will both be connected to the same network. Turning SSH off when you're not using it saves battery life, so I do that, but I have changed my password just for the hell of it (I do stuff a lot for that reason)... :rolleyes::D
     
  8. notjustjay macrumors 603

    Joined:
    Sep 19, 2003
    Location:
    Canada, eh?
    #8
    It's good practice, but extremely unlikely that anything would ever happen.

    First, you'd have to be using your iPod touch somewhere with WiFi while SSH was turned on.

    Next, someone else has to be using the same network.

    That person would have to know you exist, and find the IP address you're connected on.

    They would then have to know that you're on an iPod touch and not a Mac or PC.

    And know that iPod touches have a default root password.

    Then they could ssh into it and try the default root password. And, theoretically, all hell could break loose.

    But realistically speaking, how many times do you think you'll set yourself up for this scenario?

    Go ahead and change it, but it makes sense to turn ssh off too when you're not using it!
     
  9. ChrisBrightwell macrumors 68020

    Joined:
    Apr 5, 2004
    Location:
    Huntsville, AL
    #9
    Install the BSD Subsystem (via Installer.app), SSH into the iPod, login as "root" (default password is "alpine"), then use the "passwd" command to change the password.

    The threat with the default password is minuscule, but real.
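
A way to confirm that the `passwd` step described above took effect on every account, as an added example that is not part of the original post. It assumes a BSD-style colon-separated password file and a copy of it saved before the change; the file names, the account names other than root, and the hash strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a BSD-style password file:
# colon-separated, field 1 = account name, field 2 = password hash.

# Print every account in CURRENT whose hash field is byte-identical to the
# one in BASELINE (a copy saved before running passwd), i.e. the password
# was never changed. Accounts with an empty hash field are flagged too.
unchanged_accounts() {   # usage: unchanged_accounts BASELINE CURRENT
    awk -F: '
        /^#/ || NF < 2   { next }                      # comments, malformed lines
        NR == FNR        { base[$1] = $2; next }       # first file: baseline hashes
        $2 == ""         { print $1 " (empty)"; next } # no password at all
        $2 ~ /^[*!]/     { next }                      # locked accounts cannot log in
        ($1 in base) && base[$1] == $2 { print $1 }    # same hash as baseline
    ' "$1" "$2"
}

# Constructed sample data: hash strings are placeholders, not real hashes.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/baseline" <<'EOF'
# constructed baseline copy, taken before any password change
root:PLACEHOLDER_DEFAULT_A:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:PLACEHOLDER_DEFAULT_B:501:501::0:0:Mobile User:/var/mobile:/bin/sh
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
EOF
    cat > "$dir/current" <<'EOF'
# constructed current file: only root was changed with passwd
root:PLACEHOLDER_NEW_HASH:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:PLACEHOLDER_DEFAULT_B:501:501::0:0:Mobile User:/var/mobile:/bin/sh
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
EOF
    unchanged_accounts "$dir/baseline" "$dir/current"
    rm -rf "$dir"
}

demo   # prints: mobile
```

Any name it prints is an account that still accepts its old password over SSH, even though root's was changed.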
     
  10. ChrisBrightwell macrumors 68020

    Joined:
    Apr 5, 2004
    Location:
    Huntsville, AL
    #10
    This is all pretty easy, if you're sniffing HTTP packets and looking for Mobile Safari headers.
     
  11. notjustjay macrumors 603

    Joined:
    Sep 19, 2003
    Location:
    Canada, eh?
    #11
    Sure, but what are the odds that someone's sitting around doing that, at the same time you're surfing?

    Not saying it's impossible, or even difficult. Just, rather unlikely.

    Put it another way -- suppose you or I decide to set out to trash someone's iPod Touch today. What are the odds that we will successfully find a WiFi point where someone else is using a hacked Touch at the same time, and manage to get in and do damage?

    Some situations are obviously riskier than others (college dorms, for example).
     
  12. ChrisBrightwell macrumors 68020

    Joined:
    Apr 5, 2004
    Location:
    Huntsville, AL
    #12
    Depends on where you are, obviously.

    Going to DefCon? It's almost a guaranteed thing. Using the free wifi from a small bed and breakfast in a rural community? Near-zero, threat wise.

    It's something to be aware of, not something to be paranoid about.
     
  13. aki thread starter macrumors 6502a

    Joined:
    Mar 2, 2004
    Location:
    Japan
    #13
    Thanks for all the info! Really useful.

    (BTW I read in another thread leaving SSH open uses pretty much no battery so don't worry about that part.)
     
  14. notjustjay macrumors 603

    Joined:
    Sep 19, 2003
    Location:
    Canada, eh?
    #14
    Indeed. You've said it better than I could. :)

    Incidentally, I'd be far more concerned with the network settings on my laptop when using someone else's Wifi (e.g. a hotel). While at a conference last month I connected in my hotel room and opened up a Leopard Finder window to discover a new icon on the sidebar: "Jane Doe's Computer". I proceeded to click through to find a shared folder and even an option to start a remote session. I opened up iTunes and, sure enough, "Jane Doe's Music". Only a few albums.

    The next morning at a general session I tracked her down and introduced myself. Then I innocently asked, "So, how do you like your new MacBook?" Her "how did you know?!" reaction was priceless. :D
     
  15. Arisian macrumors 68000

    Joined:
    Sep 14, 2007
    Location:
    China
    #15
    I'm in this scenario on a daily basis. I connect my iPod touch to a guest network at a company that has almost 600 people on the network every day. I know at least 4 other people within throwing distance of me that have iPod touches and iPhones that are hacked. There really is no reason to argue about whether this is a good idea or a bad idea since no one knows what hacks for this will come out in the future. It takes less than 5 seconds to change your password. Also, there are other scenarios other than someone logging into your iPod over a network that this benefits... such as a roommate trying to be a jerk and logging in and deleting stuff, so on so forth (not that this is a good example, mind you :) )

    Anyways, do it if you want to... don't do it if you don't want to.
    The end, no real reason to argue about this.

    Arisian
     
