Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
[Merged] Jailbreaked iPhone SSH Exploit And Countermeasures
- Thread starter jav6454
- Start date
- Sort by reaction score
How Jailbreaking Can Screw Millions of iPhone owners
Article from Ars Technica:
http://arstechnica.com/apple/news/2009/11/dutch-hacker-holds-jailbroken-iphones-hostage-for-5.ars
I would say that MOST average Jailbroken iPhone's are vulnerable to a port scanner, and conform to the following description:
I've commented about some of the security implications before on this forum, especially with regards to the practices of some jailbroken app creators and how they store their information (clear text). This makes things SO much worse for someone who loses control of their phone. It can be apocalyptic depending on the nastiness of the perpetrator.
There are MILLIONS of jailbroken iPhone's out in the wild. The community should be CONSTANTLY talking about security, and not even pausing for a moment to make snide "no root pwd change, they deserve what they get" comments, after luring non-technical people to "opening up" their phone to begin with.
Metasploit Creator Distributes Exploits for iPhone
https://forums.macrumors.com/threads/370929/
SECURITY: Newsweek - Spectre of the Great iPhone Epidemic
https://forums.macrumors.com/threads/372426/
~ CB
Article from Ars Technica:
http://arstechnica.com/apple/news/2009/11/dutch-hacker-holds-jailbroken-iphones-hostage-for-5.ars
I would say that MOST average Jailbroken iPhone's are vulnerable to a port scanner, and conform to the following description:
How sad. Same thing can also be said of hacked Apple TVs on insecure WiFi hotspots... just as a note.
I've commented about some of the security implications before on this forum, especially with regards to the practices of some jailbroken app creators and how they store their information (clear text). This makes things SO much worse for someone who loses control of their phone. It can be apocalyptic depending on the nastiness of the perpetrator.
There are MILLIONS of jailbroken iPhone's out in the wild. The community should be CONSTANTLY talking about security, and not even pausing for a moment to make snide "no root pwd change, they deserve what they get" comments, after luring non-technical people to "opening up" their phone to begin with.
Metasploit Creator Distributes Exploits for iPhone
https://forums.macrumors.com/threads/370929/
SECURITY: Newsweek - Spectre of the Great iPhone Epidemic
https://forums.macrumors.com/threads/372426/
~ CB
My password is default. But I am only on trusted wifi networks. And no one knows my phone is jailbroken. That is the least of my worries. But if I was "smart" I would change it. 
I'll take my chances.
I'll take my chances.
This is why almost all tutorials on installing OpenSSH tell you to go in and tell you to do
passwd then su root; passwd to set change your default passwords.
Also, I don't think this puts anyone but the actual phone owner at risk. It just shows people shouldn't do anything before reading enough about it. SSH is very secure and usable by even the average user as long as they read.
passwd then su root; passwd to set change your default passwords.
Also, I don't think this puts anyone but the actual phone owner at risk. It just shows people shouldn't do anything before reading enough about it. SSH is very secure and usable by even the average user as long as they read.
I don't get it, what exactly did this guy/girl hack? I don't see him/her injecting code, finding a vulnerability, etc. Looks like they added a plist and changed the background photo and simply took advantage of folks who did not change their default passwords. Kinda like leaving your home unlocked and someone placing a note on your bathroom mirror...
this was all over the boards yesterday...about changing your root pw and how to do that.
so the guy who wants to know how..either google or do search on these boards.
so the guy who wants to know how..either google or do search on these boards.
Unfortunately, I didn't find your thread title to be any more informative about the actual thread content.
hmmmm
this what I was thinking op title idea (JB's if you have SSH change Password) or JB'S SSH has security risk even Jailbreakers security is at risk. by op title me thinks he is trying to scare people from JB. also would have been better to add how and to change root password or how to fix the issue.
Unfortunately, I didn't find your thread title to be any more informative about the actual thread content.
this what I was thinking op title idea (JB's if you have SSH change Password) or JB'S SSH has security risk even Jailbreakers security is at risk. by op title me thinks he is trying to scare people from JB.
also would have been better to add how and to change root password or how to fix the issue.
this what I was thinking op title idea (JB's if you have SSH change Password) or JB'S SSH has security risk even Jailbreakers security is at risk. by op title me thinks he is trying to scare people from JB.
Also the title suggests that if you jailbreak you can screw other people over... While this is not the case.
this was brought up
months ago common sense should tell you to change root passwords. this guy just came up with a new twist to try and make a few bucks.
months ago common sense should tell you to change root passwords.
this guy just came up with a new twist to try and make a few bucks.
There is some truth to that, but I mentioned "jailbreaking" and "iphone". I think it would have been better to include the words "security" and "SSH" as well, but I think it was on the right path. "WARNING! Highest importance for your security" (not the original title) left me thinking it was generic security advice on an anecdote. I titled my thread specifically to catch the eye of anyone jailbreaking their phone... which is the primary thrust of the ARS article.Unfortunately, I didn't find your thread title to be any more informative about the actual thread content.
:: shrug ::
~ CB
My god.. People are missing the point.
Just change your default password to something else.
Lots of guides on here. I posted an expansive one. If you REALLY don't want to do that, just uninstall OpenSSH and netatalk (if you have either of them) otherwise you're fine.
iPhone Worm - change SSH password
There is a now a relatively innocuous iPhone worm that is infecting jailbroken iPhones. Non-jailbroken iPhones are safe. It has started in Australia and unknown how far it's gone so far.
While is isn't dangerous, it does demonstrate a weakness in jailbroken iPhones. A malicious worm may be next.
A Google search will give you information about this worm.
This worm apparently takes advantage of the fact that the vast majority of jailbreakers do not change their password. The default password is 'alpine'.
To change the password,
Open Cydia, download and install MobileTerminal.
Open MobileTerminal and type 'passwd'
Enter 'alpine' as the old password.
Enter (and re-enter) your new password.
You will now be safe from this worm and hopefully from any future worms.
There is a now a relatively innocuous iPhone worm that is infecting jailbroken iPhones. Non-jailbroken iPhones are safe. It has started in Australia and unknown how far it's gone so far.
While is isn't dangerous, it does demonstrate a weakness in jailbroken iPhones. A malicious worm may be next.
A Google search will give you information about this worm.
This worm apparently takes advantage of the fact that the vast majority of jailbreakers do not change their password. The default password is 'alpine'.
To change the password,
Open Cydia, download and install MobileTerminal.
Open MobileTerminal and type 'passwd'
Enter 'alpine' as the old password.
Enter (and re-enter) your new password.
You will now be safe from this worm and hopefully from any future worms.
It's not a worm. And there are several threads on this.
https://forums.macrumors.com/threads/813580/
https://forums.macrumors.com/threads/813520/
https://forums.macrumors.com/threads/813580/
https://forums.macrumors.com/threads/813520/
I don't doubt you, but here's some links that are calling this a worm.
http://mashable.com/2009/11/08/first-iphone-worm/
http://www.pcworld.com/businesscent...phone_worm_spreads_rick_astley_wallpaper.html
http://www.f-secure.com/weblog/archives/00001814.html
The semantics are not as important as changing the password.
http://mashable.com/2009/11/08/first-iphone-worm/
http://www.pcworld.com/businesscent...phone_worm_spreads_rick_astley_wallpaper.html
http://www.f-secure.com/weblog/archives/00001814.html
The semantics are not as important as changing the password.