Video Screencast Help
Security Response

Another iPhone Attack

Created: 11 Nov 2009 19:11:44 GMT • Updated: 23 Jan 2014 18:31:23 GMT
Symantec Security Response's picture
+1 1 Vote
Login to vote

The first iPhone worm, known as iPhoneOS.Ikee, recently hit the news everywhere. The purpose of this worm was to show that jailbroken iPhones had a flaw that could be easily exploited. The consequences of this worm were minor since the author decided to simply Rickroll users who became victims of this attack. However, there were many warnings that the publicly released code could easily be altered so that consequences were not so benign.

Given the implications—and this being a hot topic—reports are surfacing about a hacktool that can be used to attack jailbroken iPhones. This tool is taking advantage of the same default SSH password that iPhoneOS.Ikee does, but put plainly, this is not another worm. We’re looking at a hacktool that is installed on an attacking computer, not on the iPhone. It allows an attacker to scan a network and then attempt to log in to devices using the iPhone’s default SSH password. If it finds a jailbroken iPhone with the default password still set, the hacker can steal any data from a compromised device, including e-mail, text messages, contacts, photos, etc. The hacker connected to the device then has complete control over it.

It’s unlikely the phone’s owner will notice anything that will alert them to the compromise. The iPhoneOS.Ikee alerted people to the fact they were infected by changing the wallpaper to a photo of Rick Astley. In this case there’s no such outward indication that something is wrong.

It’s worth noting that this method of attack is as old as the hills. The only thing remotely new is that this hacktool has been configured to target jailbroken iPhones, and even that’s been discussed before. This tool could just as likely be used to scan for any devices and attempt to compromise them using a broad list of default passwords used by various services. iPhone SSH scanners and automatic scripts for logging into jailbroken iPhones to back up important data have existed for a few years now. So, this particular hacktool is the result of someone putting the two tools together and removing the manual step. It’s likely this is only getting this level of coverage because of the success of iPhoneOS.Ikee.

If you are worried your device may be affected by this vulnerability you can take the following steps to ensure your data is safe. First, backup your data and restore your device to its factory settings. Once the device has been restored, the worm will have been removed, and the security hole closed.

If you insist on jailbreaking your phone again (despite the obvious risks), disable network connectivity when done and change the default SSH password. You can then restore network connectivity, having successfully closed the security hole.

It’s obvious that users of jailbroken iPhones are leaving themselves open to malicious attacks. What was originally theoretical has been realized and should make iPhone users stop and think before jailbreaking their phone.