Warning: iPhone exploit in the wild and stealing user data

happygeek

Over the weekend news broke that a worm had started infecting Jailbroken iPhones in Australia. Nobody really took the exploit too seriously as all the 'ikee worm' did was change the phone wallpaper to a picture of 80's pop singer Rick Astley in a kind of warped tribute to the RickRolling Internet meme of last year.

However, I warned at the time that "as code variants continue to appear it is only a matter of time, and probably not that much of it, before a malicious party uses it to deliver a payload that is a whole lot more troublesome than Rick Astley" and my gloomy prediction has now borne fruit.

One researcher, Peter James of Mac security specialists Intego, has revealed that a new exploit is taking advantage of the same vulnerability that the ikee worm did, the often unchanged default SSH password of Jailbroken iPhones. iPhone/Privacy.A, as Intego have creatively named it, will allow hackers to "silently copy a treasure trove of user data from a compromised iPhone: e-mail, contacts, SMSs, calendars, photos, music files, videos, as well as any data recorded by any iPhone app".

The hacker would first need to install the tool onto a computer which would then scan for any Jailbroken iPhones connected to the networks it discovers, and assuming that the root password has not been changed it can then quietly go about its business. Although there is a chance of the thing being installed on a computer in a shop, for example, and scanning for devices within range as people mill about, the actual overall risk is pretty low.

For a start it requires a Jailbroken device, either iPhone or iTouch, and it is estimated that something less than 10% have actually been modified in this way. Although this does mean a couple of million or so devices at risk, you also have to bear in mind that many of those who have gone through the Jailbreak process will be of a technical mindset. Exactly the people who read the newsfeeds, who frequent forums such as DaniWeb, who will be all too aware of ikee and the need to change the default SSH root password. All of the time the number of devices that are at risk is being reduced.

So perhaps the 75% of people who took part in a Sophos poll which asked if the ikee worm author had done iPhone users a favour by alerting them to a significant problem in a harmless way and agreed that he had were right after all. Better to get a grinning pop star on your iPhone as a wake up call to a vulnerability than have your data stolen right off the bat. That said, the ikee worm also alerted the bad guys to the vulnerability and it has not taken them long to get right out there and exploit it.

Personally I would have preferred it if the ikee chap had approached Apple with the discovery and let them get it patched before going public. That kind of disclosure is the responsible way to do it and, assuming that Apple acted quickly enough, the problem could have been corrected without any data stealing tools or faded singers being involved. Of course, Apple might say that if you breach the terms and conditions of usage of your hardware device by modifying it in this way then you deserve everything you get.

Certainly, as far as the Apple campaign against Jailbreaking goes this kind of bad publicity is actually pretty good for the company. It can, quite rightly, proclaim that legitimate users have nothing to fear and warn that the security risk is just one more reason that they should not be tempted down the Jailbreak road.

That said, some researchers are also warning that non-Jailbroken iPhones could be compromised if the bad guys look away from this particular access route and start exploiting other avenues such as the SMS hacking trick revealed at Black Hat earlier in the year.

kurtharriger 0 Newbie Poster

SSH is not automatically installed simply by jailbreaking your phone. It is an app available in the Cydia app store that makes your phone listen for incoming SSH connections. Now it would probably be better if the software would generate a new random default password during installation, but the software is doing exactly what it is designed to do -- enabling access to the system internals via SSH connection. It would be like installing an application on your home computer that shares your web cam feed over the internet with a changeable default password of "alpine" and then complaining about privacy violations when you discover someone else on the internet has been watching your feed.

Apple shouldn't need to do anything in this case, if you jailbreak your phone and install an application that enables incoming SSH connections then that is entirely the user's fault as Apple already discourages the practice.

On the other hand, you don't need to jailbreak your phone to have user data stolen. You can just install one of the free storm8 games from the app store, which I did at one time. Unlike above this is not the advertised purpose of the application. In this case however I think maybe Apple should have notified me that software they approved for use on my device may have been stealing my personal information, but they didn't.
http://www.theregister.co.uk/2009/11/06/iphone_games_storm8_lawsuit/
