Monday, November 9, 2009

iPhone "Worm"

Many sources are reporting on the existence of an iPhone "Worm" that RickRolls the phone's user. Harmless, but troublesome.

It should be noted, however, that this isn't exploiting a known security hole in the iPhone, but rather is a side-effect of one-button JailBreaking. By packing up the JailBreak process so that anybody can do it, regardless of their level of technical knowledge, the JailBreak community has handed less technically adept people a loaded gun that they've never been trained to use. People in the jailbreak community know enough to change the default password used by their jailbroken phone's SSH server, but many of the less-technically adept people who have used Quick-PWN and other JailBreaking tools do not. Some of them likely don't even know what SSH is.

This time, people are only shooting themselves in the foot. Next time, it could be the head. Next time, it could impact all of us. Instead of a RickRoll, it could be a DDoS attack that degrades AT&T's already horrid network.

If you're going to jailbreak your phone (and personally, I would rather you didn't), it's your responsibility to make sure you understand the risks you are taking by doing so, and that you take reasonable steps to secure your phone. If you don't know enough to do that, leave your phone the frack alone.

I fully expect Apple to redouble their efforts to prevent JailBreaking and, you know what? It's perfectly understandable. The idea of a totally open and unrestricted device is great, in theory. It would be great if all the people with those open and unrestricted devices were technically adept super-users or developers. When you throw less-technical people into the mix with a device that's always connected to a shared network, the theory falls apart. Simply put, most people should have a locked-down phone, and it has nothing to do with wanting to restrict what you can do with your device; it has to do with making sure the rest of us are able to use ours.


Joel Bernstein said...

Well they have to jailbreak their device, purposefully seek out and install the OpenSSH package, and then forget to change their root password.

I can't imagine the number of people tech savvy enough to accomplish the first two tasks, but not the third, would be very high.

Jeff LaMarche said...


SSH gets installed as part of the jailbreak process. It's a necessary component, and included in the one-button jailbreak tools.

If you had to compile OpenSSH from source, I'd agree that the bar would get raised, but it's not the case. Every jailbreak phone needs to have SSH, and not every one of the 5 million jailbreakers is that tech savvy.


Heath said...

Maybe AT&T could create explicit network ToS, and start banning people when they violate it. How is a cell network more difficult to administer than my cable network?

LinkMx said...

Actually SSH is not installed by default, at least with PwnageTool.

Elai said...

Maybe long ago in a pre-2.0 jailbreaking, SSH was part of the process. But ever since 2.0+ jailbreaking methods, SSH is definitely not installed by default. Users have to install it on purpose, search for it, and know what it is.