I heard about this "iPhone virus" on BBC radio today, and I was wondering to myself "is this about the SSH default password vulnerability?" Surely, for the mainstream press to be touting this as an iPhone virus is sensationalism of the first order.
Though strictly speaking it is a virus, it's a benign virus that exploits an extremely obvious vulnerability that's open in a very small proportion of iPhone users.
That being said, I did go ahead and change my root password in my jailbroken iPhone today. I don't want to get Rickrolled. :-)
You don't have to be smart to Jailbreak an iPhone - 30 bucks and it's done - and you have to be incredibly dumb to install SSH and not change the root password. Those who've been affected need to go give themselves an uppercut.
As for the sensationalism, do we really expect anything else from the media? The same lot that tell us that everyone who dresses or looks or "acts" differently to "us" (whatever that means) is a terrorist, and we should lock our kids away in the house in front of the TV eating McDonalds because if we let them play outside they'll get sunburn and skin cancer then the perverts that are waiting behind every tree around the neighbourhood will snatch them away. If it wasn't for sensationalism they would be out of jobs - it's ALL they do...
bull,
The SSH utility for iPhone does not have a command prompt to allow a password change. One needs to install an additional app or log in from a computer, which might be too late already.
The first run of SSH on the iPhone is useless if it does not allow changing the password.
But what would one expect from a device that is not designed with security in mind?
Maybe Apple should start paying more attention to security instead of worrying whether an application containing the word iPhone (e.g. iPhone reference manual) will be admitted to the Apple store or not.
Edited 2009-11-10 14:56 UTC
...
But what would one expect from a device that is not designed with security in mind?
What you have said is just profoundly silly. The SSH utility is a binary compiled and added by the jailbreakers. It's not something that comes with the iPhone nor shipped by Apple. The lack of an automatic way to change your password by default is completely the fault of the jailbreakers, not Apple.
Apple didn't provide any means for remote access so they certainly can't be faulted for not having "security in mind" if you hack in your own remote access tools and don't change the password.
That would be like faulting Honda for installing poor fire retardant materials in their cars after strapping your own homemade jet engine on the back. If the car explodes in a ball of flame due to your jet engine, it wouldn't be fair to then say that Honda doesn't design cars with safety in mind.
nope:
Symbian and Blackberry require signed apps and don't give root access to most apps, in contrast to the iPhone.
If an application does not allow a password change, then root access should not be allowed.
As I said, this is an insecure device. It has nothing to do with the crappy car comparison. Bad design is bad design.
Symbian and Blackberry require signed apps and don't give root access to most apps, in contrast to the iPhone.
If an application does not allow a password change, then root access should not be allowed.
As I said, this is an insecure device. It has nothing to do with the crappy car comparison. Bad design is bad design.
Really? What about hacked/jailbroken Symbian and Blackberry devices?
A non-jailbroken iPhone sandboxes apps and definitely does not give root access to them. It also code-signs all installed apps.
Of course you probably realise this, you're just being a moron.
[quote]A non-jailbroken iPhone sandboxes apps and definitely does not give root access to them. It also code-signs all installed apps.[/quote]
You must be dreaming assuming nice theory with sad reality (the number of security issues with iPhone is quite amazing).
What would be the point of jailbreaking a Blackberry?
Find similar security problems with Blackberry (and tons more that are a marketing signature of iPhone, e.g. clear text passwords to encrypt the device and so on).
The iPhone is nice, but jailbroken or not, this is not a secure device.
And this is a more recent nasty story:
http://blog.intego.com/2009/11/11/intego-security-memo-hacker-tool-...
You must be dreaming assuming nice theory with sad reality (the number of security issues with iPhone is quite amazing).
No I'm not "dreaming assuming nice theory with sad reality" (whatever that means). I'm setting you straight on your claim that the iPhone does not codesign or sandbox its apps. I said nothing about any other possible iPhone security issues.
Oh I don't know. To run SSH on it maybe, like was done on the iPhone in the subject of this article?
"Symbian and Blackberry require signed apps"
also
http://developer.android.com/guide/publishing/app-signing.html
"Maybe Apple should start paying more attention to security instead of worrying whether an application containing the word iPhone (e.g. iPhone reference manual) will be admitted to the Apple store or not."
It's actually creating the problem. More and more iPhone users (not hacker geek types) want to jailbreak just so they can get all the apps that Apple blocks.





