Jailbroken, Installed SSH, Didn’t Change Password? New Attack Aims to Steal Your Data
So if you’ve jailbroken your iPhone, installed SSH, and still haven’t changed your password from the default despite our previous warnings about Dutch Ransomers and Australian Rickrollers? Maybe you thought those were just funny (as seen in this video from iPhoneMVP) and not worth worrying about? Well now things have gotten more serious — there’s a new attack making the rounds that just plain steals your data.
Same method of attack, the bad guy scans the local network for insecure SSH on Jailbroken iPhones, and when it finds it, begins to copy your contacts, messages, email, events, photos, media, etc. This could, of course, include passwords, financial data, and those pics you never got around to deleting…
If you haven’t already, go change your SSH password now. If you need help, go to the TiPb iPhone Forums and get it. Just secure your iPhone.
[Intego, thanks to everyone who sent this in]
November 12th, 2009 at 9:51 am
Will this affect non J/B’s? Or are you only in trouble if you’re J/B and leave the default pass for SSH?
November 12th, 2009 at 9:54 am
If you J/B with PwnageTool and don’t install anything other than ultrasnow (I only J/B for the carrier unlock), then I should be fine because I’ve never installed or used SSH, right?
November 12th, 2009 at 10:08 am
Another option is to simply turn off SSH. SBSsettings has that option if you’ve installed it.
November 12th, 2009 at 10:10 am
What exactly is SSH? Is it automatically enabled? I’m pretty confused by the whole thing…
November 12th, 2009 at 10:10 am
@Iain & @Dyvim
This is only an issue if you jailbroke, installed SSH and then did not change your default password on your iPhone (for both root and mobile I believe) from alpine to something else. Thus, you are both fine.
Frankly, this issue is getting way too much coverage. If you were smart enough to jailbreak (and we all know its not hard) then you certainly can change the password within 10 minutes. Those who don’t ALMOST deserve what they get. The only problem is don’t forget that when you re-jailbreak like with PwnageTool for 3.1.2 that you have to change password again. In fact, this should be added to the end of any jailbreak step-by step guide.
November 12th, 2009 at 10:11 am
If you don’t jailbreak, or do jailbreak Nd don’t install ssh you’re safe. If you do install jailbreak and do change superuser password, you’re safe.
You are only vulnerable if you jailbreak, install ssh and leave root password as “alpine”.
I suppose you might be safe if you don’t change the root password but make sure to leave ssh disabled via SBSettings. But you should really change the password to be safe!
November 12th, 2009 at 10:15 am
@Tom
SSH is just allows you to connect to your iphone wirelessly. So you can add/change or delte files. I’ve used it a lot to get video files that I shot on my 3G with Cycorder from my iPhone and into iMovie.
Problem is if you don’t change the default password from alpine you are wide open to hacking. It’s really a easy fix though.
@Joost is correct too about just turning it off, but the better solution is just changing the password. So easy to do with Terminal. I did a video 3 months ago on it. Email me if you want the link since I don’t think I’m allowed to post it here.
November 12th, 2009 at 10:20 am
SSH on the iPhone has this password since OS 1, I don’t understand what took so long for these exploits to be created AND WHY NOBODY CHANGED THE OPENSSH INSTALL TO SOMEHOW ASK FOR A PASSWORD?
This kind of issue should even require a specific change on Cydia, but the risk makes this necessary.
November 12th, 2009 at 10:24 am
So I’m jailbroke, but did not install anything to do with SSH, which means I’m safe right? What would i have to do to install SSH? Is it a certain app in cydia/rock?
November 12th, 2009 at 10:25 am
Thanks for the answers above. I was pretty sure I was ok – just wanted to confirm since I’m no expert on J/B.
November 12th, 2009 at 10:28 am
You should manually install OpenSSH.
And never forget that there is “root” and “mobile” users, both with the same default password. The mobile user wouldn’t create a mess on your system but could easily delete data like contacts, calendars, and read almost everything.
November 12th, 2009 at 12:15 pm
RON JEREMY says…
I’m a douche nozzle
November 12th, 2009 at 12:27 pm
Do we need to change both “root” and “mobile” passwords as Wesley suggests? All the tutorials I’ve seen seem only to be concerned with the root password. How do I change the mobile password? Since apple never intended for us to change these passwords, will changing them cause any problems with official apps and iTunes syncing? I never installed SSH, but I’m paranoid!
November 12th, 2009 at 12:38 pm
I just changed my password.. Thanks iPhone blog!
November 12th, 2009 at 1:14 pm
So if JB and no SSH no need to set a pass key if we do does it matter when it activates? Immidiatley or 5min later ?
November 12th, 2009 at 2:56 pm
I’ve got a guide for changing your SSH password on my site, the link in the post didn’t work for me just now so thought I’d link here
http://www.the-iblog.com/2008/11/24/tip-change-your-iphones-ssh-password/
November 12th, 2009 at 3:28 pm
Ron Jeremy the real Ron Jeremy says your to late copycat. But imitators still proves Ron Jeremy is loved. Eat a _____ straight up with cheese copycat.
November 12th, 2009 at 3:32 pm
Now that sounds like the real ron jeremy.
November 12th, 2009 at 3:35 pm
How can I change my root password since mobile terminal does not work thru “rock your phone” and 3.1.2 do I need to install cydia….or is there some other way?? Thanks
November 12th, 2009 at 3:36 pm
I can install it thru Rock but it just crashes when launched??
November 12th, 2009 at 3:58 pm
@Oliver Haslam:
The link you posted is only part of the story. If people dont read the feed-back postings on that page they miss half the problem and only end up changing the user account leaving root wide open.
Why not revise the posting to make that PERFECTLY clear. Not everyone wades thru the comments.
November 13th, 2009 at 11:13 am
To late. This was posted on my blog several weeks ago. Cool that the Iphone blog finally catches up.