1st Self-Perpetuating iPhone Worm – a Jailbreak coming of Astley story


Thanks to the insecurity of a majority of the Jailbreaked community, Rick Astley is Rick Rolling Australian iPhones. The worm, dubbed Ikee does more than photocopy a goeey mug of the smooth and sexy singer; it safaris itself around local networks, looking for other infectable iPhones to plaster. Fortunately, the backdoor which Astley steals in from is most likely user error: Apple’s root password ‘alpine’ (which is needed to SSH into the device), is the same on every iDevice. Jailbreaked users can change it to anything which, like Rick, may tickle their fancy, but the onus is on the user, not Apple. Security firm, Sophos, are blogging about it right now, riding high on raging (and humorous) whuffie spawned by clever forum users.

[via CNET UK]

  • Zane

    So the inevitable has finally happened… Someone has finally decided to take simple user oversight and turn it into something potentially malicious. True the iD10t’S should have changed the lame default password, but it’s common knowledge most end users are ignorant of basic security principles.

    The “scene” can’t be held responsible for blatent user error. Perhaps tools like PwnageTool could in theory force a user to set a password and use their choice to build a passwd/shadow files from their choice through say a script built into the IPSW set to launch on boot fix the password and selfdestruct. That might be a stop-gap solution to prevent so many jailbroken devices from running SSH with a default passwd. Or perhaps SSH can itself check the signature of the passwd/shadow files and if it matches the default password simply refuse to run until the user changes it, since I’m fairly certain every device no matter the model even should have the identical HASH/SALT. Considering they are all basically clones, unless the default pass stuff gets generated on the fly during a restore or after the first boot after a restore.

    In any case anyone who is willing to take the time to jailbreak should take the extra 30sec to change the passwords of both root and mobile so bullshit like this can’t wipe out their phones. And maybe the scene could build in some stuff to force users to change the passwords but seriously it’s not their job or responsibility and probably wouldn’t do a whole lot of good in the long run anyway…

  • Great comment Zane. My first iPod touch spent all of its days (till I sold it in 2008) Jailbreaked and the first thing I did was change the password. The problem of course (and as you agree on) is that users don’t change the defaults. It takes a few seconds more, but as we see with Astely, it would mean the absence of a self-perpetuating software.

Next ArticleXewton Music Studio Promo Code Giveaway (bonanza)! - Closed