Comments on: 1st Self-Perpetuating iPhone Worm – a Jailbreak coming of Astley story http://www.touchmyapps.com/2009/11/09/1st-self-perpetuating-iphone-worm/ All Things iPhone for those who like to Touch. App reviews, News, New Apps and Price Drops. Updated Daily Thu, 11 Mar 2010 23:29:16 +0000 http://wordpress.org/?v=2.9 hourly 1 By: shigzeohttp://www.touchmyapps.com/2009/11/09/1st-self-perpetuating-iphone-worm/comment-page-1/#comment-18720 shigzeo Tue, 10 Nov 2009 03:33:07 +0000 http://www.touchmyapps.com/?p=22855#comment-18720 Great comment Zane. My first iPod touch spent all of its days (till I sold it in 2008) Jailbreaked and the first thing I did was change the password. The problem of course (and as you agree on) is that users don't change the defaults. It takes a few seconds more, but as we see with Astely, it would mean the absence of a self-perpetuating software. Great comment Zane. My first iPod touch spent all of its days (till I sold it in 2008) Jailbreaked and the first thing I did was change the password. The problem of course (and as you agree on) is that users don’t change the defaults. It takes a few seconds more, but as we see with Astely, it would mean the absence of a self-perpetuating software.

]]> By: Zanehttp://www.touchmyapps.com/2009/11/09/1st-self-perpetuating-iphone-worm/comment-page-1/#comment-18688 Zane Mon, 09 Nov 2009 23:09:38 +0000 http://www.touchmyapps.com/?p=22855#comment-18688 So the inevitable has finally happened… Someone has finally decided to take simple user oversight and turn it into something potentially malicious. True the iD10t'S should have changed the lame default password, but it's common knowledge most end users are ignorant of basic security principles.The "scene" can't be held responsible for blatent user error. Perhaps tools like PwnageTool could in theory force a user to set a password and use their choice to build a passwd/shadow files from their choice through say a script built into the IPSW set to launch on boot fix the password and selfdestruct. That might be a stop-gap solution to prevent so many jailbroken devices from running SSH with a default passwd. Or perhaps SSH can itself check the signature of the passwd/shadow files and if it matches the default password simply refuse to run until the user changes it, since I'm fairly certain every device no matter the model even should have the identical HASH/SALT. Considering they are all basically clones, unless the default pass stuff gets generated on the fly during a restore or after the first boot after a restore.In any case anyone who is willing to take the time to jailbreak should take the extra 30sec to change the passwords of both root and mobile so bullshit like this can't wipe out their phones. And maybe the scene could build in some stuff to force users to change the passwords but seriously it's not their job or responsibility and probably wouldn't do a whole lot of good in the long run anyway… So the inevitable has finally happened… Someone has finally decided to take simple user oversight and turn it into something potentially malicious. True the iD10t’S should have changed the lame default password, but it’s common knowledge most end users are ignorant of basic security principles.

The “scene” can’t be held responsible for blatent user error. Perhaps tools like PwnageTool could in theory force a user to set a password and use their choice to build a passwd/shadow files from their choice through say a script built into the IPSW set to launch on boot fix the password and selfdestruct. That might be a stop-gap solution to prevent so many jailbroken devices from running SSH with a default passwd. Or perhaps SSH can itself check the signature of the passwd/shadow files and if it matches the default password simply refuse to run until the user changes it, since I’m fairly certain every device no matter the model even should have the identical HASH/SALT. Considering they are all basically clones, unless the default pass stuff gets generated on the fly during a restore or after the first boot after a restore.

In any case anyone who is willing to take the time to jailbreak should take the extra 30sec to change the passwords of both root and mobile so bullshit like this can’t wipe out their phones. And maybe the scene could build in some stuff to force users to change the passwords but seriously it’s not their job or responsibility and probably wouldn’t do a whole lot of good in the long run anyway…

]]>