Comments on: Jailbroken, Installed SSH, Didn't Change Password? New Attack Aims to Steal Your Data

By: ara

ara — Wed, 20 Jan 2010 14:45:24 +0000

i jailbroke my phone using pwnage tool just last night and i read this today. i tried changing my root password and the default password doesn't work. what should i do? am i in risk of getting hacked? how can i get rid of it? should i re-jailbreak my phone again?

By: Mange

Mange — Fri, 13 Nov 2009 16:13:05 +0000

To late. This was posted on my blog several weeks ago. Cool that the Iphone blog finally catches up.

By: icebike

icebike — Thu, 12 Nov 2009 20:58:34 +0000

@Oliver Haslam:

The link you posted is only part of the story. If people dont read the feed-back postings on that page they miss half the problem and only end up changing the user account leaving root wide open.

Why not revise the posting to make that PERFECTLY clear. Not everyone wades thru the comments.

By: paul

paul — Thu, 12 Nov 2009 20:36:38 +0000

I can install it thru Rock but it just crashes when launched??

By: paul

paul — Thu, 12 Nov 2009 20:35:05 +0000

How can I change my root password since mobile terminal does not work thru "rock your phone" and 3.1.2 do I need to install cydia....or is there some other way?? Thanks

By: billythekid

billythekid — Thu, 12 Nov 2009 20:32:27 +0000

Now that sounds like the real ron jeremy.

By: RON JEREMY

RON JEREMY — Thu, 12 Nov 2009 20:28:02 +0000

Ron Jeremy the real Ron Jeremy says your to late copycat. But imitators still proves Ron Jeremy is loved. Eat a _____ straight up with cheese copycat.

By: Oliver Haslam

Oliver Haslam — Thu, 12 Nov 2009 19:56:06 +0000

I've got a guide for changing your SSH password on my site, the link in the post didn't work for me just now so thought I'd link here

http://www.the-iblog.com/2008/11/24/tip-change-your-iphones-ssh-password/

By: DumbutT

DumbutT — Thu, 12 Nov 2009 18:14:53 +0000

So if JB and no SSH no need to set a pass key if we do does it matter when it activates? Immidiatley or 5min later ?

By: Gino from the Bronx

Gino from the Bronx — Thu, 12 Nov 2009 17:38:41 +0000

I just changed my password.. Thanks iPhone blog!

By: tys

tys — Thu, 12 Nov 2009 17:27:48 +0000

Do we need to change both "root" and "mobile" passwords as Wesley suggests? All the tutorials I've seen seem only to be concerned with the root password. How do I change the mobile password? Since apple never intended for us to change these passwords, will changing them cause any problems with official apps and iTunes syncing? I never installed SSH, but I'm paranoid!

By: Wesley

Wesley — Thu, 12 Nov 2009 15:28:07 +0000

You should manually install OpenSSH.

And never forget that there is "root" and "mobile" users, both with the same default password. The mobile user wouldn't create a mess on your system but could easily delete data like contacts, calendars, and read almost everything.

By: Dyvim

Dyvim — Thu, 12 Nov 2009 15:25:37 +0000

Thanks for the answers above. I was pretty sure I was ok - just wanted to confirm since I'm no expert on J/B.

By: Tom

Tom — Thu, 12 Nov 2009 15:24:23 +0000

So I'm jailbroke, but did not install anything to do with SSH, which means I'm safe right? What would i have to do to install SSH? Is it a certain app in cydia/rock?

By: Wesley

Wesley — Thu, 12 Nov 2009 15:20:28 +0000

SSH on the iPhone has this password since OS 1, I don't understand what took so long for these exploits to be created AND WHY NOBODY CHANGED THE OPENSSH INSTALL TO SOMEHOW ASK FOR A PASSWORD?

This kind of issue should even require a specific change on Cydia, but the risk makes this necessary.

By: iphone4idiots

iphone4idiots — Thu, 12 Nov 2009 15:15:54 +0000

@Tom

SSH is just allows you to connect to your iphone wirelessly. So you can add/change or delte files. I've used it a lot to get video files that I shot on my 3G with Cycorder from my iPhone and into iMovie.

Problem is if you don't change the default password from alpine you are wide open to hacking. It's really a easy fix though.

@Joost is correct too about just turning it off, but the better solution is just changing the password. So easy to do with Terminal. I did a video 3 months ago on it. Email me if you want the link since I don't think I'm allowed to post it here.

By: Bear

Bear — Thu, 12 Nov 2009 15:11:49 +0000

If you don't jailbreak, or do jailbreak Nd don't install ssh you're safe. If you do install jailbreak and do change superuser password, you're safe.

You are only vulnerable if you jailbreak, install ssh and leave root password as "alpine".

I suppose you might be safe if you don't change the root password but make sure to leave ssh disabled via SBSettings. But you should really change the password to be safe!

By: iphone4idiots

iphone4idiots — Thu, 12 Nov 2009 15:10:27 +0000

@Iain & @Dyvim

This is only an issue if you jailbroke, installed SSH and then did not change your default password on your iPhone (for both root and mobile I believe) from alpine to something else. Thus, you are both fine.

Frankly, this issue is getting way too much coverage. If you were smart enough to jailbreak (and we all know its not hard) then you certainly can change the password within 10 minutes. Those who don't ALMOST deserve what they get. The only problem is don't forget that when you re-jailbreak like with PwnageTool for 3.1.2 that you have to change password again. In fact, this should be added to the end of any jailbreak step-by step guide.

By: Tom

Tom — Thu, 12 Nov 2009 15:10:13 +0000

What exactly is SSH? Is it automatically enabled? I'm pretty confused by the whole thing...

By: Joost

Joost — Thu, 12 Nov 2009 15:08:42 +0000

Another option is to simply turn off SSH. SBSsettings has that option if you've installed it.

By: Dyvim

Dyvim — Thu, 12 Nov 2009 14:54:29 +0000

If you J/B with PwnageTool and don't install anything other than ultrasnow (I only J/B for the carrier unlock), then I should be fine because I've never installed or used SSH, right?

By: Iain 117

Iain 117 — Thu, 12 Nov 2009 14:51:44 +0000

Will this affect non J/B's? Or are you only in trouble if you're J/B and leave the default pass for SSH?