Jailbroken, Installed SSH, Didn't Change Password? New Attack Aims to Steal Your Data


So you've jailbroken your iPhone, installed SSH, and still haven't changed your password from the default, despite our previous warnings about Dutch Ransomers and Australian Rickrollers? Maybe you thought those were just funny (as seen in this video from iPhoneMVP)? Well, now things have gotten more serious: there's a new attack making the rounds that just plain steals your data.

Same method of attack: the bad guy scans the local network for insecure SSH on jailbroken iPhones and, when the scan finds one, begins to copy your contacts, messages, email, events, photos, media, etc. This could, of course, include passwords, financial data, and those pics you never got around to deleting...

If you haven't already, go change your SSH password now. If you need help, go to the TiPb iPhone Forums and get it. Just secure your iPhone.

[Intego, thanks to everyone who sent this in]


Rene Ritchie


Reader comments

22 Comments

Will this affect non J/B's? Or are you only in trouble if you're J/B and leave the default pass for SSH?

If you J/B with PwnageTool and don't install anything other than ultrasnow (I only J/B for the carrier unlock), then I should be fine because I've never installed or used SSH, right?

What exactly is SSH? Is it automatically enabled? I'm pretty confused by the whole thing...

@Iain & @Dyvim
This is only an issue if you jailbroke, installed SSH and then did not change your default password on your iPhone (for both root and mobile I believe) from alpine to something else. Thus, you are both fine.
Frankly, this issue is getting way too much coverage. If you were smart enough to jailbreak (and we all know it's not hard) then you certainly can change the password within 10 minutes. Those who don't ALMOST deserve what they get. The only problem is don't forget that when you re-jailbreak like with PwnageTool for 3.1.2 that you have to change password again. In fact, this should be added to the end of any jailbreak step-by-step guide.

If you don't jailbreak, or do jailbreak and don't install ssh you're safe. If you do install jailbreak and do change superuser password, you're safe.
You are only vulnerable if you jailbreak, install ssh and leave root password as "alpine".
I suppose you might be safe if you don't change the root password but make sure to leave ssh disabled via SBSettings. But you should really change the password to be safe!

@Tom
SSH just allows you to connect to your iPhone wirelessly. So you can add/change or delete files. I've used it a lot to get video files that I shot on my 3G with Cycorder from my iPhone and into iMovie.
Problem is if you don't change the default password from alpine you are wide open to hacking. It's really an easy fix though.
@Joost is correct too about just turning it off, but the better solution is just changing the password. So easy to do with Terminal. I did a video 3 months ago on it. Email me if you want the link since I don't think I'm allowed to post it here.

SSH on the iPhone has this password since OS 1, I don't understand what took so long for these exploits to be created AND WHY NOBODY CHANGED THE OPENSSH INSTALL TO SOMEHOW ASK FOR A PASSWORD?
This kind of issue should even require a specific change on Cydia, but the risk makes this necessary.

So I'm jailbroke, but did not install anything to do with SSH, which means I'm safe right? What would i have to do to install SSH? Is it a certain app in cydia/rock?

Thanks for the answers above. I was pretty sure I was ok - just wanted to confirm since I'm no expert on J/B.

You should manually install OpenSSH.
And never forget that there is "root" and "mobile" users, both with the same default password. The mobile user wouldn't create a mess on your system but could easily delete data like contacts, calendars, and read almost everything.

Do we need to change both "root" and "mobile" passwords as Wesley suggests? All the tutorials I've seen seem only to be concerned with the root password. How do I change the mobile password? Since apple never intended for us to change these passwords, will changing them cause any problems with official apps and iTunes syncing?
I never installed SSH, but I'm paranoid!

So if JB and no SSH no need to set a pass key if we do does it matter when it activates? Immediately or 5 min later?

Ron Jeremy the real Ron Jeremy says you're too late copycat. But imitators still prove Ron Jeremy is loved. Eat a _____ straight up with cheese copycat.

How can I change my root password since mobile terminal does not work thru "rock your phone" and 3.1.2 do I need to install cydia....or is there some other way?? Thanks

@Oliver Haslam:
The link you posted is only part of the story. If people don't read the feed-back postings on that page they miss half the problem and only end up changing the user account leaving root wide open.
Why not revise the posting to make that PERFECTLY clear. Not everyone wades thru the comments.

Too late.
This was posted on my blog several weeks ago.
Cool that the iPhone blog finally catches up.

I jailbroke my phone using PwnageTool just last night and I read this today. I tried changing my root password and the default password doesn't work. What should I do? Am I at risk of getting hacked? How can I get rid of it? Should I re-jailbreak my phone again?