
Jailbroken, Installed SSH, Didn't Change Password? New Attack Aims to Steal Your Data

So you've jailbroken your iPhone, installed SSH, and still haven't changed your password from the default, despite our previous warnings about Dutch Ransomers and Australian Rickrollers? Maybe you thought those were just funny (as seen in this video from iPhoneMVP)? Well, now things have gotten more serious -- there's a new attack making the rounds that just plain steals your data.

Same method of attack: the bad guy scans the local network for insecure SSH on jailbroken iPhones and, on finding it, begins to copy your contacts, messages, email, events, photos, media, etc. This could, of course, include passwords, financial data, and those pics you never got around to deleting...

If you haven't already, go change your SSH password now. If you need help, go to the TiPb iPhone Forums and get it. Just secure your iPhone.
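One way to confirm the change actually took on every account, as an added example that is not part of the original post: the script below audits a BSD-style password file (`name:hash:uid:...`, assumed here to be the layout of the device's `/etc/master.passwd`) and reports whether `root` and `mobile` still hold the stock hash. The function name `audit_accounts` and the `STOCK` value are hypothetical; `STOCK` is a constructed placeholder to be replaced with the hash string your own file held for these accounts before you changed them.

```shell
#!/bin/sh
# Added example, not from the article. Assumes a BSD-style password file
# (name:hash:uid:...). STOCK is a constructed placeholder, not a real hash.

# audit_accounts FILE STOCK_HASH ACCOUNT...
# Prints "<account> <status>" per account; returns 1 if any account is
# DEFAULT (stock hash), EMPTY (no password) or MISSING (could not verify).
audit_accounts() {
    file=$1; stock=$2; shift 2
    awk -F: -v stock="$stock" -v want="$*" '
        /^#/ || NF < 2 { next }              # skip comments and blank lines
        { hash[$1] = $2; seen[$1] = 1 }
        END {
            n = split(want, names, " "); bad = 0
            for (i = 1; i <= n; i++) {
                a = names[i]
                if (!(a in seen))             { s = "MISSING"; bad = 1 }
                else if (hash[a] == stock)    { s = "DEFAULT"; bad = 1 }
                else if (hash[a] == "")       { s = "EMPTY";   bad = 1 }
                else if (hash[a] ~ /^[*!]/)   { s = "LOCKED" }
                else                          { s = "CHANGED" }
                print a, s
            }
            exit bad
        }' "$file"
}

# Constructed sample: mobile was changed, root was overlooked.
STOCK='STOCKHASH_PLACEHOLDER'
sample=$(mktemp)
cat > "$sample" <<EOF
# constructed sample, not copied from a device
root:$STOCK:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:Qz8constructed01:501:501::0:0:Mobile User:/var/mobile:/bin/sh
EOF

audit_accounts "$sample" "$STOCK" root mobile \
    || echo "At least one account still needs a new password"
rm -f "$sample"
```

Re-running the audit after any restore or re-jailbreak catches the case where the passwords have silently reverted to the default.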

[Intego, thanks to everyone who sent this in]

Rene Ritchie

  • Will this affect non J/B's? Or are you only in trouble if you're J/B and leave the default pass for SSH?
  • If you J/B with PwnageTool and don't install anything other than ultrasnow (I only J/B for the carrier unlock), then I should be fine because I've never installed or used SSH, right?
  • Another option is to simply turn off SSH. SBSettings has that option if you've installed it.
  • What exactly is SSH? Is it automatically enabled? I'm pretty confused by the whole thing...
  • @Iain & @Dyvim
    This is only an issue if you jailbroke, installed SSH and then did not change your default password on your iPhone (for both root and mobile I believe) from alpine to something else. Thus, you are both fine.
    Frankly, this issue is getting way too much coverage. If you were smart enough to jailbreak (and we all know it's not hard) then you certainly can change the password within 10 minutes. Those who don't ALMOST deserve what they get. The only problem is don't forget that when you re-jailbreak like with PwnageTool for 3.1.2 that you have to change password again. In fact, this should be added to the end of any jailbreak step-by-step guide.
  • If you don't jailbreak, or do jailbreak and don't install ssh you're safe. If you do install jailbreak and do change superuser password, you're safe.
    You are only vulnerable if you jailbreak, install ssh and leave root password as "alpine".
    I suppose you might be safe if you don't change the root password but make sure to leave ssh disabled via SBSettings. But you should really change the password to be safe!
  • @Tom
    SSH just allows you to connect to your iPhone wirelessly. So you can add/change or delete files. I've used it a lot to get video files that I shot on my 3G with Cycorder from my iPhone and into iMovie.
    Problem is if you don't change the default password from alpine you are wide open to hacking. It's really an easy fix though.
    @Joost is correct too about just turning it off, but the better solution is just changing the password. So easy to do with Terminal. I did a video 3 months ago on it. Email me if you want the link since I don't think I'm allowed to post it here.
  • SSH on the iPhone has this password since OS 1, I don't understand what took so long for these exploits to be created AND WHY NOBODY CHANGED THE OPENSSH INSTALL TO SOMEHOW ASK FOR A PASSWORD?
    This kind of issue should even require a specific change on Cydia, but the risk makes this necessary.
  • So I'm jailbroke, but did not install anything to do with SSH, which means I'm safe right? What would I have to do to install SSH? Is it a certain app in cydia/rock?
  • Thanks for the answers above. I was pretty sure I was ok - just wanted to confirm since I'm no expert on J/B.
  • You should manually install OpenSSH.
    And never forget that there is "root" and "mobile" users, both with the same default password. The mobile user wouldn't create a mess on your system but could easily delete data like contacts, calendars, and read almost everything.
  • Do we need to change both "root" and "mobile" passwords as Wesley suggests? All the tutorials I've seen seem only to be concerned with the root password. How do I change the mobile password? Since apple never intended for us to change these passwords, will changing them cause any problems with official apps and iTunes syncing?
    I never installed SSH, but I'm paranoid!
  • I just changed my password.. Thanks iPhone blog!
  • So if JB and no SSH no need to set a pass key if we do does it matter when it activates? Immediately or 5 min later?
  • I've got a guide for changing your SSH password on my site, the link in the post didn't work for me just now so thought I'd link here
  • Ron Jeremy the real Ron Jeremy says you're too late copycat. But imitators still proves Ron Jeremy is loved. Eat a _____ straight up with cheese copycat.
  • Now that sounds like the real ron jeremy.
  • How can I change my root password since mobile terminal does not work thru "rock your phone" and 3.1.2 do I need to install cydia....or is there some other way?? Thanks
  • I can install it thru Rock but it just crashes when launched??
  • @Oliver Haslam:
    The link you posted is only part of the story. If people don't read the feed-back postings on that page they miss half the problem and only end up changing the user account leaving root wide open.
    Why not revise the posting to make that PERFECTLY clear. Not everyone wades thru the comments.
  • Too late.
    This was posted on my blog several weeks ago.
    Cool that the iPhone blog finally catches up.
  • I jailbroke my phone using pwnage tool just last night and I read this today. I tried changing my root password and the default password doesn't work. What should I do? Am I at risk of getting hacked? How can I get rid of it? Should I re-jailbreak my phone again?