iPhone Hacks And Security Risks: Whaddya Know, Apple Was Serious
Back in September 2007, Apple warned iPhone owners not to jailbreak and carrier-unlock their handsets, citing the potential for permanent inoperability that might result and noting that such damage would not be covered by warranty protection. Since then, the company has regularly repeated such statements, expanding them to include the potential for security breaches to networks on which the jailbroken iPhone (or iPod touch, for that matter) was operating. And as regular readers already know, I chose to ignore those warnings a few months ago.
In retrospect, my nonchalance wasn’t wise (particularly since it’s reminiscent of past situations). My T-Mobile-enabled iPhone 3G is still running iPhone firmware v3.01, since jailbreak software for the latest-generation v3.12 firmware only recently became available. And I haven’t enabled the jailbroken operating system’s SSH server capabilities via the OpenSSH software available from Cydia. Nonetheless, I was very concerned when I learned the other day that a worm had been developed which exploits the ‘alpine’ default mobile (user) and root passwords used by the iPhone’s variant of Mac OS X.
The technique used by the worm developer is pretty clever. A compromised iPhone randomly polls IP addresses on its network; when it finds other jailbroken handsets with SSH enabled and the default password still in place, it installs itself on them (and ironically then helpfully disables inbound SSH capabilities); the worm subsequently spreads. This initial variant of the malware is fairly innocuous; all that it does is change the handset’s screen wallpaper to an image of a particularly annoying 80’s musician. But since the source code has been published, I think you can imagine how it could be adapted for far more nefarious purposes.
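The scan-then-spread behaviour described above leaves a recognisable trace in network flow data. As an added example (not from the original post or from the worm's published code), the Python below flags hosts that open SSH connections to many distinct addresses within a short window and links each one to the earlier sweeper whose SSH session it accepted; the flow-record layout, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict

SSH_PORT = 22
WINDOW = 60       # seconds; assumed threshold
MIN_TARGETS = 5   # distinct SSH destinations within WINDOW that count as a sweep; assumed

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, session_accepted)
FLOWS = (
    # First sweeper; only 10.0.0.12 accepts the login.
    [(i, "10.0.0.5", f"10.0.0.{10 + i}", 22, i == 2) for i in range(6)]
    # The host that accepted starts sweeping half a minute later.
    + [(30 + i, "10.0.0.12", f"10.0.0.{20 + i}", 22, False) for i in range(6)]
    # An administrator who logs in to one server repeatedly: many flows, one target.
    + [(10 * i, "10.0.0.2", "10.0.0.50", 22, True) for i in range(8)]
    + [(3, "10.0.0.7", "10.0.0.80", 443, True)]  # unrelated HTTPS traffic
)

def find_sweepers(flows, window=WINDOW, min_targets=MIN_TARGETS):
    """Map each sweeping source to the time its sweep began."""
    recent = defaultdict(list)  # src -> [(ts, dst)] still inside the window
    sweepers = {}
    for ts, src, dst, port, _ in sorted(flows):
        if port != SSH_PORT:
            continue
        hits = [(t, d) for t, d in recent[src] if ts - t <= window] + [(ts, dst)]
        recent[src] = hits
        if src not in sweepers and len({d for _, d in hits}) >= min_targets:
            sweepers[src] = hits[0][0]  # earliest flow in the window that crossed the threshold
    return sweepers

def propagation_chain(flows, window=WINDOW, min_targets=MIN_TARGETS):
    """Link each sweeper to the sweeper whose SSH session it accepted earlier."""
    sweepers = find_sweepers(flows, window, min_targets)
    chain = {}
    for host, started in sweepers.items():
        parents = [(ts, src) for ts, src, dst, port, ok in flows
                   if dst == host and port == SSH_PORT and ok
                   and src in sweepers and ts <= started]
        chain[host] = max(parents)[1] if parents else None  # most recent parent
    return chain

if __name__ == "__main__":
    for host, parent in propagation_chain(FLOWS).items():
        print(f"{host}: SSH sweep detected, likely source: {parent or 'unknown'}")
```

The administrator at 10.0.0.2 generates more SSH flows than either sweeper but is not flagged, because the test counts distinct destinations rather than connections.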
As I said above, I don’t have SSH enabled. Nonetheless, I went ahead and changed the mobile and root accounts’ common password, since SSH is conceivably not the only way that someone might attempt to gain control of my handset going forward. I followed these instructions, installing the MobileTerminal application in the process. Another set of instructions I subsequently found gives more detailed information on installing MobileTerminal.
Again, this particular issue only applies to jailbroken iPhones. Nonetheless, the open source nature of both the code that was circumvented and the code used to do the circumvention reminds me of a diatribe I wrote 2.5 years back. To be fair, users are encouraged to change the default operating system passwords as part of the OpenSSH installation, but I’d lean towards the even stronger step of making a password update a flat-out requirement. More generally, this situation is a reminder of the inherent weakness of open source software; it’s open to inspection by both friendly and unfriendly coders. Therefore, if you employ open-source software in your designs, you’re responsible for keeping it up-to-date as a response to any vulnerabilities discovered in it, even after the system is purchased by an end customer.