Wednesday, November 11, 2009

Info Stealer targets Jailbroken iPhones

A week has barely passed since the first iPhone worm (Worm.iPhoneOS.Ikee) came ‘rickrolling’ into our collective awareness, and now we already have its first official copycat!

A new Trojan has been spotted using the very same technique as the ikee worm to break into jailbroken iPhones. It scans a network (a home, office, or public wifi network would suffice) for the presence of jailbroken iPhones still running SSH. Enabling SSH is a common step in jailbreaking, as this allows the user to log in to the phone remotely and execute shell commands. And, as should be common knowledge by now, all iPhones have the same default root password, which users neglect to change after jailbreaking them.

What this new Trojan lacks in originality of technique, however, it more than makes up for with a more vicious payload. Whereas the ikee worm contents itself with changing the iPhone wallpaper, this new Trojan will steal data from compromised devices! This means all SMS messages and contact lists stored on vulnerable phones are up for grabs!

While these new pieces of iPhone malware are breaking news, we should realize that the SSH vulnerability they exploit is really nothing new. It has been there ever since the first jailbroken iPhone. In fact, before ikee, Ars Technica ran an article on their site about a ‘ransomware’ spreading in the Netherlands. It scans networks for iPhones with SSH enabled, then sends the owners the following SMS message:

When you visit his site, he then charges you €5 for instructions on how to secure your phone, information that is actually available to anyone for free.

So let's all learn the lesson here. First, there are very real risks to jailbreaking. Second, and more important, never use default passwords, whether for your combination locks at home or for your digital devices.