What lessons can be learned from the iPhone worms?
Word spread quickly earlier this week when the first known worms targeting the Apple iPhone surfaced days apart in Australia and the Netherlands. Neither inflicts serious harm on devices — though perhaps the Australian "Ikee" worm is guilty of crimes against good taste, as it swaps out the iPhone's wallpaper for a vintage photo of Rick Astley. The events are notable, however, because they only affect jailbroken iPhones, raising questions over whether the iPhone jailbreaking community behaves responsibly when it frees the devices from Apple's factory restrictions.
Ikee was created on November 4 by Ashley Towns, a programmer from Wollongong, Australia. The worm propagates by scanning IP ranges in the blocks used by the iPhone's Australian carrier, checking for iPhone OS fingerprints, and looking for a running SSH daemon on any iPhones it finds. Because all iPhones ship from the factory with the same default root password, "alpine", the worm can connect, copy itself over to the new device, install its signature wallpaper, and repeat. Ikee also deactivates SSHd on the host phone as part of its payload, but it does not change the root password. Thus, restarting SSH makes the phone vulnerable to reinfection.
It attracted considerably less public attention than Ikee, but on November 2, a worm surfaced in the Netherlands using the exact same attack vector: IP range scanning of the approved 3G carrier, OS fingerprinting, and connecting via SSH using the default password. The Dutch worm lacked the campy sensibility of Ikee; rather than Rickrolling the iPhone's wallpaper, it popped-up a message telling the user that the iPhone was insecure and asking €4.95 for instructions on how to secure it. That same day, however, the author changed his mind and posted both an apology and free instructions for securing the phone on the web site to which the worm pointed its victims.
Jailbreaks are risky. Much like in real life.
"Jailbreaking" refers to hacks that enable full access to the iPhone's operating system, and is distinct from SIM unlocking, which removes carrier-restrictions that limit the device to registering on only approved 3G networks. The iPhone has multiple layers of security built into the OS, including everything from boot loader restrictions to application code signing. The term "jailbreak" originates from the fact that all iPhone applications run inside a chroot jail; when connecting the iPhone to a Mac or PC only the contents of the chroot jail are accessed by the iTunes application for installing and removing media content and applications.
Consequently, breaking out of the chroot jail is required to perform any real OS customization, and the popular jailbreaking utilities set up niceties that most hackers will expect on a Unix-like system like OS X. That includes SSH, which obviates the need to keep the phone attached to a PC by cable while working on it.
It is Apple's decision to ship all models of its iPhone with the same root password — a tactic common to embedded device makers, if not particularly secure. The point of debate is whether the security hole left open by the combination of a default root password and a running SSH daemon is Apple's fault, the jailbreaking tool authors', or simply the users'.
Searching for solutions
Changing the password is simple enough; should PwnageTool, PurpleRa1n, and the other jailbreak utilities do so upon installation, either by automatically generating a new password or by prompting the user? An Australian blogger who interviewed Towns about Ikee thinks so; he posted an opinion piece following up on the interview in which he asks the jailbreaking tool developers to to do just that.
From reading the various news sites' discussions, it is clear that plenty of others disagree, noting that the responsibility for securing the device stops with the end user. But is there any substantial risk to changing the root password on the device, when measured against the risks of a default password exploit? Default password exploits are well-known enough that most end-user applications have moved away from them; other than the fact that the iPhone is an embedded system, why should it be measured by different standards than a desktop or server, or for that matter, a PayPal account?
For comparison's sake, Android phones do not include a password-enabled root account, and although changing this is well-documented, it is a complicated process even for the comparatively unlocked Android Dev Phone 1. Similarly, installing a working SSH daemon is not a straightforward process even on a rooted phone. On the other hand, Maemo offers OpenSSH (both client and server) as a one-click install, but installing it automatically prompts the user to change the root password from its default.
ComputerWorld's Robert McMillan speculates that Apple cares little about the issue — jailbroken phones are not covered by warranty, so there is no incentive for the company to close its part of the security hole by changing its root password policy. In fact, it may tacitly approve of the negative press generated around jailbreaking.
On the other hand, as the author of the Dutch worm put it,
"the way I got access to your iPhone can be used by thousands of
others. And they can send text messages from your number (like I did..),
use it to call (or record your calls), and actually whatever they want
[...]
" The next exploit taking advantage of the iPhone's default root
password may not require a jailbroken device. Apple will surely sit up and
take notice then. In the meantime, though, the question remains: should
the people who care about freeing a device from the factory's proprietary
lock-downs also care about putting it into a secure state once it is
free?
While some FOSS-based phones may not require jailbreaking — or
not enable SSHd as part of the process — there are warnings here for Google,
Nokia, Palm, and others. By forcing users to perform dodgy operations on
their phones, in order to enable the functionality they want, phone
makers may very well be putting those users at risk. Whether the
underlying code is open source or proprietary doesn't alter that risk.
| Index entries for this article | |
|---|---|
| Security | Mobile phones |
| GuestArticles | Willis, Nathan |
Posted Nov 11, 2009 20:07 UTC (Wed)
by sourcejedi (guest, #45153)
[Link] (2 responses)
That said, I think the speculation on future attacks on un-broken iPhones, and Apples alledged responsibility for the security of jail-broken phones, is unfortunate FUD.
> other than the fact that the iPhone is an embedded system, why should it be measured by different standards
The reason here is that the iPhone doesn't use the root password for anything.
It's unfortunate, and yes, ideally they should have disabled it. Defense in depth is always a good thing. But unless they left a "sudo" binary (with suid root) lying around somewhere, I can't see how it has any real effect on the security of an un-broken iPhone.
> should PwnageTool, PurpleRa1n, and the other jailbreak utilities [change the root password] upon installation, either by automatically generating a new password or by prompting the user?
Yes, this should be a part of any process which enables remote root login on the iPhone.
If you can't make it safe automatically, don't distribute it. Definitions of safety may vary, but "enables remote root login using the default password" is not a good one :-).
> is there any substantial risk to changing the root password on the device
Probably yes. If you forget the new password, I assume it will be harder to regain control of your system. That's true of all systems, but the combination of an embedded system and vendor lockdown makes it rather more worrying than usual.
Here's one possible trick which might balance these issues:
DISCLAIMER: NOT TESTED AT ALL (AND DEFINITELY NOT ON AN IPHONE)
/etc/passwd
/etc/sshd/config
Login remotely using "admin". The system will call you "root". You should still be able to login locally using "root" and the default password.
DISCLAIMER: BASED ON YEARS-OLD MEMORIES OF A ONE-OFF HACK
Posted Nov 11, 2009 20:54 UTC (Wed)
by mosfet (guest, #45339)
[Link] (1 responses)
No Jailbreak Tool I know installs SSH by default. You have to download and install it afterwards.
> If you can't make it safe automatically, don't distribute it. Definitions of safety may vary, but "enables remote root login using the default password" is not a good one :-).
Indeed. The tool which installs SSH should check for the default password and ask for a new one. But IIRC it is only a .deb package without any frontend interaction.
Also I remember a warning about exactly this problem, when I played around with jailbreaks and ssh on the iPhone.
Posted Nov 11, 2009 22:23 UTC (Wed)
by sourcejedi (guest, #45153)
[Link]
Posted Nov 11, 2009 23:02 UTC (Wed)
by stefanor (subscriber, #32895)
[Link] (2 responses)
Is this an oddity that isn't seen elsewhere?
Posted Nov 11, 2009 23:32 UTC (Wed)
by ewan (guest, #5533)
[Link] (1 responses)
Posted Nov 11, 2009 23:45 UTC (Wed)
by drag (guest, #31333)
[Link]
But remember that the iPhone has Wifi capabilities and like most consumer
Posted Nov 11, 2009 23:52 UTC (Wed)
by lbt (subscriber, #29672)
[Link]
Yes.
As you note, Maemo is very responsible in this area and Mer (the community port that runs on older/other devices) takes security very seriously.
Personally I think it's irresponsible to release a package that opens up a network port and allows remote access to any account (never mind root) without offering adequate protection.
Moving on, it's interesting that the Maemo6 platform offers some very strong security features indeed - and they seem to be designed so they maintain (and permit) platform security even with a community modified kernel and applications - never mind a simple chroot jailbreak.
Posted Nov 12, 2009 3:42 UTC (Thu)
by pr1268 (guest, #24648)
[Link]
...though perhaps the Australian "Ikee" worm is guilty of crimes against good taste, as it swaps out the iPhone's wallpaper for a vintage photo of Rick Astley. Poor Rick Astley gets no respect these days... ;-)
Posted Nov 12, 2009 11:03 UTC (Thu)
by NAR (subscriber, #1313)
[Link] (2 responses)
On the other hand - default root password in 2009? Are they nuts?
Posted Nov 12, 2009 19:49 UTC (Thu)
by dariush (guest, #39924)
[Link] (1 responses)
Is the root account accessible in any way on an unmodified phone for someone knowing the password? If not, then I don't see how changing the password would improve security.
Of course, going the extra mile and securing against attacks which even theoretically should be impossible (within the security design of the device) is hardly a bad idea. If only since it may help mitigate currently unfeasible attacks in the future.
But if the security design of the iPhone isn't depending the strongness of the root password, then I can understand why Apple never bothered to change it.
cheers
Posted Nov 12, 2009 22:03 UTC (Thu)
by NAR (subscriber, #1313)
[Link]
If they don't have such checklist or it doesn't contain "are there any default passwords on the system?" or they don't care - that doesn't look well for their other products. I don't think it would be that complicated to not have a root password, so it wouldn't be possible to login at all as root.
Posted Nov 12, 2009 12:50 UTC (Thu)
by madhatter (subscriber, #4665)
[Link] (1 responses)
so you have to run a cable to the phone to use this attack method.
Posted Nov 14, 2009 1:12 UTC (Sat)
by giraffedata (guest, #1954)
[Link]
Posted Nov 12, 2009 14:05 UTC (Thu)
by daniels (subscriber, #16193)
[Link] (1 responses)
Posted Nov 12, 2009 15:43 UTC (Thu)
by n8willis (subscriber, #43041)
[Link]
Nate
What lessons can be learned from the iPhone worms?
root:x:0:...
admin:x:0:...
DenyUsers root
What lessons can be learned from the iPhone worms?
>
> Yes, this should be a part of any process which enables remote root login on the iPhone.
What lessons can be learned from the iPhone worms?
Network-wide firewalled Incoming Connections?
Network-wide firewalled Incoming Connections?
Network-wide firewalled Incoming Connections?
server.
mobile devices it will probably happily latch itself to any network that
presents itself to the phone.
What lessons can be learned from the iPhone worms?
What lessons can be learned from the iPhone worms?
This is an interesting story. From one point of view, people played with fire and got burn - what's the problem? I mean it's like somebody modified his car, added some extra horsepower (without upgrading the breaks), then crashed in the first corner - I can't really feel sorry for them. There is a reason one can't drive anything on public roads.
What lessons can be learned from the iPhone worms?
What lessons can be learned from the iPhone worms?
Dariush
What lessons can be learned from the iPhone worms?
What lessons can be learned from the iPhone worms?
No password (assuming you mean you can log in without a password) makes more sense than default password. No password has the benefit of making it easier for authorized users to use, at the cost of increasing the chance of an unauthorized access (it's increased because there's always the possibility that the engineers overlooked some other method of running a login program). Default password just makes it harder for the authorized person while not slowing down the hacker at all.
What lessons can be learned from the iPhone worms?
What lessons can be learned from the iPhone worms?
What lessons can be learned from the iPhone worms?