Weekly Edition
Return to the Security page
| |||||||||||||
What lessons can be learned from the iPhone worms?Word spread quickly earlier this week when the first known worms targeting the Apple iPhone surfaced days apart in Australia and the Netherlands. Neither inflicts serious harm on devices — though perhaps the Australian "Ikee" worm is guilty of crimes against good taste, as it swaps out the iPhone's wallpaper for a vintage photo of Rick Astley. The events are notable, however, because they only affect jailbroken iPhones, raising questions over whether the iPhone jailbreaking community behaves responsibly when it frees the devices from Apple's factory restrictions. Ikee was created on November 4 by Ashley Towns, a programmer from Wollongong, Australia. The worm propagates by scanning IP ranges in the blocks used by the iPhone's Australian carrier, checking for iPhone OS fingerprints, and looking for a running SSH daemon on any iPhones it finds. Because all iPhones ship from the factory with the same default root password, "alpine", the worm can connect, copy itself over to the new device, install its signature wallpaper, and repeat. Ikee also deactivates SSHd on the host phone as part of its payload, but it does not change the root password. Thus, restarting SSH makes the phone vulnerable to reinfection. It attracted considerably less public attention than Ikee, but on November 2, a worm surfaced in the Netherlands using the exact same attack vector: IP range scanning of the approved 3G carrier, OS fingerprinting, and connecting via SSH using the default password. The Dutch worm lacked the campy sensibility of Ikee; rather than Rickrolling the iPhone's wallpaper, it popped-up a message telling the user that the iPhone was insecure and asking €4.95 for instructions on how to secure it. That same day, however, the author changed his mind and posted both an apology and free instructions for securing the phone on the web site to which the worm pointed its victims. Jailbreaks are risky. Much like in real life."Jailbreaking" refers to hacks that enable full access to the iPhone's operating system, and is distinct from SIM unlocking, which removes carrier-restrictions that limit the device to registering on only approved 3G networks. The iPhone has multiple layers of security built into the OS, including everything from boot loader restrictions to application code signing. The term "jailbreak" originates from the fact that all iPhone applications run inside a chroot jail; when connecting the iPhone to a Mac or PC only the contents of the chroot jail are accessed by the iTunes application for installing and removing media content and applications. Consequently, breaking out of the chroot jail is required to perform any real OS customization, and the popular jailbreaking utilities set up niceties that most hackers will expect on a Unix-like system like OS X. That includes SSH, which obviates the need to keep the phone attached to a PC by cable while working on it. It is Apple's decision to ship all models of its iPhone with the same root password — a tactic common to embedded device makers, if not particularly secure. The point of debate is whether the security hole left open by the combination of a default root password and a running SSH daemon is Apple's fault, the jailbreaking tool authors', or simply the users'. Searching for solutionsChanging the password is simple enough; should PwnageTool, PurpleRa1n, and the other jailbreak utilities do so upon installation, either by automatically generating a new password or by prompting the user? An Australian blogger who interviewed Towns about Ikee thinks so; he posted an opinion piece following up on the interview in which he asks the jailbreaking tool developers to to do just that. From reading the various news sites' discussions, it is clear that plenty of others disagree, noting that the responsibility for securing the device stops with the end user. But is there any substantial risk to changing the root password on the device, when measured against the risks of a default password exploit? Default password exploits are well-known enough that most end-user applications have moved away from them; other than the fact that the iPhone is an embedded system, why should it be measured by different standards than a desktop or server, or for that matter, a PayPal account? For comparison's sake, Android phones do not include a password-enabled root account, and although changing this is well-documented, it is a complicated process even for the comparatively unlocked Android Dev Phone 1. Similarly, installing a working SSH daemon is not a straightforward process even on a rooted phone. On the other hand, Maemo offers OpenSSH (both client and server) as a one-click install, but installing it automatically prompts the user to change the root password from its default. ComputerWorld's Robert McMillan speculates that Apple cares little about the issue — jailbroken phones are not covered by warranty, so there is no incentive for the company to close its part of the security hole by changing its root password policy. In fact, it may tacitly approve of the negative press generated around jailbreaking. On the other hand, as the author of the Dutch worm put it, "the way I got access to your iPhone can be used by thousands of others. And they can send text messages from your number (like I did..), use it to call (or record your calls), and actually whatever they want [...]" The next exploit taking advantage of the iPhone's default root password may not require a jailbroken device. Apple will surely sit up and take notice then. In the meantime, though, the question remains: should the people who care about freeing a device from the factory's proprietary lock-downs also care about putting it into a secure state once it is free? While some FOSS-based phones may not require jailbreaking — or not enable SSHd as part of the process — there are warnings here for Google, Nokia, Palm, and others. By forcing users to perform dodgy operations on their phones, in order to enable the functionality they want, phone makers may very well be putting those users at risk. Whether the underlying code is open source or proprietary doesn't alter that risk. (Log in to post comments)
What lessons can be learned from the iPhone worms? Posted Nov 11, 2009 20:07 UTC (Wed) by sourcejedi (guest, #45153) [Link]
Good article. I am forced to agree that most of the questions you ask are valid. I have my own answers, but you give readers quite enough information to make up their own minds.
That said, I think the speculation on future attacks on un-broken iPhones, and Apples alledged responsibility for the security of jail-broken phones, is unfortunate FUD.
> other than the fact that the iPhone is an embedded system, why should it be measured by different standards
The reason here is that the iPhone doesn't use the root password for anything.
It's unfortunate, and yes, ideally they should have disabled it. Defense in depth is always a good thing. But unless they left a "sudo" binary (with suid root) lying around somewhere, I can't see how it has any real effect on the security of an un-broken iPhone.
> should PwnageTool, PurpleRa1n, and the other jailbreak utilities [change the root password] upon installation, either by automatically generating a new password or by prompting the user?
Yes, this should be a part of any process which enables remote root login on the iPhone.
If you can't make it safe automatically, don't distribute it. Definitions of safety may vary, but "enables remote root login using the default password" is not a good one :-).
> is there any substantial risk to changing the root password on the device
Probably yes. If you forget the new password, I assume it will be harder to regain control of your system. That's true of all systems, but the combination of an embedded system and vendor lockdown makes it rather more worrying than usual.
Here's one possible trick which might balance these issues:
DISCLAIMER: NOT TESTED AT ALL (AND DEFINITELY NOT ON AN IPHONE)
/etc/passwd
/etc/sshd/config
Login remotely using "admin". The system will call you "root". You should still be able to login locally using "root" and the default password.
DISCLAIMER: BASED ON YEARS-OLD MEMORIES OF A ONE-OFF HACK
What lessons can be learned from the iPhone worms? Posted Nov 11, 2009 20:54 UTC (Wed) by mosfet (guest, #45339) [Link]
> > should PwnageTool, PurpleRa1n, and the other jailbreak utilities [change the root password] upon installation, either by automatically generating a new password or by prompting the user?
> > Yes, this should be a part of any process which enables remote root login on the iPhone.
No Jailbreak Tool I know installs SSH by default. You have to download and install it afterwards.
> If you can't make it safe automatically, don't distribute it. Definitions of safety may vary, but "enables remote root login using the default password" is not a good one :-).
Indeed. The tool which installs SSH should check for the default password and ask for a new one. But IIRC it is only a .deb package without any frontend interaction.
Also I remember a warning about exactly this problem, when I played around with jailbreaks and ssh on the iPhone.
What lessons can be learned from the iPhone worms? Posted Nov 11, 2009 22:23 UTC (Wed) by sourcejedi (guest, #45153) [Link]
That's interesting. I thought PermitRootLogin was false by default, but I was wrong - both for upstream and the current Debian package. That makes it much more of a grey area.
Network-wide firewalled Incoming Connections? Posted Nov 11, 2009 23:02 UTC (Wed) by stefanor (subscriber, #32895) [Link]
How many cellphone networks allow incoming connections? In South Africa I only know of one that does, but you have to sign paperwork acknowledging that you'll be changed for traffic that's wasn't initiated by you before you can get access to that APN.
Is this an oddity that isn't seen elsewhere?
Network-wide firewalled Incoming Connections? Posted Nov 11, 2009 23:32 UTC (Wed) by ewan (subscriber, #5533) [Link]
It might be different if you're already inside the network. My understanding of one provider's 3G network is that it assigns everyone a 10.x.x.x private address, then has several layers of NAT to get to the outside world. That precludes any incoming connections from the internet, but it doesn't necessarily stop one device connecting to another internal to the 10.x.x.x network.
Network-wide firewalled Incoming Connections? Posted Nov 11, 2009 23:45 UTC (Wed) by drag (subscriber, #31333) [Link]
You could still have people reach you if your running a tunnel to a external
server.
But remember that the iPhone has Wifi capabilities and like most consumer
What lessons can be learned from the iPhone worms? Posted Nov 11, 2009 23:52 UTC (Wed) by lbt (subscriber, #29672) [Link]
>the question remains: should the people who care about freeing a device from the factory's proprietary lock-downs also care about putting it into a secure state once it is free?
Yes.
As you note, Maemo is very responsible in this area and Mer (the community port that runs on older/other devices) takes security very seriously.
Personally I think it's irresponsible to release a package that opens up a network port and allows remote access to any account (never mind root) without offering adequate protection.
Moving on, it's interesting that the Maemo6 platform offers some very strong security features indeed - and they seem to be designed so they maintain (and permit) platform security even with a community modified kernel and applications - never mind a simple chroot jailbreak.
What lessons can be learned from the iPhone worms? Posted Nov 12, 2009 3:42 UTC (Thu) by pr1268 (subscriber, #24648) [Link] ...though perhaps the Australian "Ikee" worm is guilty of crimes against good taste, as it swaps out the iPhone's wallpaper for a vintage photo of Rick Astley. Poor Rick Astley gets no respect these days... ;-)
What lessons can be learned from the iPhone worms? Posted Nov 12, 2009 11:03 UTC (Thu) by NAR (subscriber, #1313) [Link] This is an interesting story. From one point of view, people played with fire and got burn - what's the problem? I mean it's like somebody modified his car, added some extra horsepower (without upgrading the breaks), then crashed in the first corner - I can't really feel sorry for them. There is a reason one can't drive anything on public roads.On the other hand - default root password in 2009? Are they nuts?
What lessons can be learned from the iPhone worms? Posted Nov 12, 2009 19:49 UTC (Thu) by dariush (subscriber, #39924) [Link]
> On the other hand - default root password in 2009? Are they nuts?
Is the root account accessible in any way on an unmodified phone for someone knowing the password? If not, then I don't see how changing the password would improve security.
Of course, going the extra mile and securing against attacks which even theoretically should be impossible (within the security design of the device) is hardly a bad idea. If only since it may help mitigate currently unfeasible attacks in the future.
But if the security design of the iPhone isn't depending the strongness of the root password, then I can understand why Apple never bothered to change it.
cheers
What lessons can be learned from the iPhone worms? Posted Nov 12, 2009 22:03 UTC (Thu) by NAR (subscriber, #1313) [Link]
I'd guess that Apple has some kind of security checklist containing stuff like "are network services listening on only the necessary interfaces?", "are passwords stored encrypted?" or "is there a patch process documented in case a security vulnerability is found?". I'd also guess that every product they ship has to be checked for this checklist. I'd also guess this checklist would contain "are there any default passwords on the system?".
If they don't have such checklist or it doesn't contain "are there any default passwords on the system?" or they don't care - that doesn't look well for their other products. I don't think it would be that complicated to not have a root password, so it wouldn't be possible to login at all as root.
What lessons can be learned from the iPhone worms? Posted Nov 12, 2009 12:50 UTC (Thu) by madhatter (subscriber, #4665) [Link]
merely in the spirit of "here's how one phone did it", the openmoko runs an sshd ,has by default no root password, and permits root logins via ssh. but the daemon only listens on the usb interface, not any ppp (GPRS) or eth (wifi) interfaces that may pop up.
so you have to run a cable to the phone to use this attack method.
What lessons can be learned from the iPhone worms? Posted Nov 14, 2009 1:12 UTC (Sat) by giraffedata (subscriber, #1954) [Link] No password (assuming you mean you can log in without a password) makes more sense than default password. No password has the benefit of making it easier for authorized users to use, at the cost of increasing the chance of an unauthorized access (it's increased because there's always the possibility that the engineers overlooked some other method of running a login program). Default password just makes it harder for the authorized person while not slowing down the hacker at all.
What lessons can be learned from the iPhone worms? Posted Nov 12, 2009 14:05 UTC (Thu) by daniels (subscriber, #16193) [Link]
At the risk of extreme nitpicking, Australia does not have 'an iPhone carrier'. It is sold by at least four telcos (Telstra, Optus, Vodafone and 3), as well as being sold directly -- unlocked -- by Apple themselves.
What lessons can be learned from the iPhone worms? Posted Nov 12, 2009 15:43 UTC (Thu) by n8willis (editor, #43041) [Link]
That's true -- I meant to say "carriers." My understanding of the worm (and the source was online briefly but I did not examine it in any depth) was that it scanned the IP address blocks of the carriers that sold iPhones in Australia. I presume for the sake of simplicity; it certainly could have scanned other carriers' ranges anyway.
Nate
|
|||||||||||||