
What lessons can be learned from the iPhone worms?


Posted Nov 12, 2009 19:49 UTC (Thu) by dariush (guest, #39924)
In reply to: What lessons can be learned from the iPhone worms? by NAR
Parent article: What lessons can be learned from the iPhone worms?

> On the other hand - default root password in 2009? Are they nuts?

Is the root account accessible in any way on an unmodified phone for someone knowing the password? If not, then I don't see how changing the password would improve security.

Of course, going the extra mile and securing against attacks which even theoretically should be impossible (within the security design of the device) is hardly a bad idea, if only since it may help mitigate currently unfeasible attacks in the future.

But if the security design of the iPhone isn't depending on the strength of the root password, then I can understand why Apple never bothered to change it.

cheers
Dariush



What lessons can be learned from the iPhone worms?

Posted Nov 12, 2009 22:03 UTC (Thu) by NAR (subscriber, #1313)

I'd guess that Apple has some kind of security checklist containing stuff like "are network services listening on only the necessary interfaces?", "are passwords stored encrypted?" or "is there a patch process documented in case a security vulnerability is found?". I'd also guess that every product they ship has to be checked against this checklist. I'd also guess this checklist would contain "are there any default passwords on the system?".

If they don't have such a checklist or it doesn't contain "are there any default passwords on the system?" or they don't care - that doesn't look good for their other products. I don't think it would be that complicated to not have a root password, so it wouldn't be possible to log in at all as root.

