

Jailbroken iPhones compromised, $5 ransom demanded - vegasbrianc
http://blogs.zdnet.com/security/?p=4805&tag=nl.e539

======
Sidnicious
Two things caused this vulnerability:

1\. Every iPhone has the same root password by default. Apple never intended
for anyone to SSH into their device or see a shell at all.

2\. Many users install sshd on their jailbroken iPhones without knowing or
caring about the implications, and leave it installed and running.

There are a few possible solutions to this problem:

The maintainer of the sshd package should prompt to change the mobile user's
password at install time, disable root SSH access, and install sudo. It would
also be a good thing to only allow SSH over WiFi (by default).

Maybe a status bar icon to indicate when SSH is enabled should be installed by
default, and SSH could not run at startup but require that the user activate
it per-boot.

(Actually, BigBoss, the developer of the popular dashboard application
SBSettings, REMOVED the option to permanently disable SSH access, arguing that
SSH is often the only way to fix up an iPhone that won't boot into the GUI and
that it should start unless the user disables it for that boot. I disagree
with this decision and think that, at the very least, sshd should shut down
after the device boots successfully.)

The root problem here is that the developer of sshd for the iPhone probably
released it to be used as a debugging tool by other developers and hackers. No
one has the authority to step in and say "wait, this isn't safe for the
general population."
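An added example, not part of the comment above or of the sshd package: a small audit for the two defaults the thread describes, root login over SSH and an unchanged factory password on `root` or `mobile`. The file paths, the BSD-style `master.passwd` layout and the hash strings are assumptions; the auditor supplies the real factory hash, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and the factory hash are supplied
# by the auditor; the sample files below are constructed for the demo.

# Effective value of an sshd_config keyword: sshd uses the first occurrence and
# keywords are case-insensitive. Whitespace-separated form only; stops at Match.
effective_value() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# Accounts (root, mobile) whose hash field still equals the factory hash.
factory_accounts() {
    awk -F: -v factory="$2" '
        ($1 == "root" || $1 == "mobile") && $2 == factory { printf "%s%s", sep, $1; sep = "," }
    ' "$1"
}

# Print one line per finding; return 1 if there are any.
audit_device() {
    rc=0
    prl=$(effective_value "$1" PermitRootLogin)
    if [ "$prl" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${prl:-unset}', expected 'no'"
        rc=1
    fi
    stale=$(factory_accounts "$2" "$3")
    if [ -n "$stale" ]; then
        echo "FINDING: factory password still set for: $stale"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the later "PermitRootLogin no" line has no effect.
write_sample() {
    printf '%s\n' '# constructed sshd_config' 'Port 22' 'permitrootlogin yes' \
        'PermitRootLogin no' > "$1/sshd_config"
    printf '%s\n' 'root:FACTORY_HASH_PLACEHOLDER:0:0::0:0:System Administrator:/var/root:/bin/sh' \
        'mobile:CHANGED_HASH_PLACEHOLDER:501:501::0:0:Mobile User:/var/mobile:/bin/sh' \
        > "$1/master.passwd"
}

demo=$(mktemp -d)
write_sample "$demo"
audit_device "$demo/sshd_config" "$demo/master.passwd" FACTORY_HASH_PLACEHOLDER || true
rm -rf "$demo"
```

On the constructed sample this reports both findings: the first `permitrootlogin yes` line wins over the later `no`, and `root` still carries the factory hash.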

------
falsestprophet
This is another lesson in the importance of using an unscrupulous credit card
processor for unscrupulous business.

------
zacharypinter
Anybody else notice he was using Mailinator for his PayPal address? Unless he
has some sort of script that polls Mailinator and automatically removes
messages instantly, he was likely vulnerable to having his PayPal account
stolen.

------
dschobel
_the SSH daemon which unless modified remains running with default users root
and mobile, using the same password on each and every device._

I'm not sure I'd want to be known as the elite security expert who exploited
this subtle vulnerability.

~~~
teamonkey
From someone who only unlocked his iPhone to use another network, can somebody
explain the steps needed to change the default SSH passwords?

~~~
jrnkntl
The article even linked to it: <http://mr09.fileave.com/>

~~~
teamonkey
Yeah, but I really didn't want to click a link to a known scammer site. I was
hoping the instructions could be posted somewhere clean and safe.

------
brisance
People who have no technical understanding of jailbreaking should not be doing
it.

The Age of The Amateur is upon us and there's no escaping it. From people
looking up diagnoses of their ailments to armchair mechanics who think they
know better than a technician with 30 years in the trade, all because they
"read it on the internet".

------
Locke1689
I don't know Dutch law, but this SK might be getting a lesson about playing
with the bull....

