The iPhone's first worm -- a playful, wallpaper-changing prank that only affects jailbroken phones -- could be a sign of more dangerous things to come. ...
Maybe I'm the only one, but this sounds like a good thing all round to me.
- discourages hackers - check
- punishes the stupid and lazy - check
- justifies Apples stance on jail-breaking - check
- encourages Apple to put in even more security - check
This is the same Charlie Miller that compromised the Mac in 2008 Pwn 2 Own in 2 minutes.....
Then did it again in Pwn 2 Own 2009 with the same Safari exploit but this time it took him 10 seconds..........
Before you elevate Charlie Miller to the status of Jesus Christ, it's worth mentioning that he spent months and weeks on those hacks *before* the contest. The amount of time it took him on the day of the conference is essentially irrelevant.
Most of the analogies thrown about re: jailbreaking are not accurate. The real flaw is user ignorance, just like most security flaws.
It doesn't matter what system you're on, if you open port 22 (ssh), or any port, actually, to the world, and leave default account names and passwords in place, you're asking for trouble. This is true of Macs, Linux, Windows, iPhones, your basic consumer network routers, etc.
Several neighbor's WiFi routers are wide open with the admin/admin or whatever brand they use' default password. These people are no different to jailbreakers who turn on ssh and don't change passwords. It's ignorance of what doors they're installing and what locks are required.
It's not like hiding your front door key on a string that's attached to the lock. It's more like installing a door that wasn't there in the first place, with a simple lock that's easily picked by anyone. Don't install a door without a proper lock if you're going to be in a bad neighborhood (the Internet and open ports).
My jailbroken iPhone is secure, and stable, thank you very much. I know the risks and the rewards, the blanket condemnations of jailbreaking are little more than FUD.
Excuse me if I'm wrong, but this seems like a programmer's failure to me, not an end user one .... So, why don't these programs also ASK THE USER to provide a password at jailbreaking time, and then set the SSH to use it on installation?
Why do they rely on the default password and an obscure warning to the user to "change it later"? End users using these tools don't know what an SSH server is. ...
You're wrong. This is crazy talk.
SSH is not a kids toy. If you install it on your phone, don't read the manual, and don't know what you are doing, it's 100% your fault if you don't secure it.
It's like your saying that if a kid steals the keys to an F-14 and tries to fly it, it's not his responsibility if he gets hurt. Sure it is. He was playing with a bunch of stuff he didn't understand and breaking the law in the process.
Before you elevate Charlie Miller to the status of Jesus Christ, it's worth mentioning that he spent months and weeks on those hacks *before* the contest. The amount of time it took him on the day of the conference is essentially irrelevant.
Well, yes and no. It took months to develop the hack, but once it's developed, and published, any script kiddie can then use the exploit in a matter of seconds.
That's the fear here for jailbreakers with port 22 open; the hacker has published the source, now more malicious folks who hadn't thought of the delivery method now only need to insert their payload.
One thing none of these articles around the net are failing to mention is that only certain networks are vulnerable.
In the US, AT&T apparently blocks incoming connections to port 22. End of story as far as this worm goes for the cellular network and AT&T users.
Those who attach to public WiFi networks are at risk, I suppose.
Bottom line, if you think you need the ssh server installed on your iPhone, change BOTH your 'root' and 'mobile' accounts' passwords and turn off the ssh server when you don't actually need it running. This really should be made more clear in the installation process.
SSH is not a kids toy. If you install it on your phone, don't read the manual, and don't know what you are doing, it's 100% your fault if you don't secure it.
It's like your saying that if a kid steals the keys to an F-14 and tries to fly it, it's not his responsibility if he gets hurt. Sure it is. He was playing with a bunch of stuff he didn't understand and breaking the law in the process.
The guy was presumably trying to involve posters in discussing details. No good.
If you don't want to jailbreak, fine. But stop spreading FUD about jailbreaking.
Saying things like "people only do it to be cool", "you sacrifice stability", "there are enough apps in the apps store" and "these locks keep us safe" is just plain not true.
There are many very useful apps for jailbroken iPhones that do not sacrifice stability at all. Simple things like calender and email information on you lock screen or a Google Voice App (why I jailbreak).
And Apple has these "locks" not to protect you, but to protect themselves. They want you locked into the App Store. Apple is out to protect it's investment.
Also, you have to actively install SSH for this exploit to work and if you have installed it, you can also shut off SSH. And when you install SSH, almost every guide I've seen tells you to change your passwords.
If you don't want to jailbreak and are happy with your phone, that is fine. I am glad you are happy. I'll never understand the vigilant anti-jailbreakers who come to message boards like this one and denigrate people who jailbreak their phones, spread mis-information, and in this case basically gloat that they get what they deserve. What do you get out of this? Is it that oh so smug feeling that you are somehow better or smarter than others? You know better? Well, nobody really wants to hear it. Unless you have something useful to add, why don't you just take your smug somewhere else?
On topic. does anyone know how you get this exploit? Do you have to click a link in an email or go to a website? The article was lacking this important detail.
What does this have to do with a jailbroken iPhone (other than it's a Charlie Miller production)?
Hacking with physical contact of the computer is data mining.
At pwn to own, the first day was to hack the Mac remotely. Not one person could do it. Nobody. No remote access, no viruses, nothing. Nobody can hack Macs remotely. To win the hacker needed local access to the machine. For his hack to work, it required somebody manually navigating to a site with malicious content.
For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.
Can your Mac get hacked remotely? No.
Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.
Make of that what you will.
What does it have to do with Charlie Miller???
Did you miss this part??
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
This summer, Apple quickly fixed a text messaging exploit that could have affected all iPhones. The exploit took advantage of the fact that SMS can send binary code to a phone. That code is automatically processed without user interaction, and can be compiled from multiple messages, allowing larger programs to be sent to a phone.
The exploit, discovered by security researcher Charlie Miller, exposed the iPhone completely, giving hackers access to the camera, dialer, messaging and Safari.
Miller also, back in 2007, discovered the iPhone's first security flaw. It allowed malicious Web sites to take advantage of flaws within the Safari Web browser.
This is NOT an iPhone worm. It's a jailbreak worm.
Resist the temptation to generate page hits with sensational headlines. It works for a while and then you lose all your readers.
Credibility is hard-won but easily lost. Don't squander (any more of) it.
This is a rumor site, not a news site. If you expect credibility, you came to the wrong place. But there are many readers here that believe everything they see, then get really upset when the rumors never come true.
It is an iPhone worm because it does not affect any other handset, but only for the morons that jailbroke their phone and compromised all the security. So they get what they deserve.
Before you elevate Charlie Miller to the status of Jesus Christ, it's worth mentioning that he spent months and weeks on those hacks *before* the contest. The amount of time it took him on the day of the conference is essentially irrelevant.
First I would never elevate anyone to Jesus Christ.....there was only one........
Second you are correct Charlie worked on the same exploit for 2 years. He used it to win in Pwn 2 Own 2008 then in 2009 with the same exploit that went un patched from Apple.
This exploit requires the user to jailbreak their phone and install SSH through Cydia/whatever. I?d imagine most people would never install SSH. The article makes it sound like every jailbroken iPhone is vulnerable to this exploit.
It's actually that it installs sshd, and in an insecure configuration -- sshd should be configured not to allow root login at all. A pretty dumb thing to do by whoever wrote the jailbreak code.
On the other hand, ssh can be very nice to have on your iPhone, if you have servers you sometimes need to get into while you are at, say, the beach.
First I would never elevate anyone to Jesus Christ.....there was only one........
Second you are correct Charlie worked on the same exploit for 2 years. He used it to win in Pwn 2 Own 2008 then in 2009 with the same exploit that went un patched from Apple.
You're still being a bit misleading here. It's not like he walked in in 2008 and said to himself, "Oh, what if I try this? ... Voila! I'm in!" Clearly there was a significant amount of research and preparation involved, prior to demonstrating the exploit.
That it went unpatched is a justified criticism of Apple.
First I would never elevate anyone to Jesus Christ.....there was only one.........
My apologies for the Jesus Christ comment.
It's hard for me to remember that a lot of Americans are touchy about that, and that probably half the people on this forum are from the USA. It's a common enough thing to say where I live and no anti-religious offence was intended.
You're still being a bit misleading here. It's not like he walked in in 2008 and said to himself, "Oh, what if I try this? ... Voila! I'm in!" Clearly there was a significant amount of research and preparation involved, prior to demonstrating the exploit.
That it went unpatched is a justified criticism of Apple.
You are correct he did extensive work to produce the exploit.......
Comments
i know...when did ai become apple iphone hacker digest? jeez...
I second that emoticon.
Resist the temptation to generate page hits with sensational headlines. It works for a while and then you lose all your readers.
Credibility is hard-won but easily lost. Don't squander (any more of) it.
The iPhone's first worm -- a playful, wallpaper-changing prank that only affects jailbroken phones -- could be a sign of more dangerous things to come. ...
Maybe I'm the only one, but this sounds like a good thing all round to me.
- discourages hackers - check
- punishes the stupid and lazy - check
- justifies Apples stance on jail-breaking - check
- encourages Apple to put in even more security - check
What's not to love about this?
This is the same Charlie Miller that compromised the Mac in 2008 Pwn 2 Own in 2 minutes.....
Then did it again in Pwn 2 Own 2009 with the same Safari exploit but this time it took him 10 seconds..........
Before you elevate Charlie Miller to the status of Jesus Christ, it's worth mentioning that he spent months and weeks on those hacks *before* the contest. The amount of time it took him on the day of the conference is essentially irrelevant.
iPhone isn't open so maybe iDont is? Maybe??
It doesn't matter what system you're on, if you open port 22 (ssh), or any port, actually, to the world, and leave default account names and passwords in place, you're asking for trouble. This is true of Macs, Linux, Windows, iPhones, your basic consumer network routers, etc.
Several neighbor's WiFi routers are wide open with the admin/admin or whatever brand they use' default password. These people are no different to jailbreakers who turn on ssh and don't change passwords. It's ignorance of what doors they're installing and what locks are required.
It's not like hiding your front door key on a string that's attached to the lock. It's more like installing a door that wasn't there in the first place, with a simple lock that's easily picked by anyone. Don't install a door without a proper lock if you're going to be in a bad neighborhood (the Internet and open ports).
My jailbroken iPhone is secure, and stable, thank you very much. I know the risks and the rewards, the blanket condemnations of jailbreaking are little more than FUD.
Excuse me if I'm wrong, but this seems like a programmer's failure to me, not an end user one .... So, why don't these programs also ASK THE USER to provide a password at jailbreaking time, and then set the SSH to use it on installation?
Why do they rely on the default password and an obscure warning to the user to "change it later"? End users using these tools don't know what an SSH server is. ...
You're wrong. This is crazy talk.
SSH is not a kids toy. If you install it on your phone, don't read the manual, and don't know what you are doing, it's 100% your fault if you don't secure it.
It's like your saying that if a kid steals the keys to an F-14 and tries to fly it, it's not his responsibility if he gets hurt. Sure it is. He was playing with a bunch of stuff he didn't understand and breaking the law in the process.
Before you elevate Charlie Miller to the status of Jesus Christ, it's worth mentioning that he spent months and weeks on those hacks *before* the contest. The amount of time it took him on the day of the conference is essentially irrelevant.
Well, yes and no. It took months to develop the hack, but once it's developed, and published, any script kiddie can then use the exploit in a matter of seconds.
That's the fear here for jailbreakers with port 22 open; the hacker has published the source, now more malicious folks who hadn't thought of the delivery method now only need to insert their payload.
In the US, AT&T apparently blocks incoming connections to port 22. End of story as far as this worm goes for the cellular network and AT&T users.
Those who attach to public WiFi networks are at risk, I suppose.
Bottom line, if you think you need the ssh server installed on your iPhone, change BOTH your 'root' and 'mobile' accounts' passwords and turn off the ssh server when you don't actually need it running. This really should be made more clear in the installation process.
You're wrong. This is crazy talk.
SSH is not a kids toy. If you install it on your phone, don't read the manual, and don't know what you are doing, it's 100% your fault if you don't secure it.
It's like your saying that if a kid steals the keys to an F-14 and tries to fly it, it's not his responsibility if he gets hurt. Sure it is. He was playing with a bunch of stuff he didn't understand and breaking the law in the process.
The guy was presumably trying to involve posters in discussing details. No good.
Saying things like "people only do it to be cool", "you sacrifice stability", "there are enough apps in the apps store" and "these locks keep us safe" is just plain not true.
There are many very useful apps for jailbroken iPhones that do not sacrifice stability at all. Simple things like calender and email information on you lock screen or a Google Voice App (why I jailbreak).
And Apple has these "locks" not to protect you, but to protect themselves. They want you locked into the App Store. Apple is out to protect it's investment.
Also, you have to actively install SSH for this exploit to work and if you have installed it, you can also shut off SSH. And when you install SSH, almost every guide I've seen tells you to change your passwords.
If you don't want to jailbreak and are happy with your phone, that is fine. I am glad you are happy. I'll never understand the vigilant anti-jailbreakers who come to message boards like this one and denigrate people who jailbreak their phones, spread mis-information, and in this case basically gloat that they get what they deserve. What do you get out of this? Is it that oh so smug feeling that you are somehow better or smarter than others? You know better? Well, nobody really wants to hear it. Unless you have something useful to add, why don't you just take your smug somewhere else?
On topic. does anyone know how you get this exploit? Do you have to click a link in an email or go to a website? The article was lacking this important detail.
What does this have to do with a jailbroken iPhone (other than it's a Charlie Miller production)?
Hacking with physical contact of the computer is data mining.
At pwn to own, the first day was to hack the Mac remotely. Not one person could do it. Nobody. No remote access, no viruses, nothing. Nobody can hack Macs remotely. To win the hacker needed local access to the machine. For his hack to work, it required somebody manually navigating to a site with malicious content.
For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.
Can your Mac get hacked remotely? No.
Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.
Make of that what you will.
What does it have to do with Charlie Miller???
Did you miss this part??
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
This summer, Apple quickly fixed a text messaging exploit that could have affected all iPhones. The exploit took advantage of the fact that SMS can send binary code to a phone. That code is automatically processed without user interaction, and can be compiled from multiple messages, allowing larger programs to be sent to a phone.
The exploit, discovered by security researcher Charlie Miller, exposed the iPhone completely, giving hackers access to the camera, dialer, messaging and Safari.
Miller also, back in 2007, discovered the iPhone's first security flaw. It allowed malicious Web sites to take advantage of flaws within the Safari Web browser.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >
This is NOT an iPhone worm. It's a jailbreak worm.
Resist the temptation to generate page hits with sensational headlines. It works for a while and then you lose all your readers.
Credibility is hard-won but easily lost. Don't squander (any more of) it.
This is a rumor site, not a news site. If you expect credibility, you came to the wrong place. But there are many readers here that believe everything they see, then get really upset when the rumors never come true.
It is an iPhone worm because it does not affect any other handset, but only for the morons that jailbroke their phone and compromised all the security. So they get what they deserve.
Before you elevate Charlie Miller to the status of Jesus Christ, it's worth mentioning that he spent months and weeks on those hacks *before* the contest. The amount of time it took him on the day of the conference is essentially irrelevant.
First I would never elevate anyone to Jesus Christ.....there was only one........
Second you are correct Charlie worked on the same exploit for 2 years. He used it to win in Pwn 2 Own 2008 then in 2009 with the same exploit that went un patched from Apple.
Misleading.
This exploit requires the user to jailbreak their phone and install SSH through Cydia/whatever. I?d imagine most people would never install SSH. The article makes it sound like every jailbroken iPhone is vulnerable to this exploit.
It's actually that it installs sshd, and in an insecure configuration -- sshd should be configured not to allow root login at all. A pretty dumb thing to do by whoever wrote the jailbreak code.
On the other hand, ssh can be very nice to have on your iPhone, if you have servers you sometimes need to get into while you are at, say, the beach.
First I would never elevate anyone to Jesus Christ.....there was only one........
Second you are correct Charlie worked on the same exploit for 2 years. He used it to win in Pwn 2 Own 2008 then in 2009 with the same exploit that went un patched from Apple.
You're still being a bit misleading here. It's not like he walked in in 2008 and said to himself, "Oh, what if I try this? ... Voila! I'm in!" Clearly there was a significant amount of research and preparation involved, prior to demonstrating the exploit.
That it went unpatched is a justified criticism of Apple.
Damn you. Now it's 26,251,291 views. LOL
Make that 26,251,292... Dang. See how easy this social engineering is?
First I would never elevate anyone to Jesus Christ.....there was only one.........
My apologies for the Jesus Christ comment.
It's hard for me to remember that a lot of Americans are touchy about that, and that probably half the people on this forum are from the USA. It's a common enough thing to say where I live and no anti-religious offence was intended.
You're still being a bit misleading here. It's not like he walked in in 2008 and said to himself, "Oh, what if I try this? ... Voila! I'm in!" Clearly there was a significant amount of research and preparation involved, prior to demonstrating the exploit.
That it went unpatched is a justified criticism of Apple.
You are correct he did extensive work to produce the exploit.......
Make that 26,251,292... Dang. See how easy this social engineering is?
I know, just look at how many people have installed Google Desktop.