First-known iPhone worm 'Rickrolls' jailbroken Apple handsets


  • Reply 41 of 99
    Quote:
    Originally Posted by DistortedLoop View Post


    It doesn't matter what system you're on, if you open port 22 (ssh), or any port, actually, to the world, and leave default account names and passwords in place, you're asking for trouble. This is true of Macs, Linux, Windows, iPhones, your basic consumer network routers, etc.



    ...



    My jailbroken iPhone is secure, and stable, thank you very much. I know the risks and the rewards, the blanket condemnations of jailbreaking are little more than FUD.



    Unless your SSH installation requires RSA key authentication to login (i.e. not just a username and password) then your iPhone is still more than likely open to a number of known attacks that can be performed on an SSH server remotely, both brute force and DoS style.



    It's not just strong passwords that save you.
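The key-only login requirement raised in the reply above, as an added example that is not part of the thread: a Python audit of sshd_config text that reports whether password login, and root password login, are effectively enabled. The default values, finding names and sample configs are assumptions constructed for illustration.

```python
# Added example: audit sshd_config text for the password-login exposure
# discussed in the thread. Sample configs below are constructed.

# Assumed compiled-in defaults when a keyword is absent. PermitRootLogin's
# default differs between OpenSSH releases, so callers can override it.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "yes"}


def effective_settings(config_text, defaults=DEFAULTS):
    """Return (global settings, keywords set again inside Match blocks)."""
    settings, conditional, in_match = {}, set(), False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, including commented-out keywords
        parts = line.split()
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip('"').lower() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True  # everything after this applies conditionally
        elif in_match:
            if keyword in defaults:
                conditional.add(keyword)
        else:
            settings.setdefault(keyword, value)  # sshd keeps the FIRST value
    for keyword, value in defaults.items():
        settings.setdefault(keyword, value)
    return settings, conditional


def audit(config_text, defaults=DEFAULTS):
    """List findings; an empty list means password login is off globally."""
    settings, conditional = effective_settings(config_text, defaults)
    findings = []
    if settings["passwordauthentication"] == "yes":
        findings.append("password-login-enabled")
        if settings["permitrootlogin"] == "yes":
            findings.append("root-password-login-enabled")
    findings += ["match-block-overrides:" + k for k in sorted(conditional)]
    return findings


# Constructed samples.
AS_INSTALLED = "#PasswordAuthentication yes\n#PermitRootLogin yes\n"
APPENDED_FIX = "PasswordAuthentication yes\nPermitRootLogin yes\nPasswordAuthentication no\n"
KEY_ONLY = "PasswordAuthentication no\nPermitRootLogin prohibit-password\nPubkeyAuthentication yes\n"
MATCH_REOPENS = "PasswordAuthentication no\nMatch Address 192.168.0.0/16\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name in ("AS_INSTALLED", "APPENDED_FIX", "KEY_ONLY", "MATCH_REOPENS"):
        print(name, audit(globals()[name]))
```

The APPENDED_FIX sample shows why a hardening line added at the end of the file has no effect when an earlier line already sets the keyword. The audit covers only these two keywords; keyboard-interactive authentication and the account's actual password are out of scope.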
  • Reply 42 of 99
    Quote:
    Originally Posted by tawilson View Post


    This is most definitely the #1 reason not to jailbreak the iPhone.



    Followed closely by "stability issues".



    Both of these methods have targeted people who failed to change their root password. If you jailbreak, change your root password, and are responsible with what software you install, the odds of encountering something like this are extremely slim. There are other risks, but I'll be surprised if they manifest to the jailbreak community with any sort of force.
  • Reply 43 of 99
    Quote:
    Originally Posted by Xian Zhu Xuande View Post


    Both of these methods have targeted people who failed to change their root password. If you jailbreak, change your root password, and are responsible with what software you install, the odds of encountering something like this are extremely slim. There are other risks, but I'll be surprised if they manifest to the jailbreak community with any sort of force.



    Stability issues have nothing to do with your choice of password.



    And from my experience, running any single background process that wasn't intended to be run by Apple has a seriously detrimental effect on performance. What do you expect with only ~40MB of available RAM once the system has loaded on the 2G/3G iPhone?
  • Reply 44 of 99
    Quote:
    Originally Posted by tawilson View Post


    Stability issues have nothing to do with your choice of password.



    And from my experience, running any single background process that wasn't intended to be run by Apple has a seriously detrimental effect on performance. What do you expect with only ~40MB of available RAM once the system has loaded on the 2G/3G iPhone?



    I was addressing the exploit itself.



    That said, I have jailbroken numerous devices and I have not experienced any stability issues as a result. On the other hand, I have jailbroken iPhones for other people, and some of them have made their phones extremely unstable by taking an anything-goes approach to what they modify and install. It is a matter of making responsible choices. Should a person choose to use Backgrounder on one of the low-RAM devices they also need to keep this in mind as they decide what should or should not be running in the background. Obviously this is a much lesser concern on a 3GS. I think the main problem here is that there are people who lack some basic understanding of how the iPhone works who are also jailbreaking it and making poor performance choices after doing so.
  • Reply 45 of 99
    ronn Posts: 707 member
    As 21-year-old unemployed programmer Ashley Towns hailing from Wollongong, Australia.
  • Reply 46 of 99
    It's about common sense.



    ---------------------------------------



    http://support.apple.com/kb/HT3743



    As designed by Apple, the iPhone OS ensures that the iPhone and iPod touch operate reliably. Some customers have not understood the risks of installing software that makes unauthorized modifications to the iPhone OS ("jailbreaking") on their iPhone or iPod touch. Customers who have installed software that makes these modifications have encountered numerous problems in the operation of their hacked iPhone or iPod touch. Examples of issues caused by these unauthorized modifications to the iPhone OS have included the following:





    Device and application instability: Frequent and unexpected crashes of the device, crashes and freezes of built-in apps and third-party apps, and loss of data.



    Unreliable voice and data: Dropped calls, slow or unreliable data connections, and delayed or inaccurate location data.



    Disruption of services: Services such as Visual Voicemail, YouTube, Weather, and Stocks have been disrupted or no longer work on the device. Additionally, third-party apps that use the Apple Push Notification Service have had difficulty receiving notifications or received notifications that were intended for a different hacked device. Other push-based services such as MobileMe and Exchange have experienced problems synchronizing data with their respective servers.



    Compromised security: Security compromises have been introduced by these modifications that could allow hackers to steal personal information, damage the device, attack the wireless network, or introduce malware or viruses.



    Shortened battery life: The hacked software has caused an accelerated battery drain that shortens the operation of an iPhone or iPod touch on a single battery charge.



    Inability to apply future software updates: Some unauthorized modifications have caused damage to the iPhone OS that is not repairable. This can result in the hacked iPhone or iPod touch becoming permanently inoperable when a future Apple-supplied iPhone OS update is installed.



    Apple strongly cautions against installing any software that hacks the iPhone OS. It is also important to note that unauthorized modification of the iPhone OS is a violation of the iPhone end-user license agreement and because of this, Apple may deny service for an iPhone or iPod touch that has installed any unauthorized software.



    ------------------------------



    Same can be said for hacking any piece of tech. If you want to "customize" beyond what manufacturer's guidelines (and implemented barriers) allow, then you take your chances. Doesn't mean there is absolutely no problem with what you are doing just because you happen to know how to do it. You're playing outside operating guidelines and hacking your device. It's pretty simple.
  • Reply 47 of 99
    I've little sympathy for people who have jailbroken their iPhones having problems like this.



    However, the fact that this is a story at all (it's made most of the major news outlets) is an interesting demonstration of the success Apple are having. They are becoming the target worth aiming for because of the size of their installed base, much like M$ are for desktop systems. It's going to be interesting to find out if OSX really is more secure, as Apple have always claimed, or if it was relative obscurity that kept Mac users safe, as M$ fans claim.



    Personally, I suspect Apple will be OK.
  • Reply 48 of 99
    Quote:
    Originally Posted by tawilson View Post


    Unless your SSH installation requires RSA key authentication to login (i.e. not just a username and password) then your iPhone is still more than likely open to a number of known attacks that can be performed on an SSH server remotely, both brute force and DoS style.



    It's not just strong passwords that save you.



    Which is why I said:



    Quote:

    ...and turn off the ssh server when you don't actually need it running.



    Thus limiting your exposure to any of the attack methods.
  • Reply 49 of 99
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by tawilson View Post


    This is most definitely the #1 reason not to jailbreak the iPhone.



    Followed closely by "stability issues".



    None of that is true. Stability issues can happen from installing unauthorized apps after you jailbreak, but jailbreaking alone doesn't make your device less stable or less secure.





    Quote:
    Originally Posted by SS3 GokouX View Post


    Misleading.



    This exploit requires the user to jailbreak their phone and install SSH through Cydia/whatever. I'd imagine most people would never install SSH. The article makes it sound like every jailbroken iPhone is vulnerable to this exploit.




    I bolded to make sure this point is not missed.





    Quote:
    Originally Posted by foljs View Post


    Excuse me if I'm wrong, but this seems like a programmer's failure to me, not an end user one.



    Most of the jailbreaking is done with programs that run on your Mac or PC and automate the process. The end user can be completely clueless about what happens under the surface.



    So, why don't these programs also ASK THE USER to provide a password at jailbreaking time, and then set the SSH to use it on installation?



    Why do they rely on the default password and an obscure warning to the user to "change it later"? End users using these tools don't know what an SSH server is.



    Another thing that software can automate and programmers forgot to take advantage of.



    Ultimately it's the user's fault, but the ease in which one can jailbreak, unlock and install other packages I can see why someone would click the SSH install and not think twice about it. I would imagine that OpenSSH will likely do something that has a GUI to optionally change the password when you turn it on.



    People need to keep it turned off by default, too. Even if locked out, seeing the port at all is a potential security risk.
  • Reply 50 of 99
    Quote:
    Originally Posted by anonymouse View Post


    On the other hand, ssh can be very nice to have on your iPhone, if you have servers you sometimes need to get into while you are at, say, the beach.



    You do not need to jailbreak to get and use an SSH client - there are plenty of SSH clients in the official Apple AppStore.



    Installing an SSH Server (sshd) on your phone is primarily so you can then connect and login as root over a wifi connection - hence why it doesn't lock out root by default.
  • Reply 51 of 99
    hill60 Posts: 6,992 member
    Jailbreaking enables security flaws and pirates!



    Watch out you don't get Rick Roll'd.



    http://www.theiphoneblog.com/2009/11...word-rickroll/



    If you Jailbreak you need to change your SSH password.



    Congratulations Jailbreakers, if this hits the mainstream media your hobby could cost Apple millions, especially as they are just breaking into enterprise markets.



    Let's hope they lock it down harder next time to stop you clowns pulling stunts like this.



    The Jailbreakers f%@^ed up, if they are going to open SSH access to people's iPhones the least they could have done is IMPOSED A BETTER SECURITY POLICY on jailbroken iPhone users, not some half-assed default user and default password (alpine) which doesn't require changing on first use.
  • Reply 52 of 99
    pxt Posts: 683 member
    I don't mind if people want to jailbreak their phones and I don't think Apple should make any special efforts to stop it.



    But an OS should be designed to be secure, a side-effect of which is that no-one would be able to jailbreak their phone.
  • Reply 53 of 99
    solipsism Posts: 25,726 member
    This problem is only with unknowledgeable jailbreakers, not with jailbreakers at large or the iPhone. There is even an App Store developer in trouble for snagging contacts, but Apple’s model is set up to deal with such eventualities. The Android NDK and Marketplace are innately much less secure. If the platform becomes successful, which I think it will, I think we’ll see trojan horse apps, worms and viruses explode on Android. I hope I’m wrong.
  • Reply 54 of 99
    Quote:
    Originally Posted by Quadra 610 View Post


    jailbreaking = making your own iPhone vulnerable, deliberately. It's self-hacking.



    So where's the risk to the average user?



    How is it really news that people who hack their iPhones (against Apple's recommendations) are getting into trouble because of it? Perhaps it's useful to warn them of the obvious . . .





    That's funny. I assume you also have a Mac, which runs an OS quite similar to iPhone, but the edition on Mac comes jail-broken from the manufacturer (the same Apple that spreads the FUD about jailbreaking iPhone).



    I am sure the control freak SJ would love to get all applications on Mac OS X to be distributable only through iTunes AppStore, if there is no such annoyance as 95% market dominance of the company considered to be "evil empire".
  • Reply 55 of 99
    hill60 Posts: 6,992 member
    Perhaps you would be better off leaving the "control freak" environment of the iPhone and take up one of Google's offerings, I'm sure the companies that pay them for advertising are itching to get their hands on information about everything web-based you do and everyone you know who is in your contacts.



    Quote:
    Originally Posted by Brainless View Post


    That's funny. I assume you also have a Mac, which runs an OS quite similar to iPhone, but the edition on Mac comes jail-broken from the manufacturer (the same Apple that spreads the FUD about jailbreaking iPhone).



    I am sure the control freak SJ would love to get all applications on Mac OS X to be distributable only through iTunes AppStore, if there is no such annoyance as 95% market dominance of the company considered to be "evil empire".



  • Reply 56 of 99
    Quote:
    Originally Posted by solipsism View Post


    None of that is true. Stability issues can happen from installing unauthorized apps after you jailbreak, but jailbreaking alone doesn't make your device less stable or less secure.



    Very clever, but it's just semantics at the end of the day.



    Quote:

    Ultimately it's the user's fault, but the ease in which one can jailbreak, unlock and install other packages I can see why someone would click the SSH install and not think twice about it. I would imagine that OpenSSH will likely do something that has a GUI to optionally change the password when you turn it on.



    People need to keep it turned off by default, too. Even if locked out, seeing the port at all is a potential security risk.



    Yes, but to be fair, SSH as a server has no place on a mobile phone.
  • Reply 57 of 99
    Quote:
    Originally Posted by hill60 View Post


    Jailbreaking enables security flaws and pirates!



    Watch out you don't get Rick Roll'd.



    http://www.theiphoneblog.com/2009/11...word-rickroll/



    If you Jailbreak you need to change your SSH password.



    Congratulations Jailbreakers, if this hits the mainstream media your hobby could cost Apple millions, especially as they are just breaking into enterprise markets.



    Let's hope they lock it down harder next time to stop you clowns pulling stunts like this.



    The Jailbreakers f%@^ed up, if they are going to open SSH access to people's iPhones the least they could have done is IMPOSED A BETTER SECURITY POLICY on jailbroken iPhone users, not some half-assed default user and default password (alpine) which doesn't require changing on first use.



    You don't seem to understand much about Jailbreaking or who this affects. A normal iPhone doesn't have SSH access, neither does a Jailbroken one until the person who owns the phone themselves downloads an app to enable SSH, and then they enable it. At that time the username and password are root and alpine.



    What this thing does, is it searches for a phone that has SSH enabled, and accesses the files. It can only do this if

    1. The person jailbroke.

    2. The person enabled SSH.

    3. The person never changed the password for SSH nor did they turn it off when not in use.



    Unless you jailbreak, there is no way this can hurt your phone or affect you.



    For the record, I've been Jailbreaking my iPhone and iPod Touch since 1.2, and never once have I used it to pirate an App. I don't even use dTunes anymore since we were allowed to DL music from iTunes over 3G. Jailbreaking is much less relevant now since 3.0 came out, but in the 1.x and 2.x days it allowed me to do tons of things regular stock iPhones could not. Right now I use it for themes and SB settings mainly, although there are several other things I like to do with it such as haptic feedback and new SMS chirps.
  • Reply 58 of 99
    charlituna Posts: 7,217 member
    Quote:
    Originally Posted by Quadra 610 View Post


    jailbreaking = making your own iPhone vulnerable, deliberately. It's self-hacking.



    So where's the risk to the average user?



    How is it really news that people who hack their iPhones (against Apple's recommendations) are getting into trouble because of it? Perhaps it's useful to warn them of the obvious . . .







    In some ways I put this on the same list as the folks that got the trojan from torrenting iWork.
  • Reply 59 of 99
    gazoobee Posts: 3,754 member
    Quote:
    Originally Posted by solipsism View Post


    This problem is only with unknowledgeable jailbreakers, not with jailbreakers at large or the iPhone. ...



    Isn't this the same as the old (deeply flawed), argument about it's not the guns it's the criminals *using* the guns?



    The fact is that jail-breaking exists, and it's for the most part a one click operation that is promoted and encouraged by tech sites like this one (and many others).



    Sure you can say that a responsible, knowledgeable, person who decides to jail-break their phone is not going to be a problem, but the reality is that the broad availability of the jail breaking process virtually guarantees a whole lot of idiots running around with jail-broken phones and using them for nefarious and stupid purposes.



    Responsible owners of AK-47's and glocks are not a problem either, but the fact that any punk can buy one almost anywhere in the US and that there are multiple millions in circulation virtually guarantees a lot of death and destruction.



    There's freedom, and there's irresponsible idiocy. Rational people usually go for something between the two.
  • Reply 60 of 99
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by Gazoobee View Post


    Isn't this the same as the old (deeply flawed), argument about it's not the guns it's the criminals *using* the guns?



    Not at all, because very specific things have to happen. First, they have to jailbreak their iPhone or Touch, but that alone will not allow this worm to enter your phone. Second, they have had to install and turn on OpenSSH, which is not installed by default. Only when those two things are done without the user being wise enough to then change the root password will this "backdoor" be unlocked.