First-known iPhone worm 'Rickrolls' jailbroken Apple handsets
The iPhone's first worm -- a playful, wallpaper-changing prank that only affects jailbroken phones -- could be a sign of more dangerous things to come.
A hacker who identifies himself as "ikex" created the worm, which changes the user's wallpaper to a picture of 1980s pop star Rick Astley, who sang the 1987 hit "Never Gonna Give You Up." The software includes the message: "ikee is never gonna give you up."
The term jailbreaking refers to a hack that allows users to run software not approved by Apple on the iPhone. It can grant users the ability to install custom wallpapers and themes, enable tethering, or unlock the handset for use on a non-approved carrier.
The ikex worm is simply a prank known as "Rickrolling," an Internet bait-and-switch meme when users expect to see a video on a certain topic, only to find themselves watching Astley's cheesy 1987 music video. According to Forbes, the worm does nothing malicious.
"The world's first iPhone worm is also hardly a true criminal exploit," the report said. "Instead, it seems to be half warning, half prank. Ikee's author, who identifies himself or herself as 'ikex' in the worm's source code, also wrote in the code that "People are stupid, and this is to prove it so," adding that users should read their phones' manuals."
For now, the worm is said to be spreading among jailbroken iPhones in Australia. It affects only users who did not change their default SSH password, which allows file transfers between phones.
"It's not that hard, guys," ikex wrote in the source code. "But hey who cares its only your bank details at stake."
Mikko Hyppönen, researcher with F-Secure, discussed the worm on his company's Web site. It lets users know how to change their root password, and also warns that the software could become more dangerous.
"The creator of the worm has released full source code of the four existing variants of this worm," he said. "This means that there will quickly be more variants, and they might have nastier payload than just changing your wallpaper or might try password cracking to gain access to devices where the default password has been changed."
This summer, Apple quickly fixed a text messaging exploit that could have affected all iPhones. The exploit took advantage of the fact that SMS can send binary code to a phone. That code is automatically processed without user interaction, and can be compiled from multiple messages, allowing larger programs to be sent to a phone.
The exploit, discovered by security researcher Charlie Miller, exposed the iPhone completely, giving hackers access to the camera, dialer, messaging and Safari.
Miller also, back in 2007, discovered the iPhone's first security flaw. It allowed malicious Web sites to take advantage of flaws within the Safari Web browser.
A hacker who identifies himself as "ikex" created the worm, which changes the user's wallpaper to a picture of 1980s pop star Rick Astley, who sang the 1987 hit "Never Gonna Give You Up." The software includes the message: "ikee is never gonna give you up."
The term jailbreaking refers to a hack that allows users to run software not approved by Apple on the iPhone. It can grant users the ability to install custom wallpapers and themes, enable tethering, or unlock the handset for use on a non-approved carrier.
The ikex worm is simply a prank known as "Rickrolling," an Internet bait-and-switch meme when users expect to see a video on a certain topic, only to find themselves watching Astley's cheesy 1987 music video. According to Forbes, the worm does nothing malicious.
"The world's first iPhone worm is also hardly a true criminal exploit," the report said. "Instead, it seems to be half warning, half prank. Ikee's author, who identifies himself or herself as 'ikex' in the worm's source code, also wrote in the code that "People are stupid, and this is to prove it so," adding that users should read their phones' manuals."
For now, the worm is said to be spreading among jailbroken iPhones in Australia. It affects only users who did not change their default SSH password, which allows file transfers between phones.
"It's not that hard, guys," ikex wrote in the source code. "But hey who cares its only your bank details at stake."
Mikko Hyppönen, researcher with F-Secure, discussed the worm on his company's Web site. It lets users know how to change their root password, and also warns that the software could become more dangerous.
"The creator of the worm has released full source code of the four existing variants of this worm," he said. "This means that there will quickly be more variants, and they might have nastier payload than just changing your wallpaper or might try password cracking to gain access to devices where the default password has been changed."
This summer, Apple quickly fixed a text messaging exploit that could have affected all iPhones. The exploit took advantage of the fact that SMS can send binary code to a phone. That code is automatically processed without user interaction, and can be compiled from multiple messages, allowing larger programs to be sent to a phone.
The exploit, discovered by security researcher Charlie Miller, exposed the iPhone completely, giving hackers access to the camera, dialer, messaging and Safari.
Miller also, back in 2007, discovered the iPhone's first security flaw. It allowed malicious Web sites to take advantage of flaws within the Safari Web browser.
Comments
So where's the risk to the average user?
How is it really news that people who hack their iPhones (against Apple's recommendations) are getting into trouble because of it? Pehaps it's useful to warn them of the obvious . . .
jailbreaking = making your own iPhone vulnerable, deliberately. It's self-hacking.
So where's the risk to the average user?
How is it really news that people who hack their iPhones (against Apple's recommendations) are getting into trouble because of it? Pehaps it's useful to warn them of the obvious . . .
i know...when did ai become apple iphone hacker digest? jeez...
jailbreaking = making your own iPhone vulnerable, deliberately. It's self-hacking.
So where's the risk to the average user?
How is it really news that people who hack their iPhones (against Apple's recommendations) are getting into trouble because of it? Pehaps it's useful to warn them of the obvious . . .
This is most definitely the #1 reason not jailbreak the iPhone.
Followed closely by "stability issues".
i know...when did ai become apple iphone hacker digest? jeez...
Definitely, and they even forgot to post the video!
jailbreaking = making your own iPhone vulnerable, deliberately. It's self-hacking.
So where's the risk to the average user?
How is it really news that people who hack their iPhones (against Apple's recommendations) are getting into trouble because of it? Pehaps it's useful to warn them of the obvious . . .
Quadra, I agree with you, but I'd say that there is a large portion of the jailbreaking community who don't understand the nature of Jailbreaking. They see it as "unlocking what is rightfully theirs" and don't understand that to do so, you have to break many of the locks that Apple has put in there for good reason.
I have many friends who ask me about jailbreaking and describe it as the best thing ever. I, as a developer, explain why the locks are there, and then it dawns on them that their phone is also perhaps the most invasive device they have, can compromise your security, and could become just as vulnerable to viruses as Windows if the locks didn't exist.
There seems to be a good portion of current users who like to unlock their devices because its "cool" and "puts you in control" but fail to grasp what those hacks also allow in.
The iPhone's first worm -- a playful, wallpaper-changing prank that only affects jailbroken phones -- could be a sign of more dangerous things to come.
A hacker who identifies himself as "ikex" created the worm, which changes the user's wallpaper to a picture of 1980s pop star Rick Astley, who sang the 1987 hit "Never Gonna Give You Up." The software includes the message: "ikee is never gonna give you up."
The term jailbreaking refers to a hack that allows users to run software not approved by Apple on the iPhone. It can grant users the ability to install custom wallpapers and themes, enable tethering, or unlock the handset for use on a non-approved carrier.
The ikex worm is simply a prank known as "Rickrolling," an Internet bait-and-switch meme when users expect to see a video on a certain topic, only to find themselves watching Astley's cheesy 1987 music video. According to Forbes, the worm does nothing malicious.
"The world's first iPhone worm is also hardly a true criminal exploit," the report said. "Instead, it seems to be half warning, half prank. Ikee's author, who identifies himself or herself as 'ikex' in the worm's source code, also wrote in the code that "People are stupid, and this is to prove it so," adding that users should read their phones' manuals."
For now, the worm is said to be spreading among jailbroken iPhones in Australia. It affects only users who did not change their default SSH password, which allows file transfers between phones.
"It's not that hard, guys," ikex wrote in the source code. "But hey who cares its only your bank details at stake."
Mikko Hyppönen, researcher with F-Secure, discussed the worm on his company's Web site. It lets users know how to change their root password, and also warns that the software could become more dangerous.
"The creator of the worm has released full source code of the four existing variants of this worm," he said. "This means that there will quickly be more variants, and they might have nastier payload than just changing your wallpaper or might try password cracking to gain access to devices where the default password has been changed."
This summer, Apple quickly fixed a text messaging exploit that could have affected all iPhones. The exploit took advantage of the fact that SMS can send binary code to a phone. That code is automatically processed without user interaction, and can be compiled from multiple messages, allowing larger programs to be sent to a phone.
The exploit, discovered by security researcher Charlie Miller, exposed the iPhone completely, giving hackers access to the camera, dialer, messaging and Safari.
Miller also, back in 2007, discovered the iPhone's first security flaw. It allowed malicious Web sites to take advantage of flaws within the Safari Web browser.
[ View this article at AppleInsider.com ]
This is the same Charlie Miller that compromised the Mac in 2008 Pwn 2 Own in 2 minutes.....
Then did it again in Pwn 2 Own 2009 with the same Safari exploit but this time it took him 10 seconds.......
If you JB your iphone it will put it at risk along with giving it some additional features.
I guess if you are going to JB then change the default password on your iphone!!!
Quadra, I agree with you, but I'd say that there is a large portion of the jailbreaking community who don't understand the nature of Jailbreaking. They see it as "unlocking what is rightfully theirs" and don't understand that to do so, you have to break many of the locks that Apple has put in there for good reason.
I have many friends who ask me about jailbreaking and describe it as the best thing ever. I, as a developer, explain why the locks are there, and then it dawns on them that their phone is also perhaps the most invasive device they have, can compromise your security, and could become just as vulnerable to viruses as Windows if the locks didn't exist.
There seems to be a good portion of current users who like to unlock their devices because its "cool" and "puts you in control" but fail to grasp what those hacks also allow in.
I agree with you that most people that JB their phones do it because they think it will make them "cool".
But they have no idea what they are doing.......
It does open the phone up to a different set of vulnerabilities!
Here we have the difference between Android ie Windows, and iPhone ie Mac....
Only to find themselves watching Astley's cheesy 1987 music video.
What's with all the hating on Rick Astley I've been seeing in various blogs. Rick is da bomb!
This is the same Charlie Miller that compromised the Mac in 2008 Pwn 2 Own in 2 minutes.....
Then did it again in Pwn 2 Own 2009 with the same Safari exploit but this time it took him 10 seconds.......
What does this have to do with a jailbroken iPhone (other than it's a Charlie Miller production)?
Hacking with physical contact of the computer is data mining.
At pwn to own, the first day was to hack the Mac remotely. Not one person could do it. Nobody. No remote access, no viruses, nothing. Nobody can hack Macs remotely. To win the hacker needed local access to the machine. For his hack to work, it required somebody manually navigating to a site with malicious content.
For this hack to work in the real world, you would need to physically click a link to the malicious site somehow (in an email maybe, or a link via IM or whatever). Social Engineering. It relies on the ignorance of the computer user to do the hacker's job for him, because he can't do it himself.
Can your Mac get hacked remotely? No.
Will the hacker drive to your house and personally point your web browser to his site to infect your Mac? Not likely.
Make of that what you will.
There's something, which I just fail to understand. It's explained thousands of times and crystal clear to everyone, that being a regular legal owner of locked iPhone guarantees the smooth and issueless function of the device and decent assistance at any moment. App Store has 100 times richer collection of applications, than any illegal stores do. And people jailbreak "to be cool"... Stupid, no?
Agreed.
It's the techie contingent doing most of it.
It is like saying, I've bought a Mac as they don't get virus's, install Windows on the Mac but without virus software (as Mac's don't get virus's) and then complain if your windows installation becomes infected. Macs do get virus's if they are not running the OS that is designed to run on them, with all of the security measures Apple designs.
Jailbreaking is like putting your door key on a string behind your letterbox. People can reach in, grab the string and then the key and open the door to your house!
It's the techie contingent doing most of it.
Sure, it's "techies". Those of the kind "I just jailbroke and killed my iPhone; then I got scared and went to my buddy manager at the Store; we disabled all data on my iPhone. The iPhone is now dead and I'm writing on the forum in the hope, that someone will magically advise me how to repair it"
http://tinyurl.com/iPhonePwnWorm
Sure, it's "techies". Those of the kind "I just jailbroke and killed my iPhone; then I got scared and went to my buddy manager at the Store; we disabled all data on my iPhone. The iPhone is now dead and I'm writing on the forum in the hope, that someone will magically advise me how to repair it"
Hehe, yes, that's true . . .
They also just discovered this worm we're sure to hear about ad nauseum tomorrow... sigh
http://tinyurl.com/iPhonePwnWorm
Damn you. Now it's 26,251,291 views. LOL
This exploit requires the user to jailbreak their phone and install SSH through Cydia/whatever. I’d imagine most people would never install SSH. The article makes it sound like every jailbroken iPhone is vulnerable to this exploit.
Most of the jailbreaking is done with programs that run on your Mac or PC and automate the process. The end user can be completely clueless about what happens under the surface.
So, why don't these programs also ASK THE USER to provide a password at jailbreaking time, and then set the SSH to use it on installation?
Why do they rely on the default password and an obscure warning to the user to "change it later"? End users using these tools don't know what an SSH server is.
Another thing that software can automate and programmers forgot to take advantage of.
Excuse me if I'm wrong, but this seems like a programmer's failure to me, not an end user one.
Most of the jailbreaking is done with programs that run on your Mac or PC and automate the process. The end user can be completely clueless about what happens under the surface.
So, why don't these programs also ASK THE USER to provide a password at jailbreaking time, and then set the SSH to use it on installation?
Why do they rely on the default password and an obscure warning to the user to "change it later"? End users using these tools don't know what an SSH server is.
Another thing that software can automate and programmers forgot to take advantage of.
I trust the haxie community like I trust a pitbull high on angel dust.