Earlier this week, the news of the first iPhone worm made its way around the net. Since the worm only targeted jailbroken devices and then only those which had the SSH program installed, there wasn’t a need for concern on the part of most iPhone users. However, a second hacker tool which uses the same security hole as the so-called iKee worm has reared its head and this one is far more dangerous. According to security firm Intego, the new hacker tool goes after personal data stored on the device including email, contacts, SMS messages, calendars, photos, music files, videos and any other data recorded by any iPhone app.
In other words, if you’re the owner of a jailbroken phone, you should now be concerned.
New iPhone Worm Discovered
Unlike the relatively innocuous iKee worm which the creator designed more as a “public service” to alert users to the potential for malware on the iPhone, the new hacker tool, dubbed “iPhone/Privacy.A,” is the real deal. Where iKee simply switched the iPhone wallpaper to display a photo of singer Rick Astley (a nod to the internet meme of rickrolling), Privacy.A gives the user no indication that it is running on the device.
The new hacker tool also operates a bit differently than iKee does, as it doesn’t have to sit on the iPhone itself in order to inflict its damage or spread. The hacker can either load the tool onto their personal device and then monitor the network for jailbroken devices to attack, or they can load the malicious program onto a computer. As Intego points out in their post, this computer could be on a public network at an Internet cafe or retail store. In that scenario, the tool would then scan for any other jailbroken iPhones that came within range of the Wi-Fi network and attack them.
How to Secure your iPhone
Although many jailbreakers are tech-savvy enough to know how to lock down their devices to protect themselves from attack, there are quite a few who have simply followed online instructions such as these to perform the jailbreak. This group, while arguably somewhat tech-savvy, doesn’t necessarily know all the nitty-gritty details about the iPhone filesystem or its security mechanisms.
To make it easy on these users, we’ve provided steps on how to change your iPhone’s root password – the common denominator required in order for the malware to gain access to your device.
While some may argue there’s no need to change your root password if you haven’t also installed the SSH program, another necessary element for these attacks to work, we think that’s a little short-sighted. It would be easy enough for a malicious hacker to trick jailbreakers into installing SSH by bundling it with some other third-party application offered through underground App Stores like Cydia or Icy. By masquerading as something innocent like a wallpaper-changer or ringtone bundle, a hacker could easily set up a number of jailbreakers with SSH without the victims even being aware that it has been installed. Although we haven’t heard of anything like this happening yet, if we thought of it then you can bet that the hackers out there have thought of it too.
Changing the Root Password
The best protection is to simply change your iPhone root password. That will keep you safe from the current iPhone malware…at least for now. Here’s how:
- Install the MobileTerminal application from Cydia.
- Reboot your iPhone.
- Launch MobileTerminal and type in the command: passwd
- At the prompt which asks for the “Old Password,” type in: alpine
- At the new password prompt, type in a new password of your choosing, making sure to pick something strong.
- Re-enter the password to confirm.
- You’ll then be returned to the Mobile$ prompt which means the change was successful.
- Now you’ll need to change the password for the secondary admin. Type in the command: login root
- Again, you’re prompted for the old password. Type in alpine.
- Now type in the command: passwd
- You’ll then go through the change password routine a second time, entering in alpine as the old password, creating a new password and then re-entering it to confirm.
- When you are finished, close the application.
Note: these instructions assume you are running iPhone OS 3.0 or higher.
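Once you have run through the steps above, it is worth verifying that both accounts really were changed and whether an SSH server is present at all. The script below is an added example (not from the original article or from Intego) that can be run from MobileTerminal; it assumes the BSD-style /etc/master.passwd layout of iPhone OS 3.x, that the stock DES-crypt hash of "alpine" for both root and mobile is /smx7MYTQIi2M, and that the Cydia OpenSSH package installs /usr/sbin/sshd. The embedded password file is a constructed sample so the script runs anywhere.

```shell
#!/bin/sh
# Added audit helper: reports which local accounts still carry the stock
# "alpine" password hash and whether an SSH server is installed.
# Assumed (not from the article): stock DES-crypt hash of "alpine".
DEFAULT_HASH='/smx7MYTQIi2M'

# Print "name:STATUS" per account; STATUS is DEFAULT, EMPTY, LOCKED or OK.
# Fields follow master.passwd: name:hash:uid:gid:class:change:expire:gecos:home:shell
audit_passwd() {
    file="${1:-/etc/master.passwd}"
    while IFS=: read -r name hash rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ "$hash" = "$DEFAULT_HASH" ]; then status=DEFAULT
        elif [ -z "$hash" ]; then status=EMPTY
        elif [ "$hash" = '*' ]; then status=LOCKED
        else status=OK; fi
        printf '%s:%s\n' "$name" "$status"
    done < "$file"
}

# Succeed (exit 0) only if neither root nor mobile is at a default or empty password.
check_defaults() {
    audit_passwd "$1" | grep -E '^(root|mobile):(DEFAULT|EMPTY)$' >/dev/null && return 1
    return 0
}

# Assumed path of the Cydia OpenSSH server binary.
ssh_installed() { [ -x /usr/sbin/sshd ]; }

# Constructed sample standing in for /etc/master.passwd on a freshly jailbroken phone.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
##
# User Database
root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
EOF

audit_passwd "$SAMPLE"
if check_defaults "$SAMPLE"; then
    echo "root and mobile are no longer using the default password"
else
    echo "WARNING: root and/or mobile still use the stock alpine password"
fi
if ssh_installed; then echo "sshd is installed: make sure both passwords were changed"; fi
```

Replace `"$SAMPLE"` with `/etc/master.passwd` (or omit the argument) to audit the real file on the device.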
Update 11/16: Intego requested that the new attack be described as a “hacker tool,” not a worm.