first, I known I'm not the first one to write/warn about this so don't
flame me for it.
I recently jailbroken my iPhone so I could take a closer look at the iPhone
and it's OS. As most people I just used the PwnageTool
from the iPhone Dev-Team. It is easy, fast and just works. So
what most people forget is that the jailbroken iPhone OS comes with an
ssh server and that the root and mobile users have their
password set to alpine (mobile password is dottie).
This basically means that everybody can log into every jailbroken iPhone
as user root. When I jailbroke my iPhone I didn't change my password right
away since I was too busy playing with the new features and I strongly
believe that many other people never changed the password of their jailbroken
Again the danger lies in public Wifi hotspots or any other situation
where you share Wifi with people you don't know. A good example is the
upcoming Chaos Communication Congress
which has one of the most hostile (wireless) networks I know.
So what can happen if you leave your iPhone's password unchanged? That is
what I cooked up the last few nights.
In further detail this means all your private data is gone, just like this:
- Anyone can log into your iPhone as user root and/or mobile
- Anyone can copy files to and from your iPhone using scp
SSH_PARAMS="-q -o NumberOfPasswordPrompts=1 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
scp $SSH_PARAMS root@$IP:/var/mobile/Library/AddressBook/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/SMS/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/Notes/* /tmp/yourdata/
scp $SSH_PARAMS root@$IP:/var/mobile/Library/Calendar/* /tmp/yourdata/
The code shown above simply copies your Addressbook, SMS, Notes, and Calendar
from your iPhone using scp (secure copy - part of ssh). I know there is much
more to steal like: photos, email, or vpn configuration. This attack is
so simple everybody can do it without any special knowledge or tools.
Getting your personal data stolen can happen to you anywhere but there is another
threat that is more likely at events like the Chaos Communication Congress, defcon,
and any other conference with a high number of jailbroken iPhones: a worm.
A worm that simply spreads using ssh/scp and the default root/mobile password can be
written in bash (which is installed on all jailbroken iPhones) in about 4 hours.
The worm just (tries to) copies itself (a bash script) to every host on the
local wifi network in the background. Background tasks can be easily setup using
launchd. Just add a new task that runs the worm shell script every couple of minutes.
This is no big deal for anyone with just basic understanding of ssh,scp,bash, and
launchd/launchctl. I was able to do this in an evening mainly using Google to
get the appropriate launchd plist syntax.
Don't get me wrong, I don't want to encourage anyone to do all this. I just show
you how damn easy this is. So please change your root/mobile password on your
jailbroken iPhone - or somebody else will do it for you.
Btw. if you are looking for the images
that the iPhone takes about anything you do some of these are located here: /var/mobile/Library/Caches/Snapshots
(of course this is not new either see here).