Friday, November 13, 2009

iPhone exploit in the wild and stealing user data

Over the weekend news broke that a worm had started infecting Jailbroken iPhones in Australia. Nobody really took the exploit too seriously as all the 'ikee worm' did was change the phone wallpaper to a picture of 80's pop singer Rick Astley in a kind of warped tribute to the RickRolling Internet meme of last year.

However, I warned at the time that "as code variants continue to appear it is only a matter of time, and probably not that much of it, before a malicious party uses it to deliver a payload that is a whole lot more troublesome than Rick Astley" and my gloomy prediction has now borne fruit.

One researcher, Peter James of Mac security specialists Intego, has revealed that a new exploit is taking advantage of the same vulnerability that the ikee worm did, the often unchanged default SSH password of Jailbroken iPhones. iPhone/Privacy.A, as Intego have creatively named it, will allow hackers to "silently copy a treasure trove of user data from a compromised iPhone: e-mail, contacts, SMSs, calendars, photos, music files, videos, as well as any data recorded by any iPhone app".

The hacker would first need to install the tool onto a computer, which would then scan for any Jailbroken iPhones connected to the networks it discovers; assuming that the root password has not been changed, it can then quietly go about its business. Although there is a chance of the thing being installed on a computer in a shop, for example, and scanning for devices within range as people mill about, the actual overall risk is pretty low.

For a start it requires a Jailbroken device, either iPhone or iTouch, and it is estimated that something less than 10% have actually been modified in this way. Although this does mean a couple of million or so devices at risk, you also have to bear in mind that many of those who have gone through the Jailbreak process will be of a technical mindset: exactly the people who read the newsfeeds, who frequent forums such as DaniWeb, and who will be all too aware of ikee and the need to change the default SSH root password. All of the time the number of devices that are at risk is being reduced.

So perhaps the 75% of people who took part in a Sophos poll, and who agreed that the ikee worm author had done iPhone users a favour by alerting them to a significant problem in a harmless way, were right after all. Better to get a grinning pop star on your iPhone as a wake-up call to a vulnerability than have your data stolen right off the bat. That said, the ikee worm also alerted the bad guys to the vulnerability and it has not taken them long to get right out there and exploit it.

Personally I would have preferred it if the ikee chap had approached Apple with the discovery and let them get it patched before going public. That kind of disclosure is the responsible way to do it and, assuming that Apple acted quickly enough, the problem could have been corrected without any data stealing tools or faded singers being involved. Of course, Apple might say that if you breach the terms and conditions of usage of your hardware device by modifying it in this way then you deserve everything you get.

Certainly, as far as the Apple campaign against Jailbreaking goes this kind of bad publicity is actually pretty good for the company. It can, quite rightly, proclaim that legitimate users have nothing to fear and warn that the security risk is just one more reason that they should not be tempted down the Jailbreak road.

That said, some researchers are also warning that non-Jailbroken iPhones could be compromised if the bad guys look away from this particular access route and start exploiting other avenues such as the SMS hacking trick revealed at Black Hat earlier in the year.
