First iPhone worm features Rick Astley
A week ago it was manual attacks on jailbroken iPhones; now a worm that penetrates the phone and spreads using open SSH connections is circulating in the wild. Because all iPhones have the same password for the 'root' and 'mobile' user accounts, installing an SSH server after jailbreaking an iPhone and failing to change these passwords leaves the device wide open, allowing anyone to gain remote administrator access.
According to reports, the 'ikee' worm is largely confined to Australia because it only searches for vulnerable iPhones (via UMTS) within Australian IP address space. An analysis of the ikee code by the Internet Storm Center found that the IP addresses are hard-coded and belong to Australian network operator Optus. The worm itself is very simple and is written in C.
It appears that the worm does not cause any real damage – after logging into the iPhone, it copies itself onto the device, deletes the SSH service and changes the wallpaper to a photo of Rick Astley with the caption "ikee is never going to give you up (You have been Rickrolled)". It then starts searching for further iPhones to infect.
Because the ikee source code was briefly freely available to download online, ikee variants able to cause real damage or disclose confidential information may well start appearing soon. Protecting jailbroken iPhones from ikee is, however, simple: log into the iPhone (via SSH or using the terminal app) and set new passwords for the root and mobile accounts. Users should bear in mind that firmware upgrades reset the passwords to their original values.
No figures for the number of infected devices are available, but an IRC chat with ikee's alleged creator revealed that he is surprised at the speed with which ikee has spread via UMTS networks.
See also:
- Jailbroken iPhones hacked via UMTS network, a report from The H.
- Apple's iPhone 3.1 anti-phishing ineffective?, a report from The H.
(crve)