New iPhone password: "ohshit"
A new version of the worm infecting insecure jailbroken iPhones resets the password. Using the password cracking software John the Ripper, Paul Ducklin from Sophos has succeeded in determining that the password set by the worm on infected iPhones is ohshit.
The worm exploits the same issue as its predecessor to gain access to iPhones – they all have the same system password ('alpine'). Users who have jailbroken their phones to deactivate Apple's rights management and have then installed an SSH server are inadvertently allowing open root access via the web.
And as expected, the early 'just for fun' worms are being followed by genuine spyware. According to Sophos, the worm, known as 'Duh', collects mTANs for online banking and connects to a central control server. It also overwrites the /etc/master.passwd file with its own version containing a new password hash. Ducklin has, however, succeeded in cracking this hash using the open source program John the Ripper.
According to available reports, Duh does not appear to have spread widely. Users who have not jailbroken their iPhones have nothing to fear. By contrast, users who have jailbroken their iPhones and subsequently installed an SSH server should, as soon as possible, set a new password. If in doubt, it is always a good idea to check the passwords for the root and mobile accounts, just to be on the safe side.
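One way to check for the overwrite described above, as an added example that is not code from Sophos or from the original report: it reads a BSD-style master.passwd and compares the root and mobile password fields against the hash the owner recorded after setting a new password. The function names, the hash strings and the sample file are constructed placeholders.

```python
# Added example: audit master.passwd for the two accounts the article names.
# Every hash string below is a constructed placeholder, not a real hash.
WATCHED = ("root", "mobile")

def parse_master_passwd(text):
    """Return {account: password_field} from master.passwd text.

    Line format: name:password:uid:gid:class:change:expire:gecos:home:shell
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split(":")
        if len(fields) != 10:
            continue                      # malformed entry, skip it
        entries[fields[0]] = fields[1]
    return entries

def audit(text, factory_hashes, recorded_hashes):
    """Classify each watched account as missing, default, changed or ok."""
    entries = parse_master_passwd(text)
    findings = {}
    for account in WATCHED:
        current = entries.get(account)
        if current is None:
            findings[account] = "missing"
        elif current == factory_hashes.get(account):
            findings[account] = "default"   # shipped password never replaced
        elif current != recorded_hashes.get(account):
            findings[account] = "changed"   # not the hash the owner set
        else:
            findings[account] = "ok"
    return findings

# Constructed sample: root was overwritten, mobile still has the shipped hash.
FACTORY = {"root": "FACTORYHASH00", "mobile": "FACTORYHASH00"}
RECORDED = {"root": "OWNERHASH0001", "mobile": "OWNERHASH0002"}
SAMPLE = """\
# constructed sample, not taken from a real device
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:UNKNOWNHASH02:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:FACTORYHASH00:501:501::0:0:Mobile User:/var/mobile:/bin/sh
"""

if __name__ == "__main__":
    for account, state in audit(SAMPLE, FACTORY, RECORDED).items():
        print(account, state)
```

A "changed" result means the stored hash is neither the shipped one nor the one the owner recorded, which is what an overwritten master.passwd looks like.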
- First iPhone worm features Rick Astley, a report from The H Security.
- Jailbroken iPhones hacked via UMTS network, a report from The H Security.