iPhone Rickroll exploit gets nasty, can now steal personal data
What started out as a mostly harmless annoyance coded by a young Australian lad to mess with his friends has turned ugly [Insert your own Rick Astley joke here].Intego reports that the exploit used by the ikee worm - which only swapped out users' iPhone wallpaper for a mugshot of the ginger king of the 80s - is being used to steal personal data from affected devices.
The worms are only a concern for those running jailbroken iPhone and iPod touches, of course. Still, even at Intego's estimate of 6-8% of those devices being jailbroken that puts the number at risk at well over 2 million.
It's simple enough to protect yourself - all you have to do is change your root password to something other than the default 'alpine.' Our friends at TUAW posted the following instructions:
Type: ssh root@(iPhone IP address)Turning off SSH is an option, too, but you should still change the password as well.
When prompted for the password type: alpine
Now you're connected the phone...
type: passwd
It should then prompt your for a new password -- type one that you'll remember. There's no easy way to reset it if you forget it.
I don't know if this is a labor of love or merely the brainchild of four very gifted games designers, but Level Up is a really weird mash-up of gaming elements that you have probably never seen in a Flash game before.
Let's start with the premise itself: Groundhog Day meets Memento. The game experience revolves around 'days': you explore the world and the clock slowly ticks towards the evening. You bounce around picking up gems and talking to the denizens of 'Level Upland'. Eventually you feel tired and head back to ...
Reader Comments (Page 1 of 1)
Evenio said 2:39PM on 11-11-2009
It bears mentioning that this exploit, in whatever form, only affects iPhone/iPod touch users who:
1. have jailbroken their device;
2. have installed SSH support via Cydia;
3. have ignored the warnings, both from the community at large (easy to miss) and accessible from the front page of Cydia in their SSH how-to guide (less easy to miss), to change the root password; AND
4. leave SSH access on all the time.
In other words, a minority of a minority of a minority of a minority.
That said, changing the root (and perhaps mobile) password really should be made a mandatory step in the jailbreaking process, in the form of a simple prompt with adequate explanation which doesn't accept "alpine" as an answer. Whether the change can be made "in vitro" during the ipsw build, or must be made after the jailbroken device is up and running, it should be made early, to reduce or eliminate the likelihood that less technically-inclined users neglect to change the password themselves.
I also recommend that SSH users install SBSettings, which provides a very convenient way to turn SSH access (among other things) on and off as needed. I never have it on unless I'm actually using it right that moment, and I was in that habit long before any malware appeared.
Reply
Ajit Anthony said 2:54PM on 11-11-2009
The headline is deceiving. Jailbroken phones are the only ones affected, make sure to put that in the headline.
Reply
josh said 3:40PM on 11-11-2009
the problem is that this "exploit" is not actually an exploit. It's merely a malicious program that exploits the end users stupidity rather than the OS itself. The real news should not be about this program, but about the people dumb enough to not have changed the default root password on the iphone.....
Reply
Jason Hall said 5:17PM on 11-11-2009
And don't forget, after opening the terminal to login as root/alpine, then do the passwd change.
Reply
Generic said 3:47PM on 11-11-2009
Apple searching for reasons why people shouldn't jailbreak iPhones :p
Reply
bobbylashley said 7:43AM on 12-10-2009
never gonna give you up, never gonnna let you down, never gonna turn around and desert you, never gonna make you cry, never gonna tell a lie, never gonna say goodbye and hurt you.
Reply