iPhone security problems bring new risks
Network World - In just four days, not one but two worms targeting the iPhone have emerged. Both of the worms target the same vulnerability, a default password in the SSH server that is installed on jail-broken iPhones. While one worm is a mostly a nuisance, the second siphons personal information from the iPhone, which makes it a serious identity theft threat.
The vulnerability targeted only exists in an iPhone that has been jail-broken, meaning it has been opened to install software from sources other than Apple's iTunes system. One of the first applications installed on a jail-broken phone is a Secure Shell (SSH) server that enables encrypted terminal connections to a command-line interface. Via SSH, users can run basic Unix shell commands on the iPhone, making it very flexible. I have to admit that I have jail-broken my iPod Touch, which is almost identical to the iPhone, in order to experiment with non-approved applications. SSH itself is very secure, however, when first installed it has a default root password so that users can connect for the first time. The instructions accompanying the various flavors of jail-breaking software have large notices warning users to immediately change the password, but many don't.
The first worm that emerged just over a week ago is really more of a proof-of-concept. Promoting the Internet-meme of "rick-rolling", it brings artist Rick Astley into the user's phone. The worm, named "ikee" by the author, installs a picture of Rick Astley as the default background superimposed with the words "ikee is never going to give you up". Antivirus vendor Sophos provided an analysis and code samples of the worm in a blog post.
While mostly harmless, the worm is difficult to remove and creates a nuisance. Reading the source code of the worm, you can see the author comment "People are stupid, and this is to prove it so RTFM its not that hard guys", presumably referring to the warnings about changing the SSH password, which were not followed.
Less than one week later, Mac security vendor Intego discovered a second worm targeting the same vulnerability. Unlike ikee, the worm "iPhone/Privacy.A" is not just a nuisance or a proof of concept. This worm sits on a PC and scans the IP space for signs of a Wi-Fi-connected iPhone with the default SSH password. Once it finds one it siphons all the user's personal data, including e-mail, contacts, photos and other data. There is no indication that the second worm was written by the same author of the first worm, who has since been identified.
Both of these worms do not target a system vulnerability per se. The process of jail-breaking is not in itself the cause of this vulnerability. What both worms demonstrate is the increased interest that hackers are showing to mobile platforms, especially the very popular iPhone. With approximately 6% to 8% of iPhones reportedly jail-broken, these types of worms have plenty of targets. Unfortunately, this is only the beginning of attacks against mobile devices, a phenomenon predicted by most security professionals more than a decade ago. Regrettably mobile devices still do not have security controls much beyond a basic firewall and a closed set of applications. That is not enough.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts