The Ikee iPhone worm has been hitting the headlines this week and although there doesn’t seem anything malicious about this particular one – although many would say Rick Astley wallpaper is inhuman enough - the code has been made public, so it’s not beyond the realms of possibility that we’ll be seeing some far more serious versions in the future.
Thankfully, there is a very easy way to avoid becoming a victim of Ikee or any of its future variants and that is to change your root password, as by default it is the same on all phones, hence the problem. The following applies only to those who have jailbroken their iPhones and have installed SSH. If you aren’t sure if that applies to you, then it almost certainly doesn’t!
Changing your root password is simple, just follow these instructions:
- You’ll need MobileTerminal installed, so if you don’t have it, open Cydia and search for it under the search tab. When you’ve found it, select it, tap install and then confirm.
- Return to Cydia and then close it by pressing the Home button.
- Select MobileTerminal from your list of installed Apps.
- When it opens you’ll be presented with a terminal screen familar to anyone who has worked on OS X or Linux computer operating systems.
- Type su and then tap return.
- Type alpine and tap return again.
- Now you should be logged in as the root user, so it’s time to change your password to something new.
- Type passwd (note the misspelling) and tap return.
- Type your new password and tap return, when you’ll need to re-enter your new password for verification, followed by return again.
That’s it! As usual with important passwords, avoid using dictionary words and if you’re the forgetful type, make a note of it somewhere safe.
![Jailbreaking news: Trick iTunes into thinking you have iPhone OS 3.1.3 [UPDATED]](http://www.iphonefreak.com/wp-content/themes/freshnews/thumb.php?src=/wp-content/uploads/2008/10/iphone3gofficial.png&h=28&w=28&zc=1&q=80)
November 10th, 2009 at 3:41 pm
Sigh. I see this half-way advice all over the net:-(
YES, you should reset your root password to something obscure.
BUT, you are still vulnerable to brute force password attacks, and these are widespread and automated on the net.
It is far, far better to lock down your ssh properly:
– make sure you’re on a firewalled wifi net when you jailbreak
because you are vulnerable until you’ve secured your phone
– make yourself a personal ssh keypair on your main machine
– copy the public key onto the phone with ssh and put it in
your .ssh/authorized_keys file; make sure the permissions are
right (no group/other write permissions on ~, ~/.ssh or ~/.ssh/authorized_keys)
– LOCK DOWN YOUR /etc/ssh/sshd_config file:
– disallow passwordauthentication
– disallow root login
Now the viruses/worms/script-kiddies can bang their heads against your phone. And as a bonus, _you_ can log into your phone without mucking with tedious passwords if you run an ssh-agent on your main machine.
- Cameron Simpson
November 11th, 2009 at 7:44 am
Thanks Cameron,.. but could you explain this for noobs like me who don’t know much about using SSH?
Thanks