[Noisebridge-discuss] If you have a jailbroken iPhone with OpenSSH installed...

Brian Johnson noisebridge at dogtoe.com
Wed Nov 4 19:50:06 UTC 2009


Glen,

The only way to get SSH enabled on your iPhone is to jailbreak it. There are a
number of ways to do this. However, simply jailbreaking it doesn't
automatically install SSH; you still have to install the "OpenSSH" package
through Cydia or another similar install program.

This really only applies to people who have 1. jailbroken their phone, 2.
installed ssh, and 3. not changed their default root password.

If you are worried about other potential exploits by having the same
"alpine" root password as however many million iPhones there are out there,
I suggest you write to Apple.

- Brian


On Wed, Nov 4, 2009 at 11:45 AM, Glen Jarvis <glen at glenjarvis.com> wrote:

> This may not be helpful, but in case it is, I'm sending it on.
>
> My iphone is a plain old 3GS - purchased from the store - no jail-breaking
> -- completely legal.
>
> However, if the root default password is standard like that, I wanted to
> change it to eliminate possible security risks. I did the following:
>
> 1) Connected to my webserver to see what IP address is recorded (in access
> logs),
> 2) Then tried ssh'ing to root at that IP address from a terminal -- large
> delay/ctrl-c and another approach
> 3) From the phone, using TouchTerm Pro, I tried doing the same as above.
> The connection was refused "Could not connect to server"
> 4) I tried root@127.0.0.1 and saw different behavior:
>
> SSH connection error
> debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
> debug1: connect to address 127.0.0.1 port 22: Connection..
> ssh: connect to host 127.0.0.1 port 22: Connection refused
>
> I have no direct terminal into the phone to see more...
>
> Cheers,
>
>
> Glen
>
>
> On Wed, Nov 4, 2009 at 11:10 AM, Micah Lee <micahflee at gmail.com> wrote:
>
>> Change your root password from alpine to something else, if you haven't
>> already. It looks like this Dutch kid hacked people's jailbroken iPhones by
>> sshing as root with the default password:
>> http://arstechnica.com/apple/news/2009/11/dutch-hacker-holds-jailbroken-iphones-hostage-for-5.ars
>>
>> I don't have an iPhone so I can't test this stuff myself, but I'm guessing
>> that they don't have firewalls, and if you have a 3G data plan your ssh port
>> is wide open to the internet. So anyone that knows the AT&T IP address range
>> for iPhones can scan for port 22, and then try logging in as root, with the
>> default password alpine.
>>
>> You can change your password by ssh'ing into your phone like so:
>>
>> ssh root@YOUR_IPHONES_IP
>>
>> Or from your iPhone, if you have the terminal app installed, open the
>> terminal and type:
>>
>> su
>>
>> The default password is alpine. Once you're logged in, just type:
>>
>> passwd
>>
>> And you can change your password.
>>
>> Also, I was playing with my iPod Touch and found some interesting things.
>> If you are ssh'd into an iPhone or iPod Touch,
>> /private/var/mobile/Applications/ contains all of the apps installed on the
>> device, and all the private data for them. So, for example, on my iPod
>> Touch,
>>
>> /private/var/mobile/Applications/27201D0E-D41A-4198-9FC0-185868FC28ED/AIM Free.app/
>>
>> is where the AIM app is installed, and
>>
>>
>> /private/var/mobile/Applications/27201D0E-D41A-4198-9FC0-185868FC28ED/Documents/Accounts.accounts
>>
>> is where I found my saved AIM password, in plaintext. Also,
>>
>> /User/Library/Cookies/Cookies.plist
>>
>> contains all my mobile Safari cookies, including the saved ones for
>> logging into Gmail.
>>
>> There's normally a lot more info than this that can be found on iPhones,
>> so change your password if you haven't already.
>>
>> Micah
>>
>> _______________________________________________
>> Noisebridge-discuss mailing list
>> Noisebridge-discuss at lists.noisebridge.net
>> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>>
>>
>
>
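
Added example, not part of any message in this thread: a small audit script for checking whether the password change discussed above has actually been made, by looking for accounts that still carry the stock password hash. Assumptions not taken from the thread: the hash string `/smx7MYTQIi2M` (the widely documented DES-crypt hash of the default password), the `/etc/master.passwd` location and layout, the `mobile` account in the constructed sample, and all function names.

```shell
#!/bin/sh
# Added example (not from the thread): find accounts still on the stock hash.
# Assumption: '/smx7MYTQIi2M' is the widely documented DES-crypt hash of the
# default "alpine" password in a stock /etc/master.passwd.
DEFAULT_HASH='/smx7MYTQIi2M'

# Print the login name of every account whose hash field equals DEFAULT_HASH.
default_pw_accounts() {
    awk -F: -v h="$DEFAULT_HASH" '
        /^[ \t]*#/ || NF < 2 { next }   # skip comments and malformed lines
        $2 == h { print $1 }
    ' "$1"
}

# Report findings; return 0 if clean, 1 if a default hash remains, 2 on error.
audit_passwd_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    hits=$(default_pw_accounts "$1")
    if [ -z "$hits" ]; then
        echo "OK: no account in $1 uses the default hash"
        return 0
    fi
    for user in $hits; do
        echo "DEFAULT PASSWORD: $user (log in and run: passwd $user)"
    done
    return 1
}

# Constructed sample in master.passwd layout (name:hash:uid:gid:class:...).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not copied from a real device
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
EOF
}

# With a path argument, audit that file; otherwise demo on the sample.
if [ "$#" -gt 0 ]; then
    audit_passwd_file "$1"
else
    demo=$(mktemp) && write_sample "$demo"
    audit_passwd_file "$demo" || true
    rm -f "$demo"
fi
```

Run on the device as root with `/etc/master.passwd` as the argument; any account it lists still needs `passwd` run for it, not only root.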