∞ Apple responds to reports of new iPhone worm

Apple on Monday responded to reports that another iPhone worm has been reported attacking iPhones. iphoneAccording to the reports, the worm allows hackers to steal information from a users jailbroken phone. A jailbroken iPhone is one that has been modified to allow the user to install applications and other software not approved by Apple.

But as this new worm shows, jailbreaking your iPhone may have consequences.

“The worm affects only a very specific set of iPhone users who have jail broken their iPhones and hacked it with unauthorized software,” Apple spokesperson, Natalie Harrison, told The Loop. “As we’ve said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably.

Security company Sophos reports that the worm attacks users on UPC in the Netherlands, Optus in Australia, and T-Mobile in several countries worldwide.

  • Steve S

    This worm relies on the exact same behavior. So, jailbroken devices with a non-default password are safe.

  • Is it me or does this kind of response remind anyone else of Microsoft’s comments when viruses started infecting PCs back in the late 80’s? “If those silly users would just use the products in the way we intended, none of this would happen..”

    I work in the computer security industry so maybe I’m more cynical than most about this kind of dismissive response. The truth is that Apple’s iPhone is out there, has a ton of limelight shining on it and it might be better PR for Cupertino to be seen to be acknowledging the risk and planning to fix it rather than pointing fingers and blaming customers. After all it’s not a big stretch to think that maybe Apple should be making the iPhone hack proof, like we’ve been asking MSFT to do to Windows all these years?

    For most users this isn’t an issue but the security teams inside enterprises take this kind of thing very seriously. Getting a bad rep, deserved or not, with those guys can cause serious adoption issues down the road. This is the main reason why most large corps require solutions like GoodLink for mobile users as it lets them impose strict policies for security.

    • @Howard Price: Apple is definitely working to make the iPhone hack proof. But in the meantime, if you find a hack that works and intentionally apply it, you’re going to open yourself up to other problems.

      Just because a vulnerability lets you unlock your device, it isn’t suddenly not a vulnerability.

      • I agree that you get what you ask for if you hack your phone. No question.

        I guess my point was that it’s not really great for Apple’s image to have a phone that’s hackable then blame people for hacking it. After all, it’s Apple’s reputation at risk here as most people won’t read passed the headlines that are shouting about worms on the iPhone.

        Once a product gets that reputation it’s a very hard thing to turn around.

        • I see no evidence that the iPhone is getting that reputation. It’s akin to suggesting that people are afraid to drive cars because people who operate them drunk sometimes kill people.

    • I read “If those silly users would just use the products in the way we intended, none of this would happen..” as “It would be silly to use products the way they intended, none of this would happen” …

  • @Peter Cohen: I didn’t say it had that reputation. What I did say that once that reputation forms, it’s very hard to turn it around. It doesn’t take too many hysterical headlines (justified or not) for people to start to associate attributes with a situation, person or device. We’ve seen it a million times before.

    My comment is about Apple’s response to this issue. It’s their reputation on the line. They need to be mindful of that and make sure that they are not perceived of being dismissive of a problem that has plagued the PC business for decades. There are a lot of twitchy reactions to security issues. Cupertino has a window where they can be seen as understanding this and taking it to heart. If they miss that then they will have a harder time convincing people that they take this as seriously as they should.

    Your analogy is not 100%. It’s more like people being afraid that someone else (drunk or not) can control their cars after they open the door. That’s pretty much what’s happening with the folks who jail break their iPhones. Unless they are very aware of system security (which I would guess the majority of them are not or this worm would have no chance as all the default passwords would have been changed) then they don’t know how to protect themselves now that the controls that Apple did provide no longer function.

    • Apple’s made it clear to anyone listening that the unlock itself is what makes the phone vulnerable. There’s nothing you can do to reach the people who aren’t listening, because they won’t listen to you.

      • True it’s the act of jail breaking that lets this worm in but the fact that the phone can be jail broken in the first place shows that there’s already a vulnerability to be exploited.

        My problem with all this has nothing to do with whether the phone can be hacked or not. It’s the tone of Apple’s response to all this. I truly don’t believe that any high tech company can afford to just push blame for security back on the end user. That path leads to the fears that Windows users face today and does nothing to reassure pensive enterprise buyers that iPhone (and through association the OS it’s based on) is too much different from the other security nightmares they face on a daily basis.

        Maybe I just expect more of Apple because they are – Apple. They won me over many years ago with product design, incredible usability and attention to detail that caught the whole industry off guard. That’s the Apple I expect to see step up and show us how secure technology can be. Do I expect every product to be perfect – no. Do I expect Apple to handle the issues around security better then Microsoft – heck yeah.

        • @Howard – Sorry, but I think Apple’s response was dead on. The iPhone is basically secure. Apple has responded promptly to the few times a direct exploit has been found.

          How does Microsoft respond if you install a hack that disables WGA?

          How has the “community” responded to Apple updating the firmware to reduce the chance of exploits?

          “They’re just trying to stop us using our phones when and where we want!”

          Seems to me they’re trying to stop OTHER users from using your phone when and where you don’t want.

          Just a thought.

  • vectrex

    A non hacked iPhone is not useable !!! i love my jailbreaked iphone ! now i have, Wallpaper behind the Icons, Multitasking, VideoRingTone,i can make Videos,send MMS since a long time before Firmware 3.x , i can Stop processes, ContactPhotos with Shortcut to dial the number, Can mount my iPhone 3G over Wifi onto my Ubuntu Desktop, i dont need that fu**ing iTunes Shi*. See new Emails, SMS,MMS,Twitter, Calender entries on the LockScreen. The Wather icon shows the real weather with temperature , and not all day all night sun. You just have to change the SSH password from “ALPINE” to an other ! thats all, so the iPhone is secure !

    • Gustav

      Funny, my non-hacked iPhone seems perfectly usable to me.

      • dunuck

        Thats because you never tasted a jailbroken phone 😉

  • dunuck

    Shut the f**k up already people

    You all sound like f**king old noobs, whining jailbreak is bad hack hack the other bla blah blah

    I have a jail broken iphone 3gs and an ipod touch 2g

    and they are just as safe from this attacks, as your precious unhacked iphones/ipods

    wait what? come again just by changing the default root and mobile password, my ipone and ipod became invulnerable to this attacks

    How ? tutorial howto change root password:

    1.Get Mobile Terminal from Cydia

    2.Open Mobile Terminal and type the following: su (press return)

    -type root (press return)

    • the terminal will ask for password – type alpine (this is the default root password);

    passwd (this command changes active user password, we are with root user now so it will change root user password), then type your new password and confirm it

    (repeat the same process for changing the mobile password)

    I knew that was iphone is vulnerable for attacks when I have opened SSH port and default root password, every attacker can do everything this is why i changed the password. This is the most efficient way to protect your phone. Cracking the new password on the iphone will be nearly impossible

    n addition to changing the user passwords for your iPhone, another good security measure is to use one of the jailbreak apps like BossPrefs or SBSettings to have a toggle that will disable SSH when not in use

    That’s it The jailbreak is the most wonderful thing that could have happened to the iphone/ipodtouch

    you have access to tons of useful apps that would never be available on the appstore, like

    winterboard: lets you create and use different themes for the iphone/ipod

    SBSettings: is a jailbreak application that brings various toggle switches directly to iPhone’s home screen that are available in the Settings app. quicker way to manage iPhone settings such as disabling or enabling features like Wi-Fi, Bluetooth, 3G

    -backgrounder (multitasking)

    -3G unrestrictor: under the 3g network it lets you download files longer than 10mbs, watch hd youtube videos, make voip calls etc.

    -yourtube: a useful plug-in for the youtube app, that lets you download and manage your videos

    -ifile lets you browse your entire file directory, watch mov,mp4,3gp videos, photos and much more

    -cycorder: video recording application for the iphone 2g and 3g

    -Categories: If you happen to be an app junkie like me, you would know how overwhelming all those icons spanning across five, ten or even more springboard pages can be. This app, which is simply and appropriately called ‘Categories’, allows you to fix just that… it lets you categorize all your apps into nice tidy folders

    • emulators: gameboy advance, snes, psx etc

    -installous/appsync: these tools allows you to download,install and sync with itunes pyrated paid apps (i admit it, 98% of my apps are pirated apps, i have like 300% worth of cracked apps)

    And many others useful apps

    ohh did i forget to metion that with the jailbreak you have access to a tool called ultrasnow, and balcksnow which lets you unlock your iphone

    meaning: you can use it with any GSM network IN THE WORLD. pretty cool right?

  • Steven

    Well, after that filthy comment, I’m not gonna reply to “dunuck” and have him / her think badly of me. I didn’t know that God actually responded to God’s creation like that but obviously God told us all, didn’t He? And then pronounced to explain to us just what Gods opinion is. We should all do as he said!

    Sorry dunuck, I mean God. I would say you don’t get too much respect out there in the real world, do you? Telling us all to “shut the !@#$ up” and then letting us all hear what you have to say. Wow man..I mean WOW!! Way to go!!

    I’ve JB’n my iPhone sense the 1G and never had any complaints either to the Dev-Team, nor Apple. You need some therapy dunuck. Your one, anger fueled, control freak.

  • dunuck

    dear steven i told you all to shut the f***k up because of the comments that were getting flooded with bullshit and stupidity

    like all the comments discussion whether or not it was apple responsibility, saying jailbreak is bad should be eliminated etc.

    My conclusion Apple doesn’t have to take any responsibility for this worm or any other that affects jailbroken iphones. Because the user intentionally takes all of those protections implemented by apple in order to “jailbreak”. Dont get me wrong i think the jailbreak is the best thing that could have happened to the iphone

    Is the Users responsibility to make sure he/she knows all the risks and possible vulnerability

    Now that this worm showed what they were capable of, unconscious jailbroken users will or maybe will not change their root passwords. It is their own fault if they don’t take security measures (in this case changing the default root password, or turning off ssh)

    I would like to add also, that its not the jailbreak itself that makes the iphone vulnerable to this worm, you have to download and install open ssh from cydia, and as i said before just by changing the default root password YOUR IPHONE WILL BE SAFE AND INVULNERABLE to these attacks

    Also its not like Apple is not trying to kill the jailbreak look at the new iphone 3gs and ipod touch 3g they both killed the 24Kpwn bootroom exploit, they also implemented a new system of ECID checks which only allow ipsws signed by apple servers to be installed into the iphone/ipod

    Finally i will make a silly comparison being attacked by this worm, would be like you turning off the firewall of windows and any other protection

    I know is a silly comparison but you can see my point

    “never had any complaints either to the Dev-Team, nor Apple” Neither did I

  • cool446

    dunuck is right the jailbreak is the best thing to happen to the iphone/ipod touch… besides we paid for the iphone/ipod touch… is apple going against our rights that we PAID for it!!!.. so apple should mind their own business about us costumers… and yeah almost all my apps are cracked too so what??… the people who crack the apps pay for them… they are sharing IPA’s …. is that really illegal?? NO!!!! y?? because the person who cracks it is SHARING it!!!! and apple should allow some apps that are jailbroken apps like dunuck said…. thats why people JAILBREAK!!!!!!!!! it adds more cool features to the iphone/ipod touch…. so i think everyone should jailbreak their iphone/ipod touch…..