November 12, 2009
Just three short days ago, this blog made the not-so-difficult prediction that the Australian-born iPhone worm “iKee” would undoubtedly lead to far more nefarious payloads written with malicious intent. Yesterday, we began hearing reports of a new cross-platform iPhone malware, dubbed iPhone/Privacy.A, which is being used to mine iPhones for coveted personal and confidential information.
iPhone/Privacy.A is a computer virus that, once installed on a Windows, Mac, or Unix box, begins to scan the local network for jailbroken iPhones or iPhone Touch devices with open SSH ports. It allows an attacker to silently copy email, contacts, SMS messages, calendars, photos, music files, videos and any data recorded by various iPhone apps from the phone to the infected system.
As you’ll recall, jailbreaking is the term applied to the technical process of reloading an iPhone or iPhone Touch with custom firmware that exploits an early iPhone vulnerability to break out of the security controls that prevent a user from accessing system files. The issue at the core of heated discussion in the Apple/iPhone community is that by jailbreaking their device, users open themselves up to any number of known and unknown vulnerabilities. One of the vulnerabilities introduced is that the device becomes remotely accessible over SSH with a default password of ‘alpine’. If the user who just jailbroke their device either forgets or chooses not to change the root password, everyone who knows the default password (half of the world at this point) knows exactly how to connect to the vulnerable iPhone. The username/password combination that grants this access is the root account, which means the attacker has unfettered access to the entire iPhone directory structure and its data.
The current iteration of iPhone/Privacy.A does not appear to actually infect iPhones and will not spread from iPhone to iPhone; at present it infects computers and attacks iPhones from them. iPhone/Privacy.A appears to be written in Python, a highly portable, open-source language for which compilers and translators exist that would make it possible to run on systems where the interpreter is not installed. This means it is entirely possible for this virus to be modified into an actual worm that infects iPhones and spreads to other iPhones.
The most immediate course of action to protect your jailbroken iPhone from this attack (and others that will follow) is to change the device’s root password, per the instructions that we linked to above.
- Troy H. Vennon, Global Threat Center Research Engineer
