iPhone Security Issues Not Exclusive To Jailbroken Devices

December 4, 2009

In the past few months there have been multiple worms released into the wild that affected inadequately protected jailbroken iPhones. However a Swiss iPhone developer has published research that indicates that there are also security vulnerabilities affected un-jailbroken devices too. This doesn’t come as much of a surprise to most as it was only a matter of time.

The developer, Nicholas Seriot has created a proof of concept app called SpyPhone to demonstrate how Apple’s own APIs can be used to read and edit user’s address books, gain access to the user’s web surfing history or even recent location information. Although this is not as bad as what can be done with root permissions to the device, it can still effect users, especially when they think they are safe.

For the attacks to work, the application with the malicious code would need to get through the App Store approval system, however this wouldn’t be very hard as pointed out by many developers, as Apple doesn’t check source code but does have a kill switch on every app. The code would be delayed, so that it only beings to work so many weeks after the app is released or it could be an encrypted payload.

Nicholas Seriot detailed these possible iPhone privacy risks in a talk he delivered in Geneva, during which he also outlined possible defense strategies, suggesting that Apple should design the iPhone OS to require users to authorize read or read-write access by iPhone applications to potentially sensitive on-device information such as the Address Book, add firewall functionality to the device and ensure the keyboard cache is not as readily available to third-party applications.

Developers Research

Related:
How To: Change Your iPhone’s SSH Password

Dutch Hacker Hack’s Into Jailbroken iPhone’s
iPhone Worm Rickrolls Jailbroken Devices
Second iPhone Worm Used For Malicious Purposes


Second iPhone Worm Used For Malicious Purposes

November 23, 2009

There has been news today of yet another iPhone worm that affects users who have unsecured SSH installed on their device.

Security Company, F-Secure, has unearthed this latest worm for the iPhone which targets people in the Netherlands, as it did before with the first exploit of unsecured SSH. It targets users who use their iPhone to online bank with ING. Much like a phishing attack, it redirects the bank’s users to a look-a-like website with a log-in screen.

The worm only affects jailbroken devices as before, and only devices with SSH that has the default password are affected. This latest worm is more serious than the ones prior, as they were created to warn people, that things such as this could happen. The security company, F-Secure, have also said that it can behave like a botnet and send itself to other un-secure devices on a local WiFi network.

The phone can be controlled by the hacker remotely without the knowledge or permission of the user. Hackers can ring people, text people, copy your contacts or what ever they wish with your device if it’s left open. At the moment it’s only spreading around the Netherlands, but soon enough malicious hackers will most likely take advantage of the users who don’t change the default password.

A spokesperson for ING Bank said that a warning was going to be put on the bank’s official website.

“We are also briefing call centre personnel,” she added. “It’s important to remember that the worm only affects jail-broken phones and it is only aimed at customers in the Netherlands.”

If your device is jailbroken and you believe SSH maybe, or is installed then please read this guide to secure your device. Many other guides will not fully protect you as they only change the mobile user password and not the root.

If you wish to read more from F-Secure on this issue click here.

Related:

How To: Change Your iPhone’s SSH Password
Dutch Hacker Hack’s Into Jailbroken iPhone’s
iPhone Worm Rickrolls Jailbroken Devices


iPhone Worm Rickrolls Jailbroken Devices

November 8, 2009

Over the past week there has been a lot of news over unsecured SSH on iPhone. First about the Dutch hacker who wasscanning the network for jailbroken users who had not changed their default SSH password. Now a hacker who goes by the name of “ikee” from Australia, created a worm that changes the home screen background to Rick Astley.

As I’m sure your aware by now this only affects users who have jailbroken their phone and installed OpenSSH, not just general users or who have jailbroken their device. If you have jailbroken your device and have got OpenSSH installed please read this guide on how to change your default password to ensure none of these worms or hacks will affect you.

Rickroll iPhone Worm

ikee says this is how the worm spread: “The code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra’s IP Ranges (I think the reason Optus got hit so hard is because the other 2 are NAT’d) then a random 20 IP ranges. I’m guessing a few phones hit a range that another vulnerable phone was on.”

Once one phone is infected it searches for phones with the default password and then begins the process again.

Dutch Hacker Hack’s Into Jailbroken iPhone’s

How To: Change Your iPhone’s SSH Password


iPhone 3G & iPod Touch Can Now Edit Video

September 14, 2009

Due to the recent 3.1 iPhone OS update, the iPhone 3G and iPod Touch are now able to edit video just like the iPhone Apple Logo3GS. Both devices still can’t record video, unless jailbroken, so this may not come as a big tool for most people.

To get it to work, first you must get someone to email you a video file. Once you have it, you can open the email and select the arrow on the lower menu bar. This will give you five options: Reply, Reply All, Forward, Save Video and Cancel. Once you select Save Video, the video will get saved to your Camera Roll.

Go to the Camera Roll and select the video, you are then able to watch the video and edit it. To edit a video, tap on the timeline at the top of the page, you can then drag your finger to the start and end points on the video. When you select trim, you then have the option to trim the original video or save the trimmed potion as a new clip.


Numeric Battery On iPhone Killing Battery Life?

August 8, 2009

There has been many reports that enabling the numeric battery feature on the iPhone actually kills the battery life Apple Logoquicker. Some people have reportedly found a massive increase in battery life after turning off this simple feature. Especially those with jailbroken phones who use SBSettings to turn on the feature.

Some people oriignally thought the battery died quicker, but thought it was a psychological thing and that you thought it was as you could see the percentage go down. However I’ve now turned off the numeric battery for good and hope I get better battery life as currently it’s not lasting a whole day with light use.


Dev-Team Confirm No Need For New Jailbreak Tools For 3.0.1

August 1, 2009

The iPhone Dev-Team have confirmed that there is no need for them to release new tools for Jailbrakejailbreaking the latest firmware 3.0.1.

They released this information:

The 3.0.1 release is a “branch” from 3.0 that occurs (code-wise) before all the 3.1 betas. The programs redsn0w needs to change for the jailbreak are identical when you compare the 3.0 and 3.0.1 versions. It seems pretty much the only changes Apple made were for the SMS bug, which affects programs that redsn0w doesn’t touch. That’s why you can re-use redsn0w 0.8 on 3.0.1 even though it was written for 3.0.

And since 3.0.1 doesn’t touch the baseband either, ultrasn0w 0.9 works for those needing the soft unlock. Just install it from the repo666.ultrasn0w.com repository using Cydia as usual.

We’ll at some point fix redsn0w to recognize both 3.0 and 3.0.1 IPSW’s, but really that’s the only change that would be made to it. Everything else would be identical, so there’s no need to wait for the “proper” version that recognizes the 3.0.1 IPSW as valid.

So to jailbreak the new firmware just use the old tools and you should have no problems.


Apple Releases iPhone OS 3.0.1

July 31, 2009

Apple earlier today released the latest iPhone OS, version 3.0.1. This update fixes the major SMS security issue that theyiphone_os_3 have finally fixed.

There hasn’t been many changes in the latest firmware release that have been found other than the SMS fix, feel free to email them in if you find any.

If you want to jailbreak your device it has been reported that in most cases it works fine but maybe wait a while until everything gets checked out.