Sign up to our newsletter
I don't really want to keep banging on about jailbroken iPhones when there are threats out there that affect many more people (though according to Intego, 6-8% of iPhones are, in fact, jailbroken, so I don't want to minimize the threat either).
I'm quoting Intego because they've just blogged (http://blog.intego.com/2009/11/11/intego-security-memo-hacker-tool-copies-personal-info-from-iphones/) what I think is a critical development. They claim to have found a hacker tool that uses the same vulnerability that the ikee worm uses in order to connect to any jailbroken iPhone where the owner hasn't changed the root password. They say that this threat, which they call iPhone/Privacy.A, can be installed on Macs or PCs and can work under Unix or Linux. It's not clear from the blog whether it works under Windows: however, if it doesn't, a version could obviously be created that would. It isn't a virus or worm, but it allows a criminal to steal information from a jailbroken iPhone without advertising its presence,
Intego are, quite rightly, pointing out the dangers of jailbreaking. If you do have a jailbroken iPhone, you do need, at the very least, to change the root and mobile passwords as soon as possible. This threat is rated as low risk by Intego, and I think that's about right at present. However, the default password genie is well out of the bottle now, as I mentioned here and here, and iPhone owners need to consider the risk not only from the threats reported so far, but the potential risk from future threats using similar approaches.
Forget all the verbiage about pranks: there's nothing funny about this.
(Hat tip to Graham Cluley for alerting me to the Intego blog.)
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, ESET