1 out of 20 iPhones/iPads can be hacked in less than a minute

[alexalex]

1 out of 20 iPhones/iPads can be hacked in less than a minute ? what about yours?

You just got your new and shiny iPhone and you are ready to load it with the coolest apps. A minute before you use iTunes store to buy some apps, your friend is calling you.

You: ?Hey dude, I?ve just got my iPhone and I?m on my way to iTunes to do some shopping?.

He: ?Are you nuts??? Paying for apps????

You: ?Is there any other option??

He: ?Of course there is. You just have to jailbreak your iPhone?

You: ?Jail? Break? What do you mean??

He: ?You let your iPhone out of Apple?s jail and then you can do whatever you like. Everything is accessible ? the coolest games, the best apps, the most amazing wallpapers and themes ? and you don?t have to go through iTunes anymore!?

You: ?Wow, I?m going to jailbreak my iPhone!!!?...

So jailbreaking is legal, I can get tons of apps, I am the master of my iPhone ? where is the problem?

The problem is, as usually in security issues, you ? the human factor.

It is very easy to jailbreak an iPhone and you don?t really need to understand much about this process. Anyone can do it and it takes only couple of minutes. There are several methods for jailbreaking and you can find the popular ones easily.

And here is the catch ? some methods for jailbreaking install a small software on your iPhone that is calledSSH Service. This software gives you a way to communicate with your iPhone remotely and with full access to any part of the system. You don?t have to know what is SSH and what is a service and actually most of the jailbroken iPhone users never heard about it before.

However, this SSH service also opens a small window to the world?

Let?s try to simplify it by using an analogy ? suppose you have a nice and well-protected house. You have doors, windows, steel grates and an alarm system that protects all the entries to the house. Now someone tells you that you if you remove the windows, doors and grates and disconnect the alarm system in the first floor, you will be able to walk freely into your house, you will see the view clearly and your cat will come and go as he likes.

Unless you live in an Israeli Kibbutz, your response will be ? ?are you nuts? everyone will be able to come inside, steal whatever they want, see everything I?m doing, eat my food and sleep in my bed.?

Did you ask the same question before you jailbroke your iPhone?

Probably not. Let?s see what can be the result of opening this small window in your iPhone....

Our field experiment

In order to understand better this phenomenon, we did an experiment in a small airport in Europe. It was a midweek day, around noon, where the airport was very quiet and not so busy.

We connected our non-jailbroken iPhone to the Internet via the free WiFi service and scanned the network. We found out that about 6% of the Apple devices had SSH service installed and waiting for remote connections. We tried to hack into them using the default password (in our experiment, once the default password was accepted, we logged out and disconnected immediately without violating the privacy of the user).

The result was amazing: about 80% of them where hacked immediately!!!

It means that about 5% of the iPhones in the airport were jailbroken with SSH service installed and a default password that was never changed.

We repeated this experiment in a small university and the results where about the same ? 4-5% of the iPhones were jailbroken with SSH service installed and a default password.

It means that about 1 of 20 iPhones/iPads in use can be easily hacked and the most sensitive and confidential data can be stolen....

How to hack into iPhones?

In order to show how easy it is for every non-technical user to hack into iPhones around him (as long as they are connected to the Internet through WiFi), we will demonstrate this process using two free iPhone apps. It is important to mention that during the hacking procedure, the victim (the jailbroken iPhone user) is not aware to the hacking, he doesn?t see anything special on his screen and the whole process is stealthy and transparent. Our goal is to increase the awareness of the iPhone users to their security and privacy, and not to encourage hacking of iPhones, which is definitely illegal.

The first free app, Fing, can be downloaded through iTunes store. This app is used to scan a network and look for connected devices....

Now we are going to use the second free app, Mobile Admin, which can also be downloaded from iTunes store.

This app lets you communicate with the remote SSH service....

http://blog.gostorm....-than-a-minute/

[evo_spook]

I jailbroke my original iPhone so that I could put on a pay as you go (as it was bought cheap abroad) and was a pain to update and jailbreak, but with getting a new one on a contract theres really no need for me anymore, I prefer it to just function then mess around with it.

and while So jailbreaking is legal, I can get tons of apps, I am the master of my iPhone ? where is the problem?

is legal, loading pirated apps isn't, if 99p is too much for someone and giving the developer some support then really theres no hope for them.

[djdanster]

Pretty cool but scary experiment. Does anybody know what programs they would have used to scan the "network" for SSH enabled iPhones?

[alexalex]

Pretty cool but scary experiment. Does anybody know what programs they would have used to scan the "network" for SSH enabled iPhones?

Free Fing app. It's in the article

[evo_spook]

I never agree with how they tell people what tools they need to download to this hacking, its not very responsible as you'll get any lame script kiddy downloading.

When you root your android device I wonder i do you also change the root password?

[djdanster]

Free Fing app. It's in the article

Thanks :).

Damn, I wonder how I didn't see that last paragraph :/

[n_K]

"we did an experiment in a small airport in Europe"

"We tried to hack into them using the default password"

Not the wisest bunch to freely admit breaking the law. Breaking in to prove a point is still breaking in. I don't people going around and seeing if they can smash your back house door down to see if it's possible for them to gain access to your house.

[Orange Battery]

I loved the little scenario at the beginning. I don't have an iPhone but it made me feel like I was part of a common situation. A cool friend may try to encourage me to smoke/Use drugs/ jail break, without letting me know the true cost of my decision.

I sure know what Im going to do now. :)

[alexalex]

"we did an experiment in a small airport in Europe"

"We tried to hack into them using the default password"

Not the wisest bunch to freely admit breaking the law. Breaking in to prove a point is still breaking in. I don't people going around and seeing if they can smash your back house door down to see if it's possible for them to gain access to your house.

They didn't break the law. Scanning networks isn't against the law. Finding SHH on a network isn't against the law. Breaking into a device , which they didn't do, is against the law.

I never agree with how they tell people what tools they need to download to this hacking, its not very responsible as you'll get any lame script kiddy downloading.

When you root your android device I wonder i do you also change the root password?

These tools are free to download from iTunes and have their purpose for personal usage. Like any tool, they can be used for good or bad purposes.

[Dashel]

Interesting experiment.

[n_K]

They didn't break the law. Scanning networks isn't against the law. Finding SHH on a network isn't against the law. Breaking into a device , which they didn't do, is against the law.

They attempted to login, again I don't know european laws so it'd depend on where they tested it, but in the UK it is ILLEGAL to even ATTEMPT logging in without permission. I'd imagine most of europe has the same kind of laws.

[Biohead]

First thing I do after jailbreaking is install OpenSSH via cydia.

Second thing I do after jailbreaking is SSH in and issue the passwd command to change the password.

No doubt I'm in the minority of jailbreakers as I know a lot of people that have jailbroken and to be fair I'm surprised they got that far themselves.

[Growled Member]

Just goes to show you that people should not be jailbreaking if they don't know what they are doing, which is most people.

[downhillrider]

Sounds like an article trying to scare ppl. Perhaps written by a certain employee from a company based in Cupertino.

[PurpleHaze420]

Anyone with any sense automatically changes the root password. Shrug. Nothing new here.

[Hell-In-A-Handbasket]

If people actually read the Jailbreaking info, it says to change the SSH password, or disable it, and gives instructions on how to.

Same with pretty much anything, like you said its result of human factor. Can't build a better thing, cause there will always be a better idiot

[Wannes]

If people actually read the Jailbreaking info, it says to change the SSH password, or disable it, and gives instructions on how to.

Same with pretty much anything, like you said its result of human factor. Can't build a better thing, cause there will always be a better idiot

Indeed and it always advices to turn SSH off after using it.