Blog Post

The Worm Has Turned: iPhone Exploit Gets Nasty

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

Last week the news about yet another non-belligerent iPhone worm did the rounds and people responded by saying things like “How silly jailbreaker’s are for not changing their SSH root passwords,” and “It’s only a matter of time until a worm appears that’s not so friendly…” OK, yes, geeky people said those things. Normals will likely never know that jailbreaking is something you can do to a phone.

Well, the predictions of gloom have proven true. Over the last few days, and reported by The Mac Observer, a new worm has been identified. This one, (so-far limited to iPhone owners in the Netherlands), takes advantage of the exact same SSH-exploit as the previous worm. Once on a user’s iPhone, it circumvents Mobile Safari’s anti-phishing technology to present a spoof of a popular banking website. Users are tricked into handing over their online banking authentication details. The worm spreads from iPhone to iPhone, but is limited to jailbroken handsets connected to the same Wi-Fi network.

Apple has weighed-in with its own sage wisdom and advice on the matter. Speaking to The Loop’s Jim Dalrymple, Apple spokesperson Natalie Harrison said:

The worm affects only a very specific set of iPhone users who have jail broken their iPhones and hacked it with unauthorized software. As we’ve said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably.

If you live in the Netherlands and have jailbroken your iPhone and installed SSH, you need to change the default password to protect yourself from this particular exploit. Just don’t think you’ll be safe — Apple might keep the iPhone platform locked-down tight, but you can’t argue against the obvious security advantages of doing so. To date, there have been four confirmed worms “in the wild” on jailbroken iPhones. How many confirmed worms have appeared in the wild that affect non-jailbroken iPhones? There you have it.

The Real Question Is…

But the real question, as I see it, is this; who jailbreaks any more? I mean, really… who? Why? The single biggest reason people originally went to the trouble of jailbreaking their iPhones was due to frustration at the lack of native apps. (Back in the early days of iPhone ownership, and before the app store existed, only Apple’s own home-grown apps were locally installed on the device. Every third-party apps ran inside Mobile Safari and, therefore, required access to the Internet.) I did a lot of travel back then, usually by air and train, so I didn’t always have a reliable Internet connection; this rendered most of my web apps useless. That annoyed me, and I very nearly did the whole jailbreaking thing just so I could install applications locally that would work irrespective of an active Internet connection. (Ultimately I wussed-out, too afraid I’d permanently mess-up my precious — and expensive — iPhone.)

But that was then, and times have changed.. What other compelling reasons were there to void Apple’s iPhone warranty? MMS, video recording, exchange server support, multitasking and Copy & Paste were the “most missed” features. Today we have more apps than you can shake an iPhone at. We have MMS and video recording, exchange support and copy & paste.

The only thing missing is “true” multitasking, but for the vast majority of iPhone owners (for whom multitasking is another way of saying “I want instant messaging!”), Apple’s Push Notification Service does a decent job of balancing productive multitasking with preserving battery life.

So… why jailbreak? Is it a form of protest against Apple’s broken application approval process? Is it because you absolutely must replace the default icons with something far less classy? Perhaps you can’t live without tethering? Tell us in the comments the (few) remaining reasons for jailbreaking an iPhone.

Just please don’t say it’s for geek cred… I might cry!

52 Responses to “The Worm Has Turned: iPhone Exploit Gets Nasty”

  1. How about tethering?

    My phone is factory unlocked. I should be able to connect my laptop to the Internet like I always did with all of my previous Nokia phones. Can I? No, because some smart ass thinks that I can’t do what I want with my own factory unlocked device. I’m not breaching any contract, Vodafone lets me do it, I’m even paying for it.

    Now I’m back on 3.0.1 because is the last one that allows tethering without jailbreak.

  2. I truly love SBsettings which gives you a drop down menu accesible almost all the time, giving you access to the settings most frequently changed, brightness I find Im always adjusting. Also it gives you a list of currently running processes that works perfeclty well with ‘backgrounder’.

    An if that wasnt enough, then theres the pure magic of ultrasn0w.

  3. I Jailbroke my iPhone 3G for only one reason: A native Terminal application which can use my ssh-keys installed on it. Tethering would also be nice, but not necessary. Sadly, I’m not Jailbroken because it did not work with the latest release :-(

  4. I love this holier-than-thou attitude that non-jailbreakers are spewing. It reads as judgemental and arrogant as religious biggotry, yet somehow more pathetic.

    LIAM: Your choice of words here came off as condecending. “Is it because you absolutely must replace the default icons with something far less classy?”

    I appreciate that you drink the apple Kool-aid, but let’s have some perspective here. I haven’t used a theme in a long while, but I seem to recall some magnificently art-directed skins, many of which had more uniform (or “classy”) consistency across the UI. If you choose to define the open source community’s offerings by the least classy options, beware that the mirror reflects the same swill of rancid apps that make up the bottom 98% of the official “app store”.

    Cydia store offerings raise the bar for Apple in how they unify system functions, increase usability, and generally allow for a richer user experience. Now THAT’S classy.

    Final thought: App pirates are dirt, but so are an unfortunately high percentage of the apps that I’ve purchased from apple. I’m not without sympathy, but I’m not terribly sympathetic. Especially considering that the thieves are unlikely purchase candidates regardless.

    • Ooh, for the other jailbreakers out there that don’t use a theme – try using winterboard to simply disable icon labels.  Seriously, after a day or two, seeing the text-laden interface will make you cringe.  Knowing how minimalist Apple design can be, I imagine this will also become an adopted settings feature someday.

  5. I know some of you don’t want to hear it but the primary reason people jailbreak is to pirate software. Ask any developer, especially game developers, if pirating software on the iPhone is a problem. Again, there may be legitimate reasons to jailbreak but the majority of people jailbreak to steal software. Deny it if you want but it is true.

  6. blenderman345

    iJailbroke cuz I didn’t want to have a contract on my phone.
    And for video rec, and a buncha otha stuff.

    Listen, some people use Cracked apps and other piracy, but not all jailbreakers. I don’t cuz it’s illegal, and well, it’s jez kinda mean to the people that worked so hard to write it.

  7. I jailbreak my phone because I cannot justify paying an additional $30-40 each month for a data plan that I simply do not need. I still pay for a traditional AT&T plan WITH unlimited messaging.

    I purchased my phone legally second hand from another Apple-lover who had to have a new 3GS, so as far as I’m concerned, I am not a thief. I have paid for every aspect of this service.

    Is it wrong to ask for a cell phone with the beautiful and simple interface of the iPhone at a price less than $80 a month? According to AT&T yes, but that’s why I jailbreak.

  8. Nobody will not admit it but it’s for the free games they can pirate. Are people that cheap that they can’t fork over a couple of bucks to developers for good software?

  9. Your headline should read: “Only *JAILBROKEN* iphones get virus”.

    If you don’t illegally jailbreak your iphone… you will NEVER get this virus.

    Would you also print a headline that said “Ford Cars Blow Up When Started”?
    (Only to later find out that it’s only 1 model… 1 year… and only if the user illegal modified the car himself… and 0.0001% of them?)

    *VERY* misleading info.

    Why do so many of the articles here have VERY misleading headlines… and then buried
    deeply in the text… you’ll see that only jailbroken iphones are affected?

    • There’s nothing illegal about jailbreaking your phone. It is your phone, you can do with it as you wish. It might void your warranty, but that isn’t the same thing as being illegal.

    • that’s right. jailbreaking isn’t illegal and that is why apple is TRYING to make it illegal. what you’re saying is equivalent to saying you’ve purchased a car, it’s under your name, you’ve paid it off and decided to modify it by changing your rims and oh wow that’s totally illegal

    • Jailbreaking is not illegal. I own the device (I paid the full $600 retail after my subsidized one was lost) and I can do what I damn well please with it, and Apple isn’t going to tell me otherwise.

      Second, jailbreaking DOES NOT make your iPhone insecure. Installing shell access, and not changing the password from the default, is what makes it insecure. See the big difference?

    • @ Colin
      Second, jailbreaking DOES NOT make your iPhone insecure. Installing shell access, and not changing the password from the default, is what makes it insecure. See the big difference?

      The jailbreaking process allows running of unsigned applications and it most definitely makes your Iphone less secure. If you understand anything about security you should understand that opening up the OS to running of unsigned applications allows many other vectors of attack. Here is a paper done by Charlie Miller which highlighted some of the Leopard vulnerabilities. Guess what if I was writing malware for Iphone OS I would start with what works on OSX.

    • @pat s

      There are no jailbreak exploits in the wild that do not involve OpenSSH having the default password. Being able to install software is very different from a security vulnerability.

  10. The iPhone world would be markedly less robust without jailbroken phones. Apple originally did not want developers writing native device code and relegated everyone to web apps. It was the jailbreak explosion and subsequent software (via non-published API dumps, etc.) which helped push Apple in the direction we have today.

    Being able to run applications in the background is worth jail-breaking on its own. Would you run one application on your Mac? Every other major smartphone vendor allows multiple running apps. Not being able to run multiple apps severely limits the software which can even be conceived of for running on the iPhone. This limitation is hampering qualitative and quantitative software available and leaves the iPhone heavy on the game end and limited in the utility and business ends.

  11. norwegian reader

    I jailbreak my phone because og backgrounder. Beeing able to run spotify in the background is a must for me. The other stuff is nice just not important for me.

  12. Jailbroke to use T-Mobile: I’m using a much less expensive plan with a set amount of minutes and texts. (don’t talk on the phone all that much) And opted to save $25 a month for the time being by not getting their data plan. Plenty of wifi at work and home.

  13. There are plenty of reasons to still jailbreak:

    SBSettings toggles
    Lock-screen widgets
    Google Voice

    Here’s the thing… despite what you want to hype up, jailbreaking does NOT make your iPhone insecure. You know what makes it insecure? Installing SSH, which opens the phone to the world, and then leaving the root password as the default. You have to be really stupid to do this.

  14. I have a jailbroken phone because I also wanted it unlocked. Plus, as others have said before, Cydia gives you GV Mobile, Backgrounder, and SBSettings. Plus, I can skin my iPhone to look like whatever I want. I have OpenSSH, but I leave it turned off unless I need it- and when I use it, it’s always on my own home network with protection.

    Honestly, this worm can be so easily prevented. Change the password- it’s such a simple process. I think this is getting over-hyped a bit.

  15. AppleAddict

    I jailbroke originally for video recording, MMS, tethering, and customization of the screens and icons. I now have the 3GS and most of the original reasons are not relevant anymore but…I still love to customize my icons and screens with Winterboard. The original Apple icons and screen colors are just boring. I also love SBSettings, FontSwap, iProtect, and Categories. With the jailbreak process so easy nowadays, it’s a no-brainer, and your done in about 60 seconds. Also, it is always completely reversible if you later change your mind. You can always restore back to the original factory settings and no one can tell you ever had a jailbroken phone. It’s always worked for me with no problems. Love it!

  16. I jailbreak because:
    1. GV Mobile
    2. change font
    3. five icon dock
    4. five column springboard
    5. sbsettings
    6. customize sms bubbles
    7. adding weather info to status bar
    8. change ATT carrier logo
    9. unlock phone so i can use local sims when i travel abroad
    10. NES games
    11. notification icons on status bar for missed calls, unread emails, voicemails, unread sms, etc
    12. emoji

    Should I list more (by the way, everything I listed, I use. I wasn’t just listing for the sake of proving a point)? I’d say, if you’ve never jailbroken and don’t know what’s available, you’re probably perfectly content with having a stock phone. For someone like me who has been doing this since the original iPhone, it’s really hard to go even just one day without just one of the above.

  17. The main reason to jailbreak is since on this side of the Atlantic you can not buy unlocked iPhones (well, on ebay it is possible, but not as convenient as walking into a store) as you can in almost all parts of Europe. Yes, they do cost much more initially, but since I’m traveling all over Americas (Everywhere from Canada down to Argentina) buying a local SIM card from a local provider and using services like rebtel makes it much much cheaper then roaming.

  18. According to the latest states from Pinch Media (the iPhone analytics company) just under 10% of all iPhone users have jailbroken their phones. Thats an amazingly high percentage — can anyone think of another consumer device in which 10% of the users have essentially hacked it to increase functionality unofficially?

    I think this points to the fact that even now, in the era of the app store and the 3.0 software, there is a lot of frustration with how much Apple locks down the phone.

    FWIW, I jailbroke my phone for the same reason that I choose what software I run on my Mac — because it is MY computer and MY phone.

    • I would say that 10% includes a lot of units where the device was jail-broken to unlock the baseband rather then for the Applications. There were millions of Iphones jail-broken for grey market sales in countries not officially supported by Apple. The frustration with Apple and their store policies is probably in the noise level. Most folks are happy with what Apple delivers, a small vocal minority are trying to make things better which I applauded, but the average consumer probably doesn’t care.

  19. I used to jailbreak my iPhone but I don’t feel like I need to anymore. I used to so that I could unlock my O2 iPhone for Orange. Since Orange released the iPhone, I’d rather stay clear of anyone invading my iPhone in the near future.

  20. The main reason I jailbroke my phone was so I could change the SMS message received sound to whatever I wanted. I don’t know why Apple doesnt provide this functionality. I also bought an app from the Cydia store that allows me to respond to incoming SMS messages from wherever I am on the phone without having to quit what I am doing and launch SMS App.

    Both of these are nice features which enhance
    my phone. and the risk of jailbreaking is zero – assuming you are not an absolute idiot who leaves SSH turned on without setting your own passwords!

  21. I jailbreak. In fact, it’s the only thing that’s prevented me from breaking my contract and going to a different carrier. In my opinion, there are three programs that more than justify jailbreaking the phone:

    1) Backgrounder
    2) GV Mobile
    3) SBSettings

    These three apps enable features that the iPhone *should* allow in the app store or build in by default. (Actually, GVMobile was allowed, until Apple decided that Google Voice might compete with them turned into a bad caricature of Microsoft.)

  22. I live in India, and have an AT & T iPhone, which won’t work on my native Vodafone unless i’ve bought it from them (:P UGHHH, 6K more) or jailbroken and unlocked. Plus, there’s still the odd app Cydia helps you out where the 100,000 can’t.

    • That list was fine…until I got to the part where you advertise “cracked apps” as a reason to jailbreak. Piracy is wrong — it is stealing, and I am really disappointed that you would promote this. Most jailbreakers are NOT pirates, and pirates are the scum of jailbreaking community (and forget your lame disclaimer).

      There are dozens of super creative apps in the Cydia store that turn the iPhone from something cool into something absolutely incredible — they do things that Apple’s engineers are probably only barely thinking up for iPhone OS 4 or 5, and they are here today for jailbreakers who are willing to do the honest thing and pay a few bucks to encourage independent software development.

      With all this legitimate, legal “booty” around, telling people that they should use cracked apps from the Apple app store is not only wrong, it is just stupid.

  23. I have an 3G and when not jailbroken, I can’t make video’s. And I don’t have the cash to buy an 3GS. I also like the freedom I have to program my own little applications, with out paying Apple just $100,- so I can install my own. It’s not commercial stuff, just to make my own live easier.