Sunday, November 15, 2009

iWorm - a truly social virus

The iPhone worm is a thing of beauty. Not so much because of the technology involved, which is simple - although, since when has simplicity not been a good thing? - but because of the superb social engineering involved. Its designers demonstrated a perfect understanding of their target user population and came up with an elegant exploit of their psychology.

To recap: an iPhone, underneath the shiny stuff, is basically a little BSD Unix machine. Apple applies a lot of its own security and restrictions-management stuff to it, but this can be circumvented if you want to use software without getting Apple's approval for it - this is the process known as "jailbreaking". One of the most common things people do with the gadget after removing the Apple restrictionware is to install SSH, so they can log into a remote server and administer it from the phone.

Unfortunately, installing SSH also makes it possible to log into the phone from a remote machine, if you know the root password and the current IP address. So, before you do this, you absolutely must change the root password from the default ("alpine") to a strong passphrase. Otherwise, as soon as SSH is available, anyone on the Internet can get access to the phone with root-level privileges - i.e. they can do anything they like.

The worm generated random IP addresses and tried to log in through SSH using the default iPhone password, and if it succeeded, it replaced the home screen with a picture of Rick Astley. Haha. They could also have made hundreds of hours of international phone calls on your bill, scarfed your bank details, grabbed the log of who you called and who called you and carried out some sort of evil social-graph analysis...but they didn't. For now.

What gets me about this is that they obviously had an image in mind of the target user as someone who was clueful enough to install unofficial software on an iPhone, or who at least wanted badly enough to be seen as technically competent that they got someone else to do it, but who was sufficiently incompetent not to realise that they needed to set a real password or that they were connecting a full-blown unix box to the Internet without any security precautions whatsoever. (Given that having a server to ssh into implies you know that you can log into remote machines over the Internet if you know the password, I wonder how many of the victims had actually used the SSH client on the phone?)

As well as a practical implementation of the Dunning-Kruger effect, it's a genuinely social hack in that it identified and targeted a specific social group - annoying moneyed wannabe-geek hipster prats. It was a wanker-seeking missile. It is sheer brilliance, and I'm not at all surprised it was invented by Australians.

Update: As pointed out in comments, why would you need the daemon half of the ssh package? Apparently, some of the jailbreaking methods use it. The virus's creator specifically mentions the fact that so many iPhones had an active ssh service when he tested the scanning element of it in the comments to the source code of the virus.


Unknown said...

The group of hipsters (that is, people who annoy you) might well intersect with the group of owners of jailbroken but unsecured iPhones, but I'm not sure that coming up with something like iWorm is therefore justified or, for that matter, the most effective way to spoil a hipster's day.

I'd tend to go with the worthy T. H. Huxley on this one: "The saying that a little knowledge is a dangerous thing is, to my mind, a very dangerous adage. If knowledge is real and genuine, I do not believe that it is other than a very valuable possession, however infinitesimal its quantity may be. Indeed, if a little knowledge is dangerous, where is the man who has so much as to be out of danger?"

And conclude that writing viruses etc. is just a scummy thing to do.

Sam Dodsworth said...

I'm confused. Why install sshd on your iphone when all you need is an ssh client? And if you do install it, why enable it?

Alex said...

well, this is the question, innit? didn’t make sense to me either, but then the exploit is crafted to find people who wouldn’t ask that question.

Apparently some of the canned jailbreak techniques amount to getting the ssh daemon onto the phone, logging in with the default pwd, and then doing everything else via ssh. if this is available as a script that you just upload to the thing and run, I can see why clueless users might get into trouble.

if you read the original article, someone quoted points out that current jailbreaks don’t use ssh, but then the target profile isn’t “system administrator who keeps everything obsessively up to date” is it?

@charlie: I do not approve of viruses. I am also tebbly concerned and fraffly serious. Can I laugh now?

kostenloser Counter