Network News

X My Profile
View More Activity

First iPhone worm targets modified handsets

The first known computer worm written for Apple's iPhone currently is infecting iPhones in Australia, swapping out the device's background image with that of 80s singer Rick Astley.

The contagion, dubbed "Ikee," spreads only among iPhones that have been "jailbroken," a process that removes the device's software protection mechanisms and allows iPhone users to install applications that are not available through Apple's official App Store.


Ikee spreads not through any vulnerability exactly, but by exploiting a feature that many users of jailbroken iPhones likely never took the time to understand or read about. Most of the software packages that users install in order to jailbreak their iPhones come with a service known as Secure Shell (SSH). This service allows the devices to be accessed remotely over the Internet with a special password. The trouble is that the most common jailbreaking software installs SSH using a default password. As a result, users who jailbroke their iPhone but never changed the default password are vulnerable to being "Rickrolled" by this worm, or worse.

Although Ikee is relatively harmless, experts say the payload in this attack could have been a great deal more dangerous and invasive. Also, while the current versions of Ikee only scan for victims on specific 3G wireless networks in Australia, future iterations may be reconfigured to attack jailbroken iPhones on networks in the United States and other countries.

"The creator of the worm has released full source code of the four existing variants of this worm," wrote Mikko Hypponen, chief research officer at Finnish anti-virus firm F-Secure Corp (image above courtesy F-Secure). "This means that there will quickly be more variants, and they might have nastier payload than just changing your wallpaper or might try password cracking to gain access to devices where the default password has been changed."

F-Secure notes that Ikee disables the SSH service on infected iPhones, thereby preventing reinfection. The company has posted instructions for changing the default password on jailbroken iPhones, available here.

Graham Cluley, a senior technology consultant at security firm Sophos, said it probably won't be long until other iPhone worm writers jump on the bandwagon.

"My prediction is that we may see more attacks like this in the future," Cluley said, noting that just last week a Dutch hacker used the same iPhone feature to send alerts to affected users of jailbroken iPhones, offering instructions for securing the devices in exchange for a €5 payment to a PayPal account that the hacker controlled.

By Brian Krebs  |  November 9, 2009; 12:09 AM ET
Categories:  Latest Warnings , Safety Tips  | Tags: ikee, iphone worm  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Poking at Google's new privacy Dashboard
Next: Nastygram: MySpace phish plants spy software


Do you mean that those semi-useless toys made in Asian countries or elsewhere to protect us from muggers are in fact useless toys because of one password? Surprise, surprise!

Posted by: n7uno | November 9, 2009 2:48 AM | Report abuse

Your headline is misleading. An iPhone is not an iPhone without the Apple OS. Anyone glancing over the headlines, would think an unbricked iPhone could get this worm.

Posted by: klera | November 9, 2009 9:53 AM | Report abuse

klera, what would you then call an iPhone that's been hacked?

Posted by: Section506 | November 9, 2009 10:48 AM | Report abuse

Once you crack your phone, you're on your own - at least from a security perspective. When you walk away from Apple's walled garden, you enter a much more dangerous territory - and need to take more responsibility for security.

We've seen this time and again - pirated versions of Windows have a much higher rate of infection than legit.

Sadly, the writer of this malware doesn't seem to appreciate he's done anything wrong:

I'll bet he tells a different story when the authorities catch up with him...

Michael Argast, Security Analyst, Sophos

Posted by: michaelargast | November 9, 2009 11:26 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company