The ‘Duh worm’ exploit as reported by the bbc, affects only jailbroken iphones with openSSH installed, and installs software which spreads to other iphones, monitoring smses and details entered whilst banking online. While presently only affecting iphone users in the Netherlands, it seems likely that a version could easily be tailored to any phone network.
The exploit spreads because all iphones normally use the same root password- ‘alpine’, and while this is not normally a problem as there is no way to log into an unmodified iphone from a console, when openSSH is installed from the jailbroken appstore ‘cydia’, it allows full control of the phone through this open door.
However, openSSH is not a standard feature installed when jailbreaking an iphone. Cydia users have to choose to install it, it is made very clear that its only purpose is to allow network login to the device, and moreover, the installer page instracts the user to change passwords immediately. Considering the type of user who uses iphone openSSH, (me for example) this instruction is very likely to be followed.
What is interesting is the way this was reported by reuters, and by many other online news sites such as The Irish Times.
“The vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably,” said Apple spokeswoman Natalie Harrison.”
“The only iPhones that are vulnerable to the Duh Worm are “jail broken” phones, where users disable key Apple security features to get around the terms of usage agreement that they are designed to enforce, analysts said.”
Mainstream reporting of the flaw glosses over the need to install openSSH and repeats the uninformative “key Apple security features” line. Is it just me, or do these ‘analysts’ work for apple, who have a clear interest in enforcing iphone carrier agreements for as long as they can?
