MacNewsWorld.com

New Worm Gives Jailbroken iPhones the Ol' Rickroll


The Internet prank known as "Rickrolling" has made its way to iPhones in the form of a worm that infects jailbroken versions of the device. The worm is more annoying than harmful -- it even appears to lock the door behind it, preventing similar attacks from slipping in. However, security pros are concerned that a hacker with malicious intentions may exploit the vulnerability the worm highlights.


Although it apparently causes no actual harm besides a trivial annoyance, a worm that hits jailbroken iPhones has security researchers worried.

The so-called Ikee worm was discovered by security researchers recently. It installs a picture of pop singer Rick Astley and displays the message "Ikee is never going to give you up" on victims' iPhones. The concept is based on a widespread Internet prank known as "Rickrolling."

However, the worm prevents further reinfection by shutting down the vulnerability it exploited.

How the Worm Works

The Ikee worm exploits the SSH, or secure shell, protocol on jailbroken iPhones. SSH is a network protocol that lets two networked devices exchange data using a secure channel. It is primarily used on Linux- and Unix-based systems to access shell accounts.

"The problem is, iPhone users don't think of their devices as being Unix computers," Chester Wisniewski, a senior security adviser at security company Sophos, told MacNewsWorld. "But that's just what it is."

The worm searches for vulnerable iPhones by scanning a handful of IP ranges, most of which are in Australia, Mikko Hypponen, a researcher at security software vendor F-Secure, said on the company's Web site. It attacks jailbroken iPhones whose users have not changed their default root login password.
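A defender's view of the scanning behaviour described above, as an added example that is not part of the original article: it flags hosts that open SSH (TCP port 22) connections to many distinct addresses within a short window. The flow-record format, the addresses, the window and the threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: timestamp, source, destination, destination port.
# All addresses come from private/documentation ranges; none are real data.
SAMPLE_FLOWS = """\
2024-01-01T10:00:01 10.0.0.23 192.0.2.1 22
2024-01-01T10:00:02 10.0.0.23 192.0.2.2 22
2024-01-01T10:00:03 10.0.0.23 192.0.2.3 22
2024-01-01T10:00:04 10.0.0.23 192.0.2.4 22
2024-01-01T10:00:05 10.0.0.23 192.0.2.5 22
2024-01-01T10:00:06 10.0.0.23 192.0.2.6 22
2024-01-01T10:00:07 10.0.0.23 198.51.100.9 443
2024-01-01T10:00:08 10.0.0.5 198.51.100.7 22
2024-01-01T10:00:30 10.0.0.5 198.51.100.8 22
2024-01-01T10:01:00 10.0.0.40 203.0.113.1 22
2024-01-01T10:03:00 10.0.0.40 203.0.113.2 22
2024-01-01T10:05:00 10.0.0.40 203.0.113.3 22
2024-01-01T10:07:00 10.0.0.40 203.0.113.4 22
2024-01-01T10:09:00 10.0.0.40 203.0.113.5 22
truncated-record 10.0.0.23
"""

def parse_flows(text):
    """Parse whitespace-separated records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            flows.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
    return sorted(flows)

def ssh_fanout_sources(flows, window=timedelta(seconds=60), threshold=5):
    """Map each source to its peak count of distinct port-22 destinations
    inside any one window, keeping only sources at or above the threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 22:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

With the default 60-second window only the fast scanner is flagged; widening the window also catches a source that spreads its SSH attempts over several minutes.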

The worm will not affect iPhones that have not been jailbroken. "Apple has a locked system with whitelisting so this type of vulnerability will only affect jailbroken iPhones," Sean Sullivan, a security adviser at security vendor F-Secure, told MacNewsWorld.

The attack is a variation on a prank known as "Rickrolling." Originally, users in an online discussion were provided a link claiming to take them to a video relevant to the topic but which actually took them to the music video for the 1987 Rick Astley song "Never Gonna Give You Up" instead.

Opening Up Pandora's Box

Sophos identified the author of Ikee as 21-year-old Australian student Ashley Towns, according to senior researcher Graham Cluley's blog. Towns goes by the online handle of "ikex."

His phone had infected 100 others, and he had no idea how fast the worm is spreading, Towns reportedly told interviewers. There are four variants of the Ikee worm, and Towns has posted the full source code of all four on the Web. This could lead to a lot of trouble.

"The worm could be used for just about anything," warned Sophos's Wisniewski. "It could send spam, make phone calls, send SMS, or listen to your conversations, for example."

The iPhone's increasing penetration of corporate America may also be cause for concern, Sophos's Wisniewski warned. That's because most enterprises don't centrally manage their iPhones, as these often are purchased by users and then used in corporate business, he explained. "People treat their iPhones very much as a personal device, even if they're using them for corporate purposes," Wisniewski said. "One third of the people I know have jailbroken iPhones."

The Jailbreaking Danger

The Ikee worm may be at least the second exploit using SSH in which the hacker has warned victims that their iPhones are vulnerable. Last week, a Dutch hacker broke into jailbroken iPhones and displayed a message saying their devices were insecure and demanding a ransom of five Euros, according to Sophos.

The Dutch hacker also exploited the SSH vulnerability in jailbroken iPhones, F-Secure's Sullivan said.

Just about all owners of jailbroken iPhones are at risk. "Advanced users install SSH so they can log into their iPhones remotely, but if you install an iTunes App Store app on your iPhone that uses the password table you can also get infected," Jay Freeman, a consultant, told MacNewsWorld. Freeman, also known as "Saurik," is the founder of Cydia, which offers apps for jailbroken iPhones.

Users who have jailbroken their iPhone or iPod touch and installed SSH must change the root user password to something different than the default, which is "alpine," according to Sophos' Cluley.

Just a Tarnished White Knight?

About 75 percent of the hundreds of respondents to an informal Web poll conducted by Cluley said Towns was actually doing iPhone users a favor by raising awareness of poor security. "I was shocked," Cluley told MacNewsWorld.

Still, those who approve of Towns' action may have a point. After Ikee infects a phone, it disables the SSH service, preventing reinfection. Towns criticized users for not reading their manuals when he posted the source code to his exploit on the Web.

On the other hand, the worm does suck up user bandwidth, and it is likely going to keep on spreading.

"Now the jailbroken iPhone has proved the concept, it might not be long before a zero-day vulnerability may show up on the iPhone," F-Secure's Sullivan said.




More by Richard Adhikari
