Andrew Jaquith

Much breathless prose has been written about the Ikee malware circulating amongst iPhone owners. Described as the first iPhone worm, Ikee does something fairly funny: it replaces the user’s lock screen with a picture of Rick Astley, of 1980s “Never Gonna Give You Up” fame. In other words, it RickRolls your phone. According to its author, the worm spreads by scanning the phone’s local IP address range for other iPhones running the SSH daemon and, if it finds any, attempting to log in with the default root password. It then copies a JPEG of the sainted Mssr Astley to the location where the lock-screen picture is stored.

Ikee is more of a crude hack than anything else, and it presents no danger to most iPhone users. Only a small percentage of iPhone owners are at risk: to be affected, the owner must have done all three of the following. They must have:
  1. Jailbroken their phones
  2. Installed the SSH daemon (sshd)
  3. Left their root password unchanged from the default (“alpine”)
An iPhone owner who does not know anything about jailbreaking, or does not recognize the words Blackra1n, Blacksn0w, or Redsn0w, has nothing to fear. No jailbreak means no SSH daemon, and hence no way for Ikee to get in.

But owners who have jailbroken their iPhones have more to worry about. As one affected owner (user jokiin) put it: “I think there's a lot of blind faith put into jailbreaking phones and the majority of users really have no idea what compromises may take place as a result.” The simplest preventive measure is not to install SSH at all. If it is installed, shell into the phone and change the default root password to something unique.
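The remedy above, as an added shell example (not code from the post or from any iPhone project): a small helper to run from a root shell on a jailbroken phone. It assumes an OpenSSH-style sshd_config at /etc/ssh/sshd_config (an assumption; set SSHD_CONFIG if yours differs), that sshd is restarted by hand afterwards, and it goes one step beyond the post by also restricting root to key-based login, so that a password which merely differs from the default is no longer the only barrier.

```shell
#!/bin/sh
# Added example, not code from the original post. Audit-and-harden helper for
# sshd on a jailbroken iPhone. Assumptions: sshd is OpenSSH with a
# "Directive value" style config at the path below, and passwd(1) is the stock
# interactive one. Run as root on the phone:
#   sh harden_iphone_ssh.sh audit    # can root still log in with a password?
#   sh harden_iphone_ssh.sh harden   # write a hardened copy of sshd_config for review
#   sh harden_iphone_ssh.sh passwd   # the post's remedy: replace the default root password

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"   # assumed location

# sshd_get FILE DIRECTIVE: print DIRECTIVE's value. OpenSSH honours the first
# occurrence of a keyword, so stop at the first match. Commented-out lines
# start with '#' and therefore never match.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sshd_audit FILE: return 0 when the config already refuses password logins
# for root, 1 when a default (or guessable) password would still let someone
# in. Absent directives take the defaults old OpenSSH releases shipped with:
# PermitRootLogin yes and PasswordAuthentication yes.
sshd_audit() {
    prl=$(sshd_get "$1" PermitRootLogin)
    pa=$(sshd_get "$1" PasswordAuthentication)
    prl=${prl:-yes}
    pa=${pa:-yes}
    case "$prl" in
        no|without-password|prohibit-password) return 0 ;;  # root needs a key, or cannot log in at all
    esac
    [ "$pa" = no ] && return 0        # nobody can log in with a password
    return 1
}

# sshd_harden IN OUT: copy IN to OUT with root limited to key-based login and
# password authentication switched off. Existing settings of those two
# directives are dropped so the appended ones are the only (effective) match.
# Install your public key in root's authorized_keys (/var/root/.ssh on the
# phone) BEFORE activating the new config, or you will lock yourself out.
sshd_harden() {
    grep -viE '^[[:space:]]*(PermitRootLogin|PasswordAuthentication)[[:space:]]' "$1" > "$2" || true
    printf 'PermitRootLogin without-password\nPasswordAuthentication no\n' >> "$2"
}

case "${1:-}" in
    audit)
        if sshd_audit "$SSHD_CONFIG"; then
            echo "ok: $SSHD_CONFIG does not allow root to log in with a password"
        else
            echo "WEAK: $SSHD_CONFIG still allows root to log in with a password"
            exit 1
        fi ;;
    harden)
        sshd_harden "$SSHD_CONFIG" "$SSHD_CONFIG.new"
        echo "hardened copy written to $SSHD_CONFIG.new; review it, install your key,"
        echo "then move it over $SSHD_CONFIG and restart sshd" ;;
    passwd)
        passwd root ;;   # interactive; pick something long and unique
    "") ;;               # no subcommand: only define the functions above
    *)  echo "usage: $0 audit|harden|passwd" >&2; exit 2 ;;
esac
```

Changing the password is the minimum; the hardened config closes the password path entirely, at the cost of installing a key first. Note that the jailbroken phone's unprivileged mobile account shipped with the same default password as root, so give it a new one as well.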

Ironically, business users who travel internationally are more likely to be at risk. Incentives to jailbreak exist because Apple and AT&T will not unlock iPhones to allow the use of prepaid or other third-party SIMs while traveling. Even original iPhone users who have fulfilled their 2-year contract cannot unlock their phones. This is despite AT&T’s earlier promise that it would “gladly” unlock phones when the initial contract was completed.

Many of the editorial articles written in the wake of Ikee are well-meaning but draw the wrong conclusions. Yes, the iPhone is more like a little computer than a toaster. Yes, user education is important. Yes, “nothing is completely secure.” We knew all these things already. But no, this particular little demonstration project is not the harbinger of some massive flood of mobile malware for the iPhone. Mobile security software, conveniently dispensed by various security software vendors eyeing new markets, is not suddenly a must-have. And no, this is not further proof that Apple needs a Secure Development Lifecycle that exactly resembles Microsoft’s.

The only conclusions I would draw are these: if you choose to jailbreak, know what you are getting into. Read as much as you can about what the process does to your phone, and what precautions you should take if you install software (like sshd) that increases your attack surface. If you don’t understand what it all means, stop. And to Apple and AT&T, I'd say this: you gotta make it easier to use iPhones legally overseas with prepaid SIMs, like nearly every other GSM phone. Your current SIM-locking policy creates perverse incentives that put users at risk.