[iampivot]

How many people remember to change the root password on their iphone after unlocking it and installing sshd in the process? 50%? 10%?

Imagine how many use their phone on public open wireless networks, without any firewall between their phone and the internet. It must only be a question about time before the first iphone viruses appear..

[Peter]

how would they know the iPhone IP address?

[iampivot]

They don't. They just scan ip ranges. This happens today with any SSH server on the internet. Most server receive a dosen requests every second with attempted logins using usernames and passwords from dictionaries. That's why there is software like DenyHosts (Welcome to DenyHosts)

[Earth Mk. II]

bigger question: Why is there a root login at all?

[iampivot]

The _login_ is not there by default. If you mean a root _account_, then that's because it's UNIX.

[Earth Mk. II]

No, I mean login. It is the default policy on Mac OS X that root login is completely disabled, and the only way to escalate to root privileges is through a program suid 0, such as sudo. No password for the root account exists, and all root login is locked out (remote, local, and via su).

This is substantially different from the iPhone, where there is a (trivial) default root password. No mechanism for login may exist in the default configuration; however, there is no protection against root console access, either.

[Tomchu]

Since everything on the iPhone runs as root, no, there wouldn't be protection against root console access.

[Peter]

Originally Posted by iampivot 

They don't. They just scan ip ranges. This happens today with any SSH server on the internet. Most server receive a dosen requests every second with attempted logins using usernames and passwords from dictionaries. That's why there is software like DenyHosts (Welcome to DenyHosts)

So they'd have to scan *entire* IP ranges, and for each one try to SSH in and try the appropriate password?