The time-bomb of unlocked iPhones..
Junior Member
Join Date: Sep 2005
How many people remember to change the root password on their iPhone after unlocking it and installing sshd in the process? 50%? 10%?
Imagine how many use their phone on public open wireless networks, without any firewall between their phone and the internet. It must only be a question of time before the first iPhone viruses appear.
Addicted to MacNN
Join Date: Oct 2002
Location: England | San Francisco
how would they know the iPhone IP address?
we don't have time to stop for gas
Junior Member
Join Date: Sep 2005
They don't. They just scan IP ranges. This happens today with any SSH server on the internet. Most servers receive a dozen requests every second with attempted logins using usernames and passwords from dictionaries. That's why there is software like DenyHosts (Welcome to DenyHosts)
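The log-watching idea behind tools such as DenyHosts, as an added example that is not part of the original post and is not DenyHosts' own code: it counts failed sshd logins per source address, lists the addresses that cross a threshold, and flags a successful login that follows repeated failures. The log lines are constructed, and the function names and the threshold of 3 are assumptions made for this illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH's syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 14 03:12:01 phone sshd[301]: Failed password for root from 203.0.113.5 port 40112 ssh2
Sep 14 03:12:02 phone sshd[302]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Sep 14 03:12:03 phone sshd[303]: Failed password for root from 203.0.113.5 port 40114 ssh2
Sep 14 03:12:04 phone sshd[304]: Accepted password for root from 203.0.113.5 port 40115 ssh2
Sep 14 09:30:10 phone sshd[410]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Sep 14 09:30:15 phone sshd[411]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")

def analyse(log_text, threshold=3):
    """Return (hosts to block, logins that followed guessing, usernames tried per host)."""
    failures = Counter()
    users_tried = defaultdict(set)
    suspicious_logins = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, host = m.groups()
            failures[host] += 1
            users_tried[host].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, host = m.groups()
            # Success right after repeated failures from one host: likely a guessed password.
            if failures[host] >= threshold:
                suspicious_logins.append((host, user))
    # threshold is an assumed value; a single mistyped password stays below it.
    deny = sorted(h for h, n in failures.items() if n >= threshold)
    return deny, suspicious_logins, dict(users_tried)

def hosts_deny_lines(deny):
    """Format block entries in TCP-wrappers (/etc/hosts.deny) style."""
    return [f"sshd: {host}" for host in deny]

if __name__ == "__main__":
    deny, logins, tried = analyse(SAMPLE_LOG)
    print("\n".join(hosts_deny_lines(deny)))
    for host, user in logins:
        print(f"ALERT: {user} logged in from {host} after {len(tried[host])} usernames were tried")
```

In the constructed sample, the accepted root login from the blocked address is the case the thread worries about: a password that was never changed, found by guessing.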
Mac Elite
Join Date: Feb 2001
Location: Washington, DC
Bigger question: Why is there a root login at all?
/Earth\ Mk\.\ I{2}/
Junior Member
Join Date: Sep 2005
The _login_ is not there by default. If you mean a root _account_, then that's because it's UNIX.
Mac Elite
Join Date: Feb 2001
Location: Washington, DC
No, I mean login. It is the default policy on Mac OS X that root login is completely disabled, and the only way to escalate to root privileges is through a program suid 0, such as sudo. No password for the root account exists, and all root login is locked out (remote, local, and via su).
This is substantially different from the iPhone, where there is a (trivial) default root password. No mechanism for login may exist in the default configuration; however, there is no protection against root console access, either.
/Earth\ Mk\.\ I{2}/
Mac Elite
Join Date: Sep 2005
Since everything on the iPhone runs as root, no, there wouldn't be protection against root console access.
Addicted to MacNN
Join Date: Oct 2002
Location: England | San Francisco
Originally Posted by iampivot
They don't. They just scan IP ranges. This happens today with any SSH server on the internet. Most servers receive a dozen requests every second with attempted logins using usernames and passwords from dictionaries. That's why there is software like DenyHosts (Welcome to DenyHosts)
So they'd have to scan *entire* IP ranges, and for each one try to SSH in and try the appropriate password?
we don't have time to stop for gas