
iPhones threatened by another virus

Patrick Stafford

A new virus that targets jailbroken iPhones has been identified that changes the gadget’s password in order to steal personal details including text messages, contacts and e-mails.

The virus comes just weeks after a Sydney TAFE student received global media attention after he released a piece of malicious software designed to highlight the gadget’s vulnerabilities.

The new virus will only target jailbroken iPhones, a term used to identify phones that have been cracked open by their users to access the internal file system in order to install unapproved applications.

It is also designed to search for users on the Optus network, along with users on the UPC network in the Netherlands.

The virus was identified by software security firm Sophos, which has named it “Duh” after a title identified in the software’s own source code. The company has warned jailbroken iPhone users to secure their devices.

The firm wrote in a blog post that the virus originated in the Netherlands and adds infected phones to a network known as a “botnet” that can be remotely controlled by hackers.

While the virus has apparently not yet been activated, infected phones are at risk of being used by hackers to gain private information, such as bank details, and to use the phone’s broadband, possibly sending some users’ charges sky high.

“It does not appear that iPhones are able to report back any sort of status information, so there is no way to securely use them in an enterprise environment. If an infected phone is also connected to your MS Exchange, WiFi, or VPN environment, all of your confidential data could be at risk,” the company said.

Additionally, the virus changes the phone’s “SSH” password, preventing users from accessing the internal file system. But Paul Ducklin, head of technology at Sophos’s Sydney office, says he has discovered a fix.

“I can tell you that the new password is: “ohshit”,” he wrote on his company blog. “So if you have a jailbroken phone running SSH, which you used to be able to log into as root with the password ‘alpine’ but which is now inaccessible, try “ohshit” as your root password. If you get in, you are almost certainly infected with the Duh virus.”

“Don’t have an “ohshit” moment. Don’t give jailbreaking a bad reputation. Change those passwords now.”

This virus comes after TAFE student Ashley Towns released his own virus a few weeks ago, saying he attempted to show users the vulnerabilities of “jailbreaking” the gadget’s software.