Security Measures After iPhone Jailbreak


STEP-BY-STEP GUIDES SUMMARY
on how to change SSH default passwords after jailbreak

  1. Don’t install OpenSSH *) (Cydia link for your information) after jailbreak unless you know exactly what you are doing
  2. If you absolutely cannot avoid SSH, follow one of the step-by-step guides immediately

Recommended guides

Other guides (the first two are illustrated)

  • Blog iClarified: How to Change the Root Password on Your iPhone
    The iClarified tutorial is missing something: you also need to change the password for the ‘mobile’ account, or you’re still vulnerable!
  • Computer magazine Macworld: Secure your jailbroken iPhone with a password change—mind the update in the Macworld article!
  • Blog Extra Future: How To: Change Your iPhone’s Root Password
    You can also change the iPhone SSH passwords from a Mac or PC on the same WiFi network. This old tutorial by Extra Future again omits the user ‘mobile’; change that password too. However, it’s highly recommended to change the passwords directly on the iPhone before activating OpenSSH (see “Five important hints” below)!

Further reading

Five important hints

  1. Note: If you mess something up or forget your new passwords, you’ll probably have to do a factory reset on your phone.
  2. Disabling SSH in SBSettings is not enough, because it reactivates on its own after a restart of the iPhone or on other occasions (e.g. a “respring” of the patched SpringBoard app), and you probably won’t notice. SBSettings (Cydia link) is a switchboard app available after jailbreak. See Wikipedia on SpringBoard.
     [Screenshot: SSH switch in 'SBSettings' on a jailbroken iPhone]
  3. Most important! <paranoia mode ON> If the iPhone has already been on the net with the default passwords, it could well have had a nasty backdoor and rootkit installed, and now be 0wn3d by some botnet. Changing the SSH passwords at this point does nothing to clean up that mess! The only sure way to clean up is to reinstall a new OS using DFU mode (Device Firmware Update) and set up the device as new (iClarified: How to Put an iPhone Into DFU Mode). </paranoia mode OFF>
  4. If you don’t need it any more, delete OpenSSH immediately via Cydia and restart the iPhone, because most passwords are weak! **)
  5. Note: Any Apple iPhone operating system update or restore will set the passwords for both accounts “root” and “user” back to the well-known defaults “alpine” and “dottie”, respectively.

*) How to establish whether or not SSH Daemon is installed

  1. Open Terminal.app (on Mac OS X) or Mobile Terminal (on jailbroken iPhones; Cydia link)
  2. Type which sshd (and nothing else) after the prompt ($); “sshd” means “secure shell daemon”
  3. Hit Return key
  4. Terminal will tell you in the next line something like “/usr/sbin/sshd” when SSH is installed, otherwise you’ll get an error message
  5. Quit Terminal by typing exit after the prompt and hit Return

Note that Mac OS X includes OpenSSH by default.
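
The check from the steps above, combined with the default-password condition from the hints, as an added example that is not part of the original article. It assumes the password hashes sit in field 2 of a passwd-style file (the location /etc/master.passwd on the phone is an assumption); the function names are hypothetical and the hash values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Hash values are constructed
# placeholders: copy the real ones from field 2 of an untouched stock
# password file of the same firmware.
KNOWN_DEFAULT_HASHES="PLACEHOLDER_DEFAULT_HASH_ROOT PLACEHOLDER_DEFAULT_HASH_MOBILE"

# "which sshd" from the steps above; optional $1 overrides the search path.
find_sshd() {
    ( [ -n "$1" ] && PATH=$1; command -v sshd )
}

# Print each of root/mobile whose hash field is still a listed default.
# $1 = passwd-style file (name:hash:uid:...).
default_password_accounts() {
    for account in root mobile; do
        hash=$(awk -F: -v u="$account" '$1 == u { print $2; exit }' "$1")
        [ -n "$hash" ] || continue
        case " $KNOWN_DEFAULT_HASHES " in
            *" $hash "*) echo "$account" ;;
        esac
    done
    return 0
}

# One verdict line: $1 = password file, $2 = optional sshd search path.
audit() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 2; }
    stale=$(default_password_accounts "$1")
    stale=$(echo $stale)   # join lines with single spaces
    if [ -z "$stale" ]; then
        echo "OK: root and mobile do not use a listed default password"
    elif find_sshd "$2" >/dev/null; then
        echo "CRITICAL: sshd installed, default password on: $stale"
    else
        echo "WARNING: default password on: $stale (sshd not found)"
    fi
}

# Constructed sample: root was changed, mobile still carries a default.
sample=$(mktemp)
printf '%s\n' \
    'root:CHANGED_HASH_EXAMPLE:0:0::0:0:System Administrator:/var/root:/bin/sh' \
    'mobile:PLACEHOLDER_DEFAULT_HASH_MOBILE:501:501::0:0:Mobile User:/var/mobile:/bin/sh' \
    > "$sample"
audit "$sample"
rm -f "$sample"
```

Run audit against the real password file again after every OS update or restore, since those reset both passwords to the defaults.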

**) Recommended Password Assistant in Mac OS X (10.4 Tiger or newer)

Access with the Key icon

  1. Choose System Preferences… from the Apple menu
  2. Look for the headline System, click Accounts; then click the Password tab
  3. To access Password Assistant, click the Key icon you see when changing or adding a password to a user account (see note below)

The assistant can create the following types of passwords:

  • Memorable (the most useful and recommended)
  • Letters & Numbers
  • Numbers Only
  • Random
  • FIPS-181 Compliant (not recommended but better than nothing)

Mac OS X Password Assistant

A slider adjusts the length, and a bar graph shows the quality and security of your generated password. Security experts do not recommend creating a Password hint.

Additionally you’ll get some tips when your password is too weak.

Note: You actually don’t need to add or change an OS account if you just want a password generated by the Mac OS X Password Assistant; when you’ve got the password(s) close the assistant window with the hidden red x in the window’s title bar (top left) and hit Cancel in the untitled higher-ranking window (with the Key icon and Password hint text field). Close System Preferences. Nothing will be changed or added.

iPhone app '1Password Pro', Password Generator

For mobile devices there is a password generator available in the highly rated third-party app 1Password Pro (free until December 1st, 2009). App Store Link.

There are several web-based password generators on the net, but be careful with them; they could be malicious. Recommended:

Gibson Research Corporation:
GRC’s Ultra High Security Password Generator

General tip

Avoid ambiguous characters like capital letter O and number 0, letters I, l, i, j, number 1 and special characters like | (alt+7), /, \, -, –, — and _, ‘, ` and ´, those can be easily confused when reading, writing and typing.

Abstract

As far as is currently known, iPhones that are not jailbroken are safe from worm infestation. Jailbroken iPhones on which OpenSSH is not installed are safe too, as are those on which OpenSSH is installed but the two passwords were changed (see above) before the devices were connected to the internet (via Wi-Fi or cellular) or connected via Bluetooth to other online devices.

Last updated on December 19, 2009


Changes, errata, additions

1 December 2009, added:
“…and restart the iPhone” at “Five important hints”, Item 4

1 December 2009, added:
Last column: “Changes, errata, additions”

19 December 2009, added:
Screenshots, Abstract
