Jailbreaking puts iPhone owners at risk

Pwn2own winner Charlie Miller says modified iPhones lack security defenses and are therefore easier to hijack

Jailbroken iPhones are much easier to hijack, a noted security researcher said today, and the proof is in the worm that has infected some Australian phones.

The worm, known as "ikee," has been billed as the first iPhone worm, a title that Charlie Miller, famous for hacking iPhones and Macs, said is accurate. "I'd say it was a worm," said Miller. "It spreads, and it executes remote code, so it's a worm." Miller also agreed that it was the first, saying that although he and others have crafted exploits that compromise the iPhone, they have never been wrapped into a worm.

[ Looking for business-class iPhone apps? Start with InfoWorld's free, interactive iPhone app finder. It separates the wheat from the chaff and makes it easier to find iPhone apps for business and IT users. | Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Miller, formerly with the National Security Agency and now an analyst with Baltimore-based ISE (Independent Security Evaluators), was one of three researchers who uncovered the first iPhone vulnerability in July 2007, just weeks after Apple debuted the smartphone. He's also known for successfully hacking Macs two years running at the annual "Pwn2own" contest, and is the co-author of The Mac Hacker's Handbook .

The ikee worm was released last Wednesday by Ashley Towns, a 21-year-old unemployed programmer from Wollogong, Australia, who told the IDG News Service that he intended it as a prank, and as a lesson to users who jailbroke their iPhones.

Miller, however, said that the lesson is more than the one Towns maintained: That users should change the default password of the SSH (secure shell) Unix utility. Towns' worm accessed others' iPhones using that default password, then changed their devices' wallpaper. SSH lets users connect to their iPhone remotely over the Internet over a encrypted channel.

"A year ago, I didn't think that jailbroken iPhones were less secure than those that weren't jailbroken," said Miller. "But I've changed my mind."

By jailbreaking an iPhone -- the term describes the process of modifying a device so its owner can download and install unauthorized software -- people leave themselves open to attacks that an unaltered iPhone would easily deflect, said Miller.

"The obvious reason why they're less secure is that you get extra software on the iPhone when you jailbreak," noted Miller, referring to the tools necessary to both hack the smartphone and install applications not approved by Apple. "But there are other, less-obvious reasons, too."

Among the latter is the fact that by design, a jailbroken iPhone allows software to run as "root," the Unix-based user account allowed to access the entire operating system. That gives hackers automatic access to everything on the iPhone, something not possible on a standard iPhone without an existing vulnerability and a working exploit.

"Jailbroken iPhones don't obey the security model of the iPhone," Miller said. "The whole point [of jailbreaking] is to break the security model."