
Wednesday, Aug 04, 2010

Jailbreak SSH horrors strike back

Back in 2009 the “ikee” rick-rolling worm went around the iPhone world via the password of ‘alpine’ on the root account. You are now warned to change your root password when you pop into Cydia and Rock the first time. But this thing just won't stay down.

If you have jailbroken your iPad you might want to check out a little file called “master.passwd”. In it, there is another user called ‘mobile’ which has been pointed out since 2008 (here) on the iPhone as another account to change the password of. But the media and Cydia/Rock warnings only put emphasis on ‘root’.

Many iPad and iPhone apps STILL do not use the “keyring” and store your password in plain text or somewhere in a binary file (still plaintext), which the user “mobile” has access to.


Ok, “so what” you say. Since this recent jailbreak was using a website, the individuals running that site now have the IP addresses of freshly jailbroken iPhones and iPads. I am certainly not saying that they have any ill intentions, but sites have been broken into before, and that would be one hell of a gold mine.

Hopefully AT&T has put in blocks of some sort so that its customers are protected, but who knows what the other countries around the world that carry iPhones are doing.

But at the very least, if you have jailbroken your iPhone, iPod Touch or iPad, please, please set your passwords accordingly and do not use a simple dictionary password.

Remember, you ARE giving up some security when you jailbreak your phone. It is on you to make sure that you lock what you can back down.

To change your password, use 'Terminal' and log in to one account at a time and issue the "passwd" command. You can also just log in to root and issue the "passwd mobile" command to change the password of mobile.
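
The point above, that ‘mobile’ is a second login account sitting next to ‘root’ in master.passwd, can be checked against a copy of the file. This is an added example, not part of the original post; the sample entries, placeholder hash strings and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the 10-field BSD master.passwd layout; the hash
# strings are placeholders, not values from a real device.
SAMPLE = """\
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:PLACEHOLDERaa:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:PLACEHOLDERaa:501:501::0:0:Mobile User:/var/mobile:/bin/sh
"""
NO_LOGIN_SHELLS = {"/usr/bin/false", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def login_accounts(text):
    """Yield (name, hash) for entries with a login shell and an unlocked password."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) != 10:
            continue
        name, pw_hash, shell = fields[0], fields[1], fields[9]
        if shell not in NO_LOGIN_SHELLS and not pw_hash.startswith(("*", "!")):
            yield name, pw_hash

def audit(text):
    """Return {account: [notes]}; every key is an account whose password matters."""
    findings, by_hash = {}, defaultdict(list)
    for name, pw_hash in login_accounts(text):
        findings[name] = [] if pw_hash else ["empty password field"]
        by_hash[pw_hash].append(name)
    for pw_hash, names in by_hash.items():
        if pw_hash and len(names) > 1:  # identical salt+hash means identical password
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings[name].append("same password hash as " + others)
    return findings

if __name__ == "__main__":
    for account, notes in audit(SAMPLE).items():
        print(account, "->", "; ".join(notes) or "has its own password hash")
```

Changing only root's password removes the shared-hash note, but ‘mobile’ still shows up as an account that accepts a password login.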

Friday, Jun 25, 2010

Get off my lawn! iPhone Geo Blocking

I was recently approached by savant, who told me that a bunch of my Twitpics had geo location in them. Larry Pesce from PaulDotCom has been doing research in this field for a while and each time he brought it up I casually checked a couple of my Twitpics and came up empty handed.

But, he gave me exact references, so I went to Twitpic to check them out for myself.

I was surprised to see that Twitpic actually has an option to show all the “Places I’ve Been”:


Hopeful, I clicked:


Sweet! All of my images are clean right?

But, like I said, the individual gave specific references of images. So, I pointed trusty “Jeffrey’s Exif Viewer” at one of the images that they told me about and, sure enough, it had location data in it.

At a recent NoVA Hackers meetup there was a presentation on Geo forensics on mobile phones that was really enlightening, but very depressing for iPhone users like myself. For us, you can either have Location Services (GPS) on, or off. In other words, if you wanted to take a picture without geo information, you would have to open your settings, go into General, and switch Location Services to off. Then, when you wanted to use Google Maps to find something, you’d have to turn it back on.

Complaints of a lazy person, I know, but remembering to check, and / or going through those steps each time I wanted to find a place or take a picture was a bit beyond my tolerance level.

iPhone OS 4.0 to the rescue: (calling it iOS 4 is just confusing re:cisco)

One of the coolest new features is app based control of geo information. So go to Settings –> General –> Location Services and turn Camera (and any other app you take photos with) OFF.


PS: You probably don’t need those pics sitting on Twitpic after your Tweet has come and gone. Might as well delete them. ;-) Sorry guys, I hope you have local copies.
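
The check an Exif viewer performs in the post above, done locally before a photo is uploaded: find the Exif segment in a JPEG, follow the GPS directory pointer and decode the position. This is an added example, not part of the original post; the function names and the sample image header built by `sample_jpeg()` are constructed for illustration.

```python
import struct

def exif_tiff(jpeg):
    """Return the TIFF blob of the first APP1/Exif segment, or None."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, size = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return jpeg[pos + 10:pos + 2 + size]
        if marker == 0xDA or size < 2:  # start of scan, or a corrupt length
            break
        pos += 2 + size
    return None

def read_ifd(tiff, off, e):  # tag -> (type, count, 4 raw value bytes)
    n = struct.unpack_from(e + "H", tiff, off)[0]
    return {t[0]: t[1:] for t in struct.iter_unpack(e + "HHI4s", tiff[off + 2:off + 2 + 12 * n])}

def gps_tags(jpeg):
    """Return decoded GPS tags {tag: value}; empty when there is no GPS directory."""
    tiff = exif_tiff(jpeg) or b""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte order
    ptr = read_ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e).get(0x8825) if e else None
    if ptr is None:  # 0x8825 is the IFD0 tag holding the GPS directory offset
        return {}
    out = {}
    for tag, (typ, cnt, raw) in read_ifd(tiff, struct.unpack(e + "I", ptr[2])[0], e).items():
        if typ == 2:    # ASCII, inline when it fits in 4 bytes (N/S/E/W refs do)
            out[tag] = raw[:cnt].rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:  # RATIONAL pairs stored at the offset held in raw
            n = struct.unpack_from(e + "II" * cnt, tiff, struct.unpack(e + "I", raw)[0])
            out[tag] = [a / b if b else 0.0 for a, b in zip(n[::2], n[1::2])]
    return out

def location(jpeg):
    """Return (lat, lon) in decimal degrees, or None when no position is embedded."""
    g = gps_tags(jpeg)
    if not set(g) >= {1, 2, 3, 4}:  # LatitudeRef, Latitude, LongitudeRef, Longitude
        return None
    dd = lambda dms, ref: (dms[0] + dms[1] / 60 + dms[2] / 3600) * (-1 if ref in ("S", "W") else 1)
    return dd(g[2], g[1]), dd(g[4], g[3])

def sample_jpeg():
    """Constructed input, no pixel data: Exif GPS block for 38 53' N, 77 2' W."""
    ent = lambda *f: struct.pack("<HHI4s", *f)  # offsets: GPS IFD at 26, values at 80 and 104
    tiff = b"II*\0\x08\0\0\0\x01\0" + ent(0x8825, 4, 1, b"\x1a") + bytes(4) + b"\x04\0"
    tiff += ent(1, 2, 2, b"N") + ent(2, 5, 3, b"\x50") + ent(3, 2, 2, b"W") + ent(4, 5, 3, b"\x68")
    tiff += bytes(4) + struct.pack("<12I", 38, 1, 53, 1, 0, 1, 77, 1, 2, 1, 0, 1)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

`location(open(path, "rb").read())` returning `None` means the file carries no GPS position; a truncated or malformed Exif block raises `struct.error` rather than being reported as clean.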

Monday, Feb 23, 2009

My iPhone runs Windows

(This is the 3rd time I am writing this post, FF Fail, then Word crashed, so please excuse the lack of passion)

The moment that PDANet published that they released an updated version that allows USB tethering, I ran home and “QuickPWNd” my phone (which took all 5 minutes). Loaded the app and now I had the coveted TETHERING. I was free of my bind to Comcast or Free Public Wifi. However, over the next few months, my iPhone started getting slower and slower to respond. Crashes happened on apps that never had a problem before (including Safari). It would even crash on incoming calls.

5 minutes ago (now more like 20), I had it crash again and slow responsiveness down to unbearable speeds (2 minutes from touch to fully started app). That is when I had an internal debate: Would I go home and de-PWN it, or deal with it? With that same thought I realized that at the core of most of the technologies we use today, Windows, Twitter, MySpace (now Facebook), is an underlying need, freedom, or other feature that they provide that makes them ‘bearable’.

Twitter’s FAIL WHALE is famous because Twitter crashes or is down A LOT. Why do you still use it? Windows is an utter mess of code and BSOD even had a hardware device made for it. Why do you still use it? ...you get the point.

I’m not going to revert my iPhone back. You know why? Because the freedom that it provides me (like typing a blog post for the 3rd time going 65 miles an hour in the back seat of a car) is worth it, to me.