TL;DR summary

Change your iPhone’s root and mobile account passwords immediately after installing OpenSSH! In fact, ideally do so using MobileTerminal before installing OpenSSH.

Long version

So I’m pretty embarrassed. I found out in December (by complete chance) that my iPhone 3GS was infected with the Ikee worm, and had been ever since July 7th 2011 (5 months!). I happened to be browsing the phone’s crash logs (at /System/) and noticed recent and repeated crashes by a process named poc-bbot. “A filename containing ‘poc’ and ‘bot’? Gotta be fishy,” I thought. And Google very quickly confirmed my fears: poc-bbot is the main binary of Ikee.A, .B and .C.

Now I’ve never seen the gurning fizzog of Mr. Astley as my lockscreen background, so evidently the virus never managed to deploy its payload. My hypothesis is that it was written when iOS 3 was current, and changes in iOS 4 rendered it ineffective.

The good news is that removal is quite trivial, and the only cost to me appears to have been poor battery life for the last 5 months. But how did it get in? I consider myself pretty diligent regarding security. Well, this worm operates by scanning IP address ranges looking for iPhones and, when one is found, attempting to log in via SSH using the default root password, alpine.

If your phone is not jailbroken you won’t even have an SSH server installed, let alone running, so the worm only affects jailbroken phones. Checking datestamps of various files shows that I jailbroke my phone on July 6th 2011 and installed OpenSSH, then the following day changed the passwords for the two accounts. Evidently, then, I was infected in this 12-hour-or-so window between installing the SSH server and changing the default password.
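The two checks described above, as an added example that is not part of the original post: a small triage helper that counts crash reports per process and flags the ones worth a closer look (a known Ikee indicator such as poc-bbot, a name containing the tokens ‘poc’ or ‘bot’, or a process that keeps crashing), plus a helper that turns the two file datestamps (OpenSSH installed, passwords changed) into the length of the exposure window. The crash-report filename pattern, the device name and every listing entry are constructed assumptions for the sake of the example.

```python
"""Triage helper for a jailbroken iPhone: flag suspicious crash reports and
size the window during which sshd accepted the default password.
Added example; not code from the original post."""
import re
from collections import Counter
from datetime import datetime

# Assumed crash-report naming pattern: <process>_<YYYY-MM-DD-HHMMSS>_<device>.crash
CRASH_NAME = re.compile(
    r"^(?P<proc>[^_]+)_(?P<ts>\d{4}-\d{2}-\d{2}-\d{6})_[^.]+\.crash$"
)

# Process name the post identifies as the Ikee binary; extend with your own indicators.
KNOWN_BAD = {"poc-bbot"}
# The author's own gut heuristic: tokens that make a process name look fishy.
SUSPICIOUS_TOKENS = ("poc", "bot")

# Constructed sample directory listing (hypothetical device name "Sample-iPhone").
SAMPLE_LISTING = [
    "MobileSafari_2011-12-01-101530_Sample-iPhone.crash",
    "poc-bbot_2011-12-02-031122_Sample-iPhone.crash",
    "poc-bbot_2011-12-02-171503_Sample-iPhone.crash",
    "poc-bbot_2011-12-03-030955_Sample-iPhone.crash",
    "LowMemory-2011-12-01-120000.log",  # not a crash report; skipped
]


def parse_crash_name(name):
    """Return (process, timestamp) for a crash report filename, or None."""
    m = CRASH_NAME.match(name)
    if not m:
        return None
    return m["proc"], datetime.strptime(m["ts"], "%Y-%m-%d-%H%M%S")


def crash_counts(names):
    """Count crash reports per process, ignoring files that are not crash reports."""
    counts = Counter()
    for name in names:
        parsed = parse_crash_name(name)
        if parsed:
            counts[parsed[0]] += 1
    return counts


def flag_suspicious(counts, repeat_threshold=3):
    """Map each process worth reviewing to the list of reasons it was flagged."""
    flagged = {}
    for proc, n in counts.items():
        reasons = []
        if proc in KNOWN_BAD:
            reasons.append("known Ikee indicator")
        for token in SUSPICIOUS_TOKENS:
            if token in proc.lower():
                reasons.append(f"name contains '{token}'")
        if n >= repeat_threshold:
            reasons.append(f"{n} repeated crashes")
        if reasons:
            flagged[proc] = reasons
    return flagged


def exposure_window_hours(sshd_installed, passwords_changed):
    """Hours during which sshd accepted the default password.
    A negative value means the passwords were changed before sshd existed."""
    return (passwords_changed - sshd_installed).total_seconds() / 3600


if __name__ == "__main__":
    counts = crash_counts(SAMPLE_LISTING)
    for proc, reasons in flag_suspicious(counts).items():
        print(f"{proc}: {', '.join(reasons)}")
    # Constructed datestamps standing in for the two files' mtimes.
    hours = exposure_window_hours(datetime(2011, 7, 6, 20, 0), datetime(2011, 7, 7, 8, 0))
    print(f"default password was accepted for {hours:.1f} hours")
```

On a real device, feed `crash_counts` the listing of the crash-report directory and `exposure_window_hours` the modification times of the sshd binary and of the password database; a positive window means the phone was reachable with the default credential for that long.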

Now why didn’t I change the passwords first, you ask? Well, there is but one app for iPhone that provides a local terminal window – MobileTerminal – and for reasons unclear the version available in one of the default Cydia repositories does not run on iOS  and higher. Consequently, at the time I thought that it was no longer supported and I was SOL. The only other way to change the password was to log in via SSH using the default password, then change it immediately; this was the route I chose, but I was foolish not to do so immediately after installing OpenSSH.

Moral of the story? Either isolate the phone from the internet before starting up OpenSSH, or try harder to get MobileTerminal installed!