So, what is this attack vector? It turns out that it runs only on jailbroken phones, and exploits a root password that is apparently left in a known state by at least certain jailbreak kits. To attack an iPhone with this technique, therefore, one must:
- Find an iPhone that has been "jailbroken" – prepared by the phone's user in advance of the attack in order to allow applications not approved by Apple to run on the phone;
- Discover that (a) the particular jailbreak technique used by the specific victim in advance of the attack involved permanently enabling an OpenSSH server, a tool for remotely accessing Unix machines for a command-line interface (note that the fact that OpenSSH can be run on phones isn't itself a security problem – OpenSSH is designed for secure remote access, so the rest of the idiocies decribed herein are absolutely essential to the attack's success); (b) the intended victim's OpenSSH server is configured to allow login by the user "root" (the administrative or "super" user, whose user ID is "0"; even if typical users did need their phones to offer a remote shell access -- and they manifastly don't -- why can't the jailbreak kit vendors at least script for the use of low-privileged users?), and (c) the password of the enabled root account is already known to the attacker (and I stress here that it is well publicized to OpenSSH users that OpenSSH is easily configured to prohibit login by the user "root", making this whole scenario impossible if only one cares a little about what one is doing, even if one wants for some reason to leave an OpenSSH server running on a phone), because the user's jailbreak kit made no effort to induce users to employ a hard-to-guess password and simply left every affected phone with the exact same, easily learnable, password for root;
- login as root and execute any application one wants, including file transfer applications and applications that try to replicate this attack on other machines in the hope the other machine is a jailbroken iPhone with a braindead root password.
Purveyors of jailbreak kits have at least as much blame to bear. Why on Earth need jailbreak kits fail to demand users enter a strong password, or else refuse to proceed? In fact, why on Earth bother to leave an OpenSSH server running at all on a phone? Getting a remote shell on another machine doesn't require one run the server, just the client -- and who interacts with their own iPhone via a command line interface?
Lastly, we wonder why it is that Apple gets blamed for these shennanigans. Perhaps the certainty that Apple would be blamed despite fault explains Apple's decision to create a system that makes worms impossible unless users dismantled it on purpose.