
If my iPhone was jailbroken and I plugged it into a computer controlled by the hacker, unlocked the phone, and clicked "trust this computer" to share photos with it, would it be realistic for a typical script kiddie to hack into my iPhone or is that something only a more sophisticated hacker would be capable of?

EDIT: "Script kiddie" defined as someone who doesn't understand that you can't use a rootkit on a Bitlocker protected computer without being detected.

genealogyxie
  • Why are you asking this? I smell an [X-Y problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) (it also makes your question broad, speculative and maybe opinion-based, so you risk it getting closed). – Jun 28 '16 at 15:11
  • If you have ssh enabled on your jailbroken iPhone and never changed the root password, it would be trivial to do. Like the other commenters, I will need you to define what you mean by script kiddie. Most script kiddies depend on stuff written by other people to do the heavy lifting. – Richie086 Jun 28 '16 at 17:39

2 Answers


A key point in the definition of 'script kiddie' is that they can run scripts but don't necessarily understand how or why the scripts work.

So yes, absolutely. If you have a vulnerability on your phone, your attacker can run an exploit that will gain access. They may not know how it works; they may just try a bunch of exploits hoping one will succeed.

There is very little any more that is only breakable by a "sophisticated hacker" because they sell packaged exploits to unsophisticated attackers.

Rory Alsop
  • How is this specific to jailbroken phones? IMHO your answer applies to any systems, and in particular poorly updated ones (whether it is owner's, carrier's or provider's fault), not specifically "jailbroken" ones. – WhiteWinterWolf Jun 29 '16 at 09:39
    Exactly right Wolf! It does apply to any systems. That's the point. – Rory Alsop Jun 29 '16 at 09:44
  • This is a good response, but I'd improve it a little bit. A vulnerability would have to be remotely accessible, say an exposed service listening on `0.0.0.0/0`, or client-side, meaning the exploit would need a client to visit a certain page/server/whatever, and then execute the exploit in their client. If the vulnerability existed only client-side, and you never visited with the client, fat chance of that happening. Likewise, if the exploit requires remote access, but you shut down only remote access, there's no chance of that being exploited except during local privilege escalation. – Mark Buffalo Dec 13 '17 at 03:24

Is it realistic? Let's go beyond "plugged in to a computer."

This depends on several factors:

  1. Are you running unpatched software? Seriously?
  2. Is there a remotely-accessible service running on a specific port that's exposed to 0.0.0.0/0, or any IP range that would also include the attacker's IP?
  3. Is it client-side, which would require an attacker to send you a URL, or get you to connect with Client X to Server A to execute the payload in your client?
  4. Is there publicly-available exploit code, such as a metasploit module, or something they can find on sites such as exploit-db, or are they able to buy some cheap (haha) exploits on the dark net?

    use exploit/osx/remote/script_kiddie_module_cve2018-1337

    set RHOSTS 192.168.13.37 [assume this is your IP]

    run

    HAHAHAHAHAHA I'M HACKING THE INTERNET

  5. Do you have some kind of service misconfiguration you've set up that that allows remote access with anonymous, default or weak credentials to ftp, ssh, telnet, etc?

Answer the questions above:

  • If your answer is yes to 1, 2, and 4, then yes, they can very easily do that.

  • If your answer is yes to 1, 3, and 4, then yes, they can do that provided you connect to their client-side-exploiting service/server/whatever.

  • If your answer is yes to 5, then yes, but it depends.

    • If you're running an FTP server with default/weak/anonymous credentials, and a WWW server on your iPhone (why the hell would you do that? You've jailbroken, so none of this would surprise me), then they could get a privileged or low-privileged shell access to your iPhone. If it's privileged (again, why would you run any of this as root/etc?), then very easily. If it's not, then they would need a local privilege escalation exploit of some kind in order to get access.
    • If you're running an ssh or telnet service with default/easy root/admin credentials, prepare your diddly ports.

It's very realistic, so you should start auditing your stuff.

Connect your iPhone to the home network via WiFi, use nmap from another system, and see what ports are open on your phone. See what's being exposed via TCP and UDP (-sU), and check whether there are exploits available for the detected services.

Remember, when you connect your phone to any network, an attacker squatting on said network can scan and perform attacks against your devices. This could be airport WiFi, restaurant WiFi, your home network, or even the entire internet if you're not behind some form of NAT.

Mark Buffalo
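An added example (not code from any answer on this page): a small Python triage that reads nmap's grepable output (`-oG`) from the self-audit scan described in the answer above and maps each open port onto the answer's checklist (item 2, a remotely reachable service; item 5, a remote-login service that may still carry default credentials). The scan output embedded here is a constructed sample with made-up banners, and 192.168.13.37 is the placeholder address the answer itself uses.

```python
# Constructed sample of `nmap -sS -sU -sV -oG - 192.168.13.37` against a jailbroken
# phone that left FTP, SSH and a web server running. Fake banners, not a real scan.
SAMPLE_NMAP_OG = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.13.37 ()\tStatus: Up\n"
    "Host: 192.168.13.37 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "22/open/tcp//ssh//OpenSSH 6.9 (protocol 2.0)/, 80/open/tcp//http//lighttpd 1.4/, "
    "5353/open|filtered/udp//zeroconf///\tIgnored State: closed (1996)\n"
    "# Nmap done (constructed sample)\n"
)
REMOTE_LOGIN = {"ftp", "ssh", "telnet"}   # checklist item 5: default/weak credentials
WEB = {"http", "https", "http-alt"}       # checklist item 2: exposed service

def parse_nmap_grepable(text):
    """Return {ip: [(port, proto, state, service, version), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # -oG port fields: port/state/proto/owner/service/rpc/version
            fields = entry.strip().rstrip("/").split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            version = fields[6] if len(fields) > 6 else ""
            hosts.setdefault(ip, []).append((int(port), proto, state, service, version))
    return hosts

def triage(hosts):
    """Map every open port to the checklist item it trips and what the owner should do."""
    report = []
    for ip, ports in hosts.items():
        for port, proto, state, service, version in sorted(ports):
            if not state.startswith("open"):      # "open|filtered" (UDP) still counts
                continue
            if service in REMOTE_LOGIN:
                item, action = 5, f"{service} exposed: confirm the root/admin password is not the default, or stop the daemon"
            elif service in WEB:
                item, action = 2, "web server exposed: disable it unless the phone really needs to serve pages"
            else:
                item, action = 2, "reachable service: look up the banner for public exploits, then patch or close"
            report.append({"host": ip, "port": port, "proto": proto, "service": service,
                           "version": version, "item": item, "action": action})
    return report

if __name__ == "__main__":  # print the triage for the constructed sample
    print(*triage(parse_nmap_grepable(SAMPLE_NMAP_OG)), sep="\n")
```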