iOS WiFi default hotspot password can be cracked in under a minute


Plenty of us use the WiFi hotspot capabilities of our smartphones on a daily basis, helping us get online with laptops, gaming systems, or other devices without their own cellular radios. Like setting up any WiFi network, part of using hotspots involves setting up a password, keeping your little impromptu network secure. Unfortunately, it seems that the default password generation behavior in iOS has some serious flaws, and as currently implemented in iOS 6 (presumably, this is still an issue with the 7 beta), creates passwords that can be cracked in about 50 seconds.

Normally, iOS suggests a hotspot password consisting of a word followed by a four digit number. On its own, that’s not a particularly robust way to choose passwords, but at least it would take a while for an attacker to try guessing every possible combination.

The problem is how Apple chooses those words. Security researches looking into the scheme have discovered that Apple’s only pulling from a base dictionary of 1,842 words. Even with those, the distribution is all messed up, and some are far more likely to be selected for a password than others (see chart below).

As a result, all an attacker needs to run is those 1,842 words, along with the 10,000 variations you get from the four-digit number appended, and he’s going to find your password. That still may sound like a lot of cracking to do, but with modern hardware, those 18.5 million combinations only take 50 seconds or so. And that’s with only four GPUs doing the number crunching – scale the hardware up, and even less time will be needed. Just moving to a better GPU knocked it down to 24 seconds.

Beyond someone using this to steal bandwidth from your phone, it’s also possible it could be used to stage a man-in-the-middle attack against data being sent between your phone and laptop.

How do you avoid being a victim? Easy. Just don’t use Apple’s default password suggestion, and choose a stronger one of your own.

wifi-chartSource: Andreas Kurtz, Felix Freiling, Daniel Metz (PDF)
Via: GigaOM

Share This Post
What's your reaction?
Love It
Like It
Want It
Had It
Hated It
About The Author
Stephen Schenck
Stephen has been writing about electronics since 2008, which only serves to frustrate him that he waited so long to combine his love of gadgets and his degree in writing. In his spare time, he collects console and arcade game hardware, is a motorcycle enthusiast, and enjoys trapping blue crabs. Stephen's first mobile device was a 624 MHz Dell Axim X30, which he's convinced is still a viable platform. Stephen longs for a market where phones are sold independently of service, and bandwidth is cheap and plentiful; he's not holding his breath. In the meantime, he devours smartphone news and tries to sort out the juicy bits Read more about Stephen Schenck!