The ability to turn your iPhone into a Wi-Fi hotspot is a fantastically useful little tool in and of itself. When setting up a personal hotspot on their iPad or iPhone, users have the option of allowing iOS to automatically generate a password.
According to a new study by Researchers at the University of Erlangen in Germany, iOS-generated passwords use a very specific formula one which the experienced hacker can crack in less than a minute.
Using an iOS app written in Apple's own Xcode programming environment, the team set to work analyzing the words that Apple uses to generate its security keys. Apple's hotspot uses a standard WPA2-type process, which includes the creation and passing of pre-shared keys (PSK).
They found that the default passwords are made up of a combination of a short dictionary words followed by a series of random numbers and this method actually leaves them vulnerable to brute force attack.
The word list Apple uses contains approximately 52,500 entries. Initially it took almost 50 minutes to crack the password and they found that not even all the entries were being used, only a small subset of 1,842 different words were considered.
Part of their success was due to advancements in hacking hardware, they used a GPU cluster consisting of four AMD Radeon HD 7970s that let them finish each job within 50 seconds. Although this kind of hardware is out of reach of most users, they said similar tools are easily accessed through today's cloud computing technologies.
iPhone Hotspot Password Cracker app is available here,"This app assists in generating an iOS hotspot cracking word list, which might be used in subsequent attacks on other hotspot users. The app also gives explanations and hints on how to crack a captured WPA2 handshake using well-known password crackers. Future releases might also automate the process of capturing and cracking hotspot passwords. As computing power on smart devices is limited, one solution is to involve online password cracking services like CloudCracker, to crack hotspot passwords on-the-fly."
Cracking #iPhone Hotspot password in 50 Seconds | #Download > https://t.co/x9hHMfQD7T #Security #pentest | pic.twitter.com/3KVgA47wHA
— The Hacker News™ (@TheHackersNews) June 20, 2013
The reason iOS and other mobile platforms generate passwords automatically is to avoid having users set up hotspots without any encryption. But how do you avoid being a victim? Easy. Just don't use Apple's default password suggestion, and choose a stronger one of your own.