iPhone and iPad users who use their iOS device to share a 3G/4G connection are being advised to change the default Mobile Hotspot password, after researchers showed it was possible to crack them in under sixty seconds. Apple supplies mobile hotspot users with a preconfigured password when they enable the feature, but the default is generated from a limited number of dictionary words, researchers at the University of Erlangen in Germany discovered. With some GPU-accelerated brute-force shuffling, the team managed to break into any iOS hotspot using the default password within 50s.
Key to the security loophole is the method by which Apple generates the pre-configured codes. The company begins with a list of around 52,500 4-6 character words (which were apparently shared with an open-source Scrabble crossword game), the paper, Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots [pdf link] says. iOS then appends a four digit, randomly created number to the word.
By intercepting the WiFi handshake, and trying a brute-force attack where all possible combinations were tried in short order, the researchers were able to come up with any potential password based on those conditions. However, it took them around 49 minutes to do so.
Further exploration, though, revealed that though Apple has 52,500 words to choose between, iOS only in fact picks from 1,842 of the options on the list. Based on that assumption, the researchers could trim their attack by more than 96-percent, and – by also using a faster brute-force setup – cut down the hack time to less than a minute. Interestingly, iOS seems to prefer “suave”, “subbed”, and “headed” for its word of choice.
The exact speed of the crack is very much dependent on what processing power you have available at the time. To achieve the sub-50s rate, the researchers needed to call upon the combined power of four AMD Radeon HD 7970 GPUs: that’s not likely to be something your average hacker in a coffee shop will be carrying.
Nonetheless, the team suggests that all iOS users should change the default password iOS suggests to one of their own alternatives. As for rival platforms, brief analysis of Windows Phone 8 indicates Microsoft only uses a randomly generated 8-digit number, and thus could also be susceptible to cracks.
Android security, though, is at the mercy of manufacturers. While the researchers discovered that Google’s official build comes up with highly secure passwords, based on Java’s UUIDs, they also found that some OEMs change the default to something more straightforward (such as “1234567890” on HTC phones) and thus introduce potentially exploitable flaws.