When it comes to Apple’s iOS-generated hotspot passwords, they might not be as secure as you think. Researchers at the University of Erlangen in Germany have discovered a flaw in the automatically generated, seemingly random passwords used for Apple’s iOS hotspots that lets them be cracked in under sixty seconds.
When using an iOS device as a personal hotspot, users have the option to choose their own password to make their device more secure, but before that Apple supplies its own random password. The password is randomly generated so that if you don’t change it to your own choice of password, the default will still protect your phone from those attempting to access it.
The researchers in Germany, however, discovered that the method by which the passwords are generated actually leaves them vulnerable to attack. According to their research, each password is made up of a short dictionary word followed by a series of random numbers. That makes every password different, but still easy for an attacker to figure out, since the words are drawn from a limited list.
The researchers explained, “This list consists of around 52,500 entries, and was originated from an open-source Scrabble crossword game. Using this unofficial Scrabble word list within offline dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password.”
Of those 52,500 words, they found that not all the entries were even being used: only a small subset of 1,842 different words was considered. Basically, “any default password used within an arbitrary iOS mobile hotspot is based on one of these 1,842 different words.”
This, along with more advanced cracking hardware, let the researchers crack any iOS hotspot with an OS-generated password within 50 seconds. Although this kind of hardware is out of reach of most users, they said similar tools are easily accessed through today’s cloud computing technologies.
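The arithmetic behind that 50-second figure, as an added example that is not from the researchers or the original article: it computes the search space of a word-plus-digits default, the guess rate the reported time implies, and how long a uniformly random password must be to hold up against that same rate. The four-digit suffix and the sample passwords are assumptions; the article only says "a series of random numbers".

```python
import math
import re

# Figures stated in the article.
WORDS_IN_USE = 1_842       # words the defaults are actually drawn from
FULL_WORD_LIST = 52_500    # approximate size of the Scrabble-derived list
REPORTED_SECONDS = 50      # time reported to crack any default password

# Assumption (not stated in the article): the suffix is 4 decimal digits.
ASSUMED_DIGITS = 4

def structured_keyspace(words, digits=ASSUMED_DIGITS):
    """Number of candidates for one list word followed by random digits."""
    return words * 10 ** digits

def entropy_bits(keyspace):
    """Entropy of a uniform choice from a space of this size."""
    return math.log2(keyspace)

def implied_guess_rate():
    """Guesses/second needed to cover the default space in the reported time."""
    return structured_keyspace(WORDS_IN_USE) / REPORTED_SECONDS

def min_random_length(alphabet_size, target_seconds, rate):
    """Shortest uniformly random password whose full search exceeds the target."""
    length = 1
    while alphabet_size ** length < target_seconds * rate:
        length += 1
    return length

# Shape of a generated default under the assumption above, usable in an audit.
DEFAULT_SHAPE = re.compile(r"[a-z]+\d{%d}" % ASSUMED_DIGITS)

def looks_like_default(psk):
    """True if a password has the lowercase-word-plus-digits default shape."""
    return DEFAULT_SHAPE.fullmatch(psk) is not None

if __name__ == "__main__":
    rate = implied_guess_rate()
    for label, words in [("words in use", WORDS_IN_USE),
                         ("full list", FULL_WORD_LIST)]:
        space = structured_keyspace(words)
        print(f"{label}: {space:,} candidates, {entropy_bits(space):.1f} bits, "
              f"{space / rate:,.0f} s to exhaust")
    century = 100 * 365 * 24 * 3600
    print("random [A-Za-z0-9] length to outlast 100 years:",
          min_random_length(62, century, rate))
    # Constructed sample passwords, not real hotspot defaults.
    for psk in ("suave1234", "V7q#pL2m!xR9"):
        print(psk, "-> default-shaped" if looks_like_default(psk) else "-> ok")
```

Under these assumptions the default carries only about 24 bits of entropy, well below what its length suggests.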
So long story short, don’t use default passwords. Set your own, slacker.
Image Credit: Redmond Pie