According to a group of German researchers who are claiming to be able to crack iOS Personal Hotspot keys in less than a minute, the default generated passwords that are currently protecting the mobile hotspot feature of Apple’s iPhones and iPads are weak and flawed. In a paper titled “Usability vs. Security: The Everlasting trade-Off in the Context of Apple iOS Mobile Hotspots,” researchers from the University of Erlangen demonstrate that iOS generates weak default passwords for its mobile hotspot feature and showed that the code was susceptible to brute force attacks on the WPA2 handshake.
The paper continues by sharing that iOS generates its default passwords based on a word list of roughly 52,500 entries, though iOS apparently relies on about 1,842 of those entries. Additionally, the process for selecting words from the list is insufficiently randomized. This leads to skewed distribution of words that go into default passwords and the skewed distribution apparently makes it easier to crack a device’s password.
Using a GPU cluster with four AMD Radeon HD 7970s, the researchers claimed a 100% success rate in cracking iOS-generated passwords. Over the course of the experiment, the researchers got the time to retrieve a password down to around 50 seconds. The paper noted that “access to a mobile hotspot also results in access to services running on a device.” It points to apps such as AirDrive HD and other wireless sharing apps as the first easily accessible services once access to the device has been gained.
Aside from access to certain apps on the device, the paper also notes that computers and other smart devices connected to the hotspot could also be affected. Additionally, an attacker might be able to intercept messages passing between connected devices and the mobile hotspot. The researchers write that the entire process of identifying targets, de-authenticating wireless clients, capturing WPA handshakes, and cracking hotspot default passwords could easily be automated. The team even built an app called Hotspot Cracker in order to automate the word list generation process. The computing power necessary to brute force crack the password, they say, could be supplied by cloud computing services.
According to the paper, the tendency for device manufacturers to make their default hotspot passwords easily memorizable is the main cause of the vulnerability. The researchers call for truly randomized passwords to be the default setting for mobile hotspot-capable devices. The report concludes the following:
In the context of mobile hotspots, there is no need to create easily memorizable passwords. After a device has been paired with once by typing out the displayed hotspot password, the entered credentials are usually cached within the associating device, and are reused within subsequent connections.
Source: University of Erlangen (PDF)