Forgot your password?
typodupeerror
IOS Security

Researchers Crack iOS Mobile Hotspot Passwords In Less Than a Minute 49

Posted by Soulskill
from the algorithm-to-guess-your-cat's-name dept.
msm1267 writes "Business travelers who tether their iPhones as mobile hotspots beware. Researchers at the University of Erlanger-Nuremberg in Germany have discovered a weakness in the way iOS generates default passwords for such connections that can leave a user's device vulnerable to man-in-the-middle attacks, information leakage or abuse of the user's Internet connection. Andreas Kurtz, Felix Freiling and Daniel Metz published a paper (PDF) that describes the inner workings of how an attacker can exploit the PSK (pre-shared key) authentication iOS uses to establish a secure WPA2 connection when using the Apple smartphone as a hotspot. The researchers said that attackers would find the least resistance attacking the PSK setup rather than trying their hand at beating the operating system's complex programming layers."
This discussion has been archived. No new comments can be posted.

Researchers Crack iOS Mobile Hotspot Passwords In Less Than a Minute

Comments Filter:
  • Argh! (Score:5, Insightful)

    by girlintraining (1395911) on Wednesday June 19, 2013 @03:32PM (#44053167)

    the operating system proposes four-to-six-character passwords generated from a default list of 1,842 words and then tags on a random four-digit number.

    *facepalm* Dinopass [dinopass.com] does a better job of picking good passwords than Apple, and it's designed for children. For the largest company on the planet, this is really, painfully, sad. In other news, this isn't a weakness in the crypto per-se -- it's making a suggestion. The user still has the option of picking something more secure.. so it's not entirely Apple's fault if your hotspot gets p0wned.

    • by 54mc (897170)
      For reference, that means there's 18,420,000 combinations.
      • by cbhacking (979169)

        Or (in the terms that people in this area usually think in) just over 24 bits of entropy. (~24.135)

        That is absurdly low for an auto-generated single-use password.

        • Re:Argh! (Score:5, Informative)

          by retchdog (1319261) on Wednesday June 19, 2013 @05:23PM (#44054233) Journal

          The researchers say that the words are not picked uniformly at random, so it's actually fewer bits than that.

          It's not hard to see why apple makes it this way: it's so that it's easy for you to share the password with people, and so that it's uniformly easy to type in on smartphones and tablets which reliably have only alphanumerics (and minimal punctuation) on the default keyboard.

          Most people don't care about this stuff, and if you do you can change it. Apple understands that ease-of-use is king. That's why they make money.

    • by sl4shd0rk (755837)

      Dinopass does a better job of picking good passwords than Apple

      Nice! I finally have an awesome root pass!
      +otalDingle48

    • Not to defend it too much, since I agree that this is rather silly of Apple to have done, but we do need to remember that these hotspots are transient, and that for them to be attacked, an attacker would have to both know the location of one and when it will be there. That said, if someone were in a routine that an attacker was aware of, it would be fairly trivial to use this attack against them, and even if they generated a new password, they'd still face the issue again.

  • Don't use default passwords.
    • by Anonymous Coward

      The original article implied that IOS6 users were no longer able to choose their own password. I would hope and expect that this isn't true, but that's what they implied, and I wouldn't put it past Apple to do something like that. The word choice is a naughty word for Apple.

  • by Major Ralph (2711189) on Wednesday June 19, 2013 @03:53PM (#44053393)

    abuse of the user's Internet connection

    I abuse my internet on a daily basis.

    • by antdude (79039)

      Me too. Although, a few times the owners (e.g., ISPs) did complain and even kick me off. :(

  • Fixed in iOS 7 (Score:3, Informative)

    by eecue (605228) on Wednesday June 19, 2013 @04:25PM (#44053741) Homepage
    FWIW, this has been fixed in iOS 7, it is now totally random.
  • Apple knows security about as well as I know Portuguese. I do not know Portuguese, lol. They're so obsessed with "just make it work" and "make it user friendly" that they toss security out the window just as quickly as Lexus did and now you can hack one and drive away in 2 minutes.
  • by Cajun Hell (725246) on Wednesday June 19, 2013 @06:12PM (#44054769) Homepage Journal

    ..in iOS 6 for example, the operating system proposes four-to-six-character passwords generated from a default list of 1,842 words and then tags on a random four-digit number.

    I think I can explain what happened.

    First of all, this story is a dupe. It originally ran on April 1st, 1990. At the time, the story was about "System 6" but some recent tech media editor thought that meant "iOS 6" (I'll explain how the mistake happened, below). That explains the pre-mass-mainstream approach to passwords.

    Secondly, even the 1990 story was a hoax. By the standards of the day, that was still such a stupid way to generate passwords, that no one would do it.

    Third, the story was written by a guy who turned out to be working at Microsoft. The whole point of the hoax was to make the Newton tablet look stupid, a mis-engineered travesty designed by utterly clueless morons. The 2013 tech media editor saw "Newton" and knew that couldn't be right, which is how it became iOS. Newtons didn't really run System 6, but the original Microsoft author didn't know that.

    In short, this is about stupidity that is so stupid, that people didn't do things that stupidly, even back when your mother hadn't heard of the Internet yet.

    Just kidding. It's a modern story, but I just wanted to point out that even the most absurd bend-over-backward-to-rationalize-things explanation for behavior this stupid, still isn't very convincing. No field can distort reality to the required degree.

  • by Plumpaquatsch (2701653) on Wednesday June 19, 2013 @08:56PM (#44056159) Journal

    Other mobile platforms might be affected by these deficits as well. Although, we did not analyze other platforms in detail, spot-checks have revealed that default passwords in Windows Phone 8 consist of only 8-digit numbers. As this results in a search space of 108 candidates, attacks on Windows-based hotspot passwords might be practicable. Moreover, while the official version of Android generates strong passwords2, some vendors modified the Wi-Fi related components utilized in their devices and weakened the algorithm of generating default passwords. For instance, some Android-based models of the smart- phone and tablet manufacturer HTC are even shipped with constant default passwords consisting of a static string (1234567890) [26]. However, future studies will be necessary to evaluate the security level of mobile hotspots on other platforms in more detail.

    • by jeremyp (130771)

      In a sense, it would have been better for Apple to do that. The hotspot password is displayed directly below the switch that turns the hotspot on. If I had seen it said "1234567890" the first time I used personal hotspot, I would have immediately changed it to a reasonably strong password.

      However, the password that was displayed was "mucked3879" which I just assumed was generated randomly and didn't change until I first heard about this vulnerability.

There are running jobs. Why don't you go chase them?

Working...