Researchers Crack iOS Mobile Hotspot Passwords In Less Than a Minute

msm1267 writes "Business travelers who tether their iPhones as mobile hotspots beware. Researchers at the University of Erlanger-Nuremberg in Germany have discovered a weakness in the way iOS generates default passwords for such connections that can leave a user's device vulnerable to man-in-the-middle attacks, information leakage or abuse of the user's Internet connection. Andreas Kurtz, Felix Freiling and Daniel Metz published a paper (PDF) that describes the inner workings of how an attacker can exploit the PSK (pre-shared key) authentication iOS uses to establish a secure WPA2 connection when using the Apple smartphone as a hotspot. The researchers said that attackers would find the least resistance attacking the PSK setup rather than trying their hand at beating the operating system's complex programming layers."

Re:less than a minute?

[Russ1642]

Rainbow tables are useless against properly salted passwords. Anyone not using a salt in this day and age is begging to be hacked.

Fixed in iOS 7

[eecue]

FWIW, this has been fixed in iOS 7, it is now totally random.

Re:Simple.

[Aaden42]

Indeed this is not true. I use mobile hotspot on iOS6 (iPhone 4S). Default password was pathetic, but easily changed.

Re:Argh!

[retchdog]

The researchers say that the words are not picked uniformly at random, so it's actually fewer bits than that.

It's not hard to see why apple makes it this way: it's so that it's easy for you to share the password with people, and so that it's uniformly easy to type in on smartphones and tablets which reliably have only alphanumerics (and minimal punctuation) on the default keyboard.

Most people don't care about this stuff, and if you do you can change it. Apple understands that ease-of-use is king. That's why they make money.