IOS Security

Researchers Crack iOS Mobile Hotspot Passwords In Less Than a Minute

msm1267 writes "Business travelers who tether their iPhones as mobile hotspots beware. Researchers at the University of Erlangen-Nuremberg in Germany have discovered a weakness in the way iOS generates default passwords for such connections that can leave a user's device vulnerable to man-in-the-middle attacks, information leakage or abuse of the user's Internet connection. Andreas Kurtz, Felix Freiling and Daniel Metz published a paper (PDF) that describes the inner workings of how an attacker can exploit the PSK (pre-shared key) authentication iOS uses to establish a secure WPA2 connection when using the Apple smartphone as a hotspot. The researchers said that attackers would find the least resistance attacking the PSK setup rather than trying their hand at beating the operating system's complex programming layers."

  • Argh! (Score:5, Insightful)

    by girlintraining ( 1395911 ) on Wednesday June 19, 2013 @03:32PM (#44053167)

    the operating system proposes four-to-six-character passwords generated from a default list of 1,842 words and then tags on a random four-digit number.

    *facepalm* Dinopass [dinopass.com] does a better job of picking good passwords than Apple, and it's designed for children. For the largest company on the planet, this is really, painfully, sad. In other news, this isn't a weakness in the crypto per se -- it's making a suggestion. The user still has the option of picking something more secure... so it's not entirely Apple's fault if your hotspot gets p0wned.

  • by girlintraining ( 1395911 ) on Wednesday June 19, 2013 @03:36PM (#44053207)

    to be fair, it took them more than a week to crack it, but now that they've cracked it a hotspot password can be cracked in 50 seconds. a big difference I think.

    Not to an attacker. Google "rainbow tables" sometime, and then realize that even strong passwords up to 16 characters in length are currently crackable in mere seconds. 50 seconds is pathetically slow for the sophisticated attacker today.

  • Re:Argh! (Score:0, Insightful)

    by Anonymous Coward on Wednesday June 19, 2013 @03:46PM (#44053329)

    and it's designed for children

    So, like Apple.

  • by CastrTroy ( 595695 ) on Wednesday June 19, 2013 @03:55PM (#44053407)
    And rainbow tables are also only good if the attacker has access to your password file. If untrusted people have access to your password file, you already have some problems. The only case where the attacker should have access to the password file would be if they had physical access to the machine, in which case you'd better trust them to some degree anyway. However, what frequently ends up happening is that remote systems are hacked into and password files are downloaded and analyzed using a rainbow table. Sure, the salting of passwords would have helped a little in this situation, but the glaring problem is that the hacker should have never been able to obtain the password file in the first place.
  • Re:Really? (Score:3, Insightful)

    by Anonymous Coward on Wednesday June 19, 2013 @05:08PM (#44054091)

    So, someone else might be able to jump onto your phone data when you are tethering... however to do so they need to lug around a big computer tower with a bunch of GPUs plugged in, and only if you use the default password.

    This is very much a non-story. Most people using tethering will have it enabled when they need it then turn it off (otherwise major battery drain), so they might be able to use your internet for a little bit but then they'll be left with nothing. And it's really really easy to change the default password, on the screen to enable mobile hotspot on your phone the password is displayed, tapping on it gives you the keyboard to change it. This was the way it worked from the beginning of iOS tethering.

    With changing the password being so easy, how many people who use tethering would leave it at the default? Most people I know would change it just to make it more personal and memorable.

    The tower-full of GPUs doesn't have to be on-site. One can always transfer the captured handshake to a remote system for cracking. Of course, this renders the goal of getting a little free wireless broadband pointless (as it supposes an attacker already has some kind of network access).
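
The keyspace arithmetic behind the figures quoted in this thread, as an added example (not code from the paper or from any commenter): it flags hotspot passwords shaped like the default suggestion and estimates how long other choices would last at the same guess rate. The 4-6 letter shape, the reading that 50 seconds covers the whole default keyspace, and all function names are assumptions.

```python
import math
import re

# Figures quoted in the thread above.
WORDLIST_SIZE = 1842   # words in the default list
SUFFIX_DIGITS = 4      # random four-digit number appended
CRACK_SECONDS = 50     # quoted time to crack a default password

# Assumption: a default-style password is 4-6 letters followed by 4 digits.
DEFAULT_SHAPE = re.compile(r"[A-Za-z]{4,6}\d{4}")


def default_keyspace():
    """Number of candidates the default scheme can produce."""
    return WORDLIST_SIZE * 10 ** SUFFIX_DIGITS


def implied_guess_rate():
    """Guesses per second, assuming the quoted time covers the whole keyspace."""
    return default_keyspace() / CRACK_SECONDS


def alphabet_size(password):
    """Combined size of the printable-ASCII character classes in use."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z\d]", 33))
    return sum(n for pattern, n in classes if re.search(pattern, password))


def audit(password):
    """Return verdict, entropy bound in bits, and worst-case seconds to exhaust."""
    if not 8 <= len(password) <= 63:   # WPA2 passphrases are 8-63 characters
        return {"verdict": "invalid", "bits": 0.0, "seconds": 0.0}
    if DEFAULT_SHAPE.fullmatch(password):
        space, verdict = default_keyspace(), "default-shaped"
    else:
        # Upper bound: only holds if every character was chosen at random.
        space, verdict = alphabet_size(password) ** len(password), "custom"
    return {"verdict": verdict, "bits": math.log2(space),
            "seconds": space / implied_guess_rate()}


if __name__ == "__main__":
    for pw in ("suave1234", "k3Jq9xT2mZp7", "short"):   # constructed samples
        print(pw, audit(pw))
```

The default scheme comes out at roughly 24 bits, while a random 12-character mixed-case alphanumeric password is bounded at about 71 bits.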
