When you set up a personal hotspot on your iOS device, the first thing you should do is delete the password Apple generates for you and enter your own. Researchers at the University of Erlangen in Germany have discovered a way to crack Apple’s hotspot passwords in under a minute, leaving your iOS device vulnerable to attack.
Apple automatically generates a hotspot password on your iOS device, mainly for convenience, and sometimes it’s easier to just continue with that password rather than delete it and enter your own. But you should think twice about using Apple’s passwords in the future.
According to a new paper from the University of Erlangen, entitled “Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots,” the password iOS generates for you — which consists of a short word followed by a series of random numbers — can be easily cracked in no time at all.
“This list consists of around 52,500 entries, and was originated from an open-source Scrabble crossword game,” the researchers explain. “Using this unofficial Scrabble word list within offline dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password.”
What’s more, the researchers found that iOS doesn’t even use all 52,000 entries in the list — only a small subset of them. And with the help of a GPU cluster consisting of four AMD Radeon HD 7970s, they were able to crack any iOS hotspot with an Apple-generated password in under 50 seconds.
Admittedly, the hardware required means you’re unlikely to become a victim of this kind of attack at your local coffee shop, but nevertheless, the risk can be avoided quite easily. Rather than sticking with the password iOS automatically gives you, simply enter your own.
The researchers say hotspot passwords “should be composed of completely random sequences of letters, numbers, and special characters,” and they should be reasonably long. And don’t worry about remembering them, because once you’ve connected to your hotspot, associated devices should remember the code.
And if they don’t, you can always find it again within the settings in your iOS device.
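The gap between a generated default and the researchers' recommendation can be put in numbers. The Python below is an added example, not code from the paper or from Apple: it estimates the search space of a "word plus digits" password against a random one, flags passwords in that shape, and generates a replacement. The 52,500-word figure is the one quoted above; the four-digit suffix, the regular expression for the default shape, the sample password and all function names are assumptions made for illustration.

```python
import math
import re
import secrets
import string

WORDLIST_SIZE = 52_500   # word-list size quoted in the article
ASSUMED_DIGITS = 4       # assumption: the article only says "a series of random numbers"
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
# Assumed shape of a generated default: short lowercase word, then digits.
DEFAULT_SHAPE = re.compile(r"[a-z]{3,8}[0-9]{1,6}")


def default_scheme_bits(words=WORDLIST_SIZE, digits=ASSUMED_DIGITS):
    """Search space, in bits, of 'one list word + N decimal digits'."""
    return math.log2(words * 10 ** digits)


def random_password_bits(length, alphabet=ALPHABET):
    """Search space, in bits, of a uniformly random password."""
    return length * math.log2(len(alphabet))


def looks_like_default(password):
    """True if the password has the word-plus-digits shape and should be replaced."""
    return DEFAULT_SHAPE.fullmatch(password) is not None


def generate_hotspot_password(length=20):
    """Random password from a CSPRNG with all four character classes present."""
    if not 8 <= length <= 63:  # WPA2 passphrases are 8 to 63 ASCII characters
        raise ValueError("length must be between 8 and 63")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


if __name__ == "__main__":
    sample = "brave4821"  # constructed sample in the assumed default shape
    print(sample, "looks like a generated default:", looks_like_default(sample))
    print(f"default scheme: {default_scheme_bits():.1f} bits")
    print(f"random, 20 chars: {random_password_bits(20):.1f} bits")
    print("replacement:", generate_hotspot_password())
```

Under these assumptions the default scheme offers about 29 bits of search space even if the whole list were used, against roughly 131 bits for 20 random characters.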
The researchers note that this issue isn’t exclusive to iOS; it could also affect Android and Windows Phone devices.
Source: University of Erlangen (PDF)