When you are taking the commuter train to work in the morning and activate your iPhone or iPad’s Wi-Fi hotspot, do you use your own, complex multi-symbol password or a randomly generated series of letters and numbers that Apple provides? If you are using Apple’s randomly generated password to secure your mobile hotspot, you may be vulnerable to a hack.
According to a recent research report from the University of Erlangen in Germany, Apple’s randomly generated passwords are not particularly secure. The report, “Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile,” addresses the pre-shared key (PSK) authentication that Apple provides users to protect their mobile hotspot. It appears that the automatic generator offers weak passwords that make users’ hotspots susceptible to brute force attacks.
A major part of the problem is that the generator builds each password from a list of fewer than 2,000 short words, and the words are not actually chosen at random. Because the list is so small and simple, it is possible for hackers to gain access to your mobile hotspot in less than 50 seconds.
Apple’s automatic generator creates a password that is a combination of short words found in an open source list of Scrabble words followed by a series of numbers. Using the unofficial Scrabble word list, the researchers had a 100 percent success rate of cracking any iOS hotspot default password.
According to the research, the most commonly used words in Apple’s random password generator are 10 times more likely to be selected as a default password than any other words.
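To put numbers on why a small word list plus digits is weak, the following added example (not code from the report or from Apple) compares the scheme's entropy with that of a uniformly random password. The word count of 2,000 is the upper bound stated above; the four-digit suffix and the number of favoured words are assumptions made for illustration.

```python
import math

def keyspace(n_words, n_digits):
    """Number of distinct word+digits passwords the scheme can produce."""
    return n_words * 10 ** n_digits

def skewed_word_probs(n_words, n_hot, factor):
    """Word probabilities when n_hot words are `factor` times likelier than the rest."""
    base = 1.0 / (n_hot * factor + (n_words - n_hot))
    return [base * factor] * n_hot + [base] * (n_words - n_hot)

def shannon_bits(word_probs, n_digits):
    """Entropy of the whole password; the digit suffix is assumed uniform."""
    h_words = -sum(p * math.log2(p) for p in word_probs)
    return h_words + n_digits * math.log2(10)

def expected_guesses(word_probs, n_digits):
    """Mean number of guesses when candidates are tried most-likely word first."""
    suffixes = 10 ** n_digits
    ranked = sorted(word_probs, reverse=True)
    return sum(p * (rank * suffixes + (suffixes + 1) / 2)
               for rank, p in enumerate(ranked))

def random_password_bits(length, alphabet_size):
    """Entropy of a password drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    WORDS, DIGITS = 2000, 4   # "fewer than 2,000" words; digit count is assumed
    HOT, FACTOR = 10, 10      # 10x skew from the report; 10 favoured words assumed
    uniform = [1.0 / WORDS] * WORDS
    skewed = skewed_word_probs(WORDS, HOT, FACTOR)
    print("keyspace:", keyspace(WORDS, DIGITS))
    print("bits, uniform words: %.2f" % shannon_bits(uniform, DIGITS))
    print("bits, skewed words:  %.2f" % shannon_bits(skewed, DIGITS))
    print("mean guesses, uniform: %.0f" % expected_guesses(uniform, DIGITS))
    print("mean guesses, skewed:  %.0f" % expected_guesses(skewed, DIGITS))
    print("bits, random 12-char printable ASCII: %.2f"
          % random_password_bits(12, 94))
```

Under these assumptions the default scheme carries roughly 24 bits of entropy, and the skew toward favoured words lowers it further, while a random 12-character password drawn from the 94 printable ASCII characters carries more than 78 bits.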
To hack into an iOS user’s hotspot, the attacker has to monitor the traffic, wait for a wireless client to connect to a mobile hotspot, and then deauthenticate the connection, forcing the client to reauthenticate. This would make it easy to capture the WPA handshake.
The researchers involved in this report created an iOS app called “Hotspot Cracker” that creates a list of likely passwords that would be generated by Apple’s random generator. “The app also gives explanations and hints on how to crack a captured WPA handshake using well-known password crackers.”
This is from researchers at a university in Germany. Imagine what morally ambiguous or even criminally minded hackers have already created.
There are two lessons to take from this research. The first is for Apple. The company needs to change the software of its random password generator to create stronger passwords. The second is that users should make sure that their password is long, includes letters, numbers, and symbols, and is complex enough to be hack proof.