Default iOS hotspot passwords can be cracked in under a minute

Verizon iPhone's Personal Hotspot Feature

You may want to reconsider using a default password iOS provides for hotspot functionality as researchers at a German university warn of the weaknesses that let attackers crack any default iOS hotspot password in under a minute. Although Windows Phone uses even weaker passwords and some Android vendors weaken their device’s security by modifying the Wi-Fi-related components, Apple’s problem is that iOS generates “random” hotspot passwords using a dictionary of only 1,842 different entries…

Michael Lee, writing for ZDNet, points to the disturbing findings by researchers at the University of Erlangen in Germany who found iOS creates default hotspot passwords using a dictionary of 52,500 words from the Scrabble game.

Although Apple appends randomly generated numbers to the words from this dictionary, this isn’t stopping attackers from cracking the weak passwords.

The researchers explain:

This list consists of around 52,500 entries, and was originated from an open-source Scrabble crossword game. Using this unofficial Scrabble word list within offline dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password.

Cracking those passwords requires some serious oomph: the researchers used a GPU cluster consisting of four AMD Radeon HD 7970s. After capturing the Wi-Fi connection handshake, the researchers used the AMD hardware to iterate over all items in the list, including the permutations of additional numbers..

This hardware can crack default iOS hotspot passwords in under just 50 seconds.

It isn’t helping that Apple appears to be using only 1,842 words from the scrabble dictionary.

“Consequently, any default password used within an arbitrary iOS mobile hotspot is based on one of these 1,842 different words,” the research note explains.

It’s even worse on Windows Phone and Android, with the latter generating default hotspot passwords that consist of only eight-digit numbers. And even though Android generates strong passwords, “some vendors modified the Wi-Fi-related components utilised in their devices and weakened the algorithm of generating default passwords”.

The issue fuels serious security concerns, especially when users connect their MacBook, iPad or other device to a hotspot created on an iOS device.

In order to strengthen your security and prevent any potential eavesdropping, you’re advised not to accept default hotspot passwords iOS randomly generates.

Instead, use Settings > Personal Hotspot to replace the default password with your own uniquely generated strong password that should not contain birthday dates, spouse names and other commonly used and easily guessed terms.