Researchers crack iOS-generated hotspot passwords in 24 seconds
If you're an iPhone or iPad owner who uses hotspot mode but never bothered to change the seemingly-random password suggested by iOS, now is definitely a good time. German researchers have discovered (pdf) the passwords iOS issues can be easily predicted, allowing them to be cracked in as little as one minute using consumer hardware.
The algorithm iOS uses to generate hotspot keys takes a dictionary word, adds a couple of numbers and voila -- an easily memorable password is born. The problem though, is despite the endless variety of words available in the English language, iOS draws its password inspiration from a narrow selection of just 1,842 words.
The second issue is certain words appear several times more frequently than other words. For example, out of nearly 2,000 words, "suave" had a 1-in-125 chance of being used. Meanwhile, "macaws" -- the tenth most-likely word to be used -- appeared 1-in-345 times. Knowing iOS' preferred word selection allows brute force crackers to start with the most common ones first, further reducing the time needed.
A PC armed with a Radeon HD 6990 GPU was able to crack the average iPhone hotspot in 52 seconds while four Radeon HD 7970s yielded an average of just 24 seconds. GPUs are favored amongst crackers for their ability to perform massively parallell computations.
Of course, Apple doesn't have a monopoly on devices with easily cracked hotspot passwords. Windows Phone and some Android handsets don't fare much better.
Windows Phone, for example, auto-generates hotspot passwords consisting of eight numbers. This means you already know what the password could be, making Windows Phone susceptible to brute force attacks. More research may reveal an additional weakness though, which could narrow that selection of 10^8 possibilities down to something even more tractable.
Meanwhile, Android's default password generator conjures sufficiently strong passwords, but some vendors have taken the liberty of greatly reducing its effectiveness. "Android-based models of the smartphone and tablet manufacturer HTC are even shipped with constant default passwords consisting of a static string (1234567890)" researchers noted.