Researchers able to predict Apple iOS-generated hotspot passwords

IvanIV Posts: 30,301
Forum Member
✭✭✭
Researchers able to predict Apple iOS-generated hotspot passwords

"This list [of words] consists of around 52,500 entries, and was originated from an open-source Scrabble crossword game. Using this unofficial Scrabble word list within offline dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password," the researchers wrote.

Comments

  • Stuart_h Posts: 5,311
    Forum Member
    IvanIV wrote: »
    Researchers able to predict Apple iOS-generated hotspot passwords

    "This list [of words] consists of around 52,500 entries, and was originated from an open-source Scrabble crossword game. Using this unofficial Scrabble word list within offline dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password," the researchers wrote.

    Oh dear.

    I'm guessing that people aren't 'using' the hotspots right though ;)
  • The Lord Lucan Posts: 5,054
    Forum Member
    Who keeps their password default? Problem solved!
  • chenks Posts: 13,231
    Forum Member
    ✭✭
    Shouldn't affect many people, as hardly any carriers allow you to use the hotspot feature by default anyway :D
  • cnbcwatcher Posts: 56,681
    Forum Member
    What about Android-generated hotspots?
  • Zack06 Posts: 28,304
    Forum Member
    ✭✭✭
    What about Android-generated hotspots?

    You can choose your own password for Android hotspots. It does generate passwords as well, but that system has not yet been compromised as it has on iOS.
  • [Deleted User] Posts: 13,367
    Forum Member
    ✭✭
    Zack06 wrote: »
    You can choose your own password for Android hotspots. It does generate passwords as well, but that system has not yet been compromised as it has on iOS.

    You can choose your own password for iOS hotspots too.
  • The Lord Lucan Posts: 5,054
    Forum Member
    I have an issue with this story: are we sure that this is on iOS 6? I just checked a fresh iPhone & iPad running iOS 6.1, and the PH password is not a legible word and also includes numbers... Totally the opposite from what this is saying!

    I smell a rat.
  • Zack06 Posts: 28,304
    Forum Member
    ✭✭✭
    You can choose your own password for iOS hotspots too.

    The article seems rather dubious and exaggerated then, if that is indeed the case.
  • [Deleted User] Posts: 13,367
    Forum Member
    ✭✭
    Zack06 wrote: »
    The article seems rather dubious and exaggerated then, if that is indeed the case.

    Yeah, I've always had my own password. I wasn't even aware before this thread that the system generated passwords.

    I've always thought it a bit strange that it shows the password in full within the hotspot menu on the phone though.
  • IvanIV Posts: 30,301
    Forum Member
    ✭✭✭
    Zack06 wrote: »
    The article seems rather dubious and exaggerated then, if that is indeed the case.

    Not everybody sets their own password, they see something there and think it's good enough. Using a dictionary to generate a password is pretty stupid.
  • flagpole Posts: 44,641
    Forum Member
    There is a balance here.

    If they auto-generate a password that looks like *&v4G%9:mF±~€gR2 then people will just change them to something simple and easier to type, like 11111111.

    A dictionary word followed by a number is not the worst idea. A larger dictionary and an extra digit, reverse the order, extra word.
  • [Deleted User] Posts: 13,367
    Forum Member
    ✭✭
    flagpole wrote: »
    There is a balance here.

    If they auto-generate a password that looks like *&v4G%9:mF±~€gR2 then people will just change them to something simple and easier to type, like 11111111.

    A dictionary word followed by a number is not the worst idea. A larger dictionary and an extra digit, reverse the order, extra word.

    That's very true. Our passwords at work have such absurd requirements (upper and lower case, symbols, numbers, no repeating characters, number can't be at the end, password can't be any of the last 16 used) that everyone writes them down, which just defeats the point.
  • IvanIV Posts: 30,301
    Forum Member
    ✭✭✭
    I take some known text, usually lyrics, take some letters from it and mix it up with special characters and numbers. Easy to remember and very difficult to crack. Using a dictionary only is a big no. Here, if this is true, it is easy to find out the algorithm by which a password is generated: a small dictionary plus something. Still difficult to do anything manually, but very easy for a computer.
  • flagpole Posts: 44,641
    Forum Member
    The most secure passwords, it seems, are actually of the form MonkeyTrousersPurpleGhostly; if you check the numbers, there are more combinations than v4G%9:mF and they are easier to remember.
  • Lidtop2013 Posts: 4,327
    Forum Member
    ✭✭✭
    Yeah, I've always had my own password. I wasn't even aware before this thread that the system generated passwords.

    I've always thought it a bit strange that it shows the password in full within the hotspot menu on the phone though.

    Same here; from day one I've had my own password, and I was led to believe there's no option for a randomly generated password.
  • KieranDS Posts: 16,545
    Forum Member
    ✭✭
    Mine was something like peak9292 by default. I doubt anyone would guess that.

    You can create your own though, so I fail to see the point of this article.

    Furthermore, the top third of the screen goes blue when a device is connected to the hotspot, so it's not like you'd be unaware should anyone ever guess the passwords.
  • flagpole Posts: 44,641
    Forum Member
    KieranDS wrote: »
    Mine was something like peak9292 by default. I doubt anyone would guess that.

    You can create your own though, so I fail to see the point of this article.

    Furthermore, the top third of the screen goes blue when a device is connected to the hotspot, so it's not like you'd be unaware should anyone ever guess the passwords.

    peak9292 would be guessed in under a minute by the process described in the article.

    That was the point. It was using only 1842 words and 4 digits, so there are only 18,420,000 passwords it needed to try, as opposed to a full-set 8-digit password that has about 576,480,100,000,000 combinations and by the same technique would take 60 years. (Incidentally, if you add a digit to that, a 9-digit one would take 420 years and a 10-digit one 30,000.)

    It's not about connecting an unauthorised device; it's about the possibility of intercepting and reading the data.

    The risk is not massive, as not that much data is sent in the clear these days, but it is real.

    A semi-realistic scenario would be for a hacker with a high-end laptop to go somewhere busy, capture wifi data from everyone and store it whilst running the attack, discard it after the attack if it couldn't be broken, and if it could, automatically sift it for something useful. Or maybe use it in a more targeted attack.
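The keyspace arithmetic in this post (and the earlier claim that four random words beat eight random symbols) worked through in code. This is an added example, not from the thread or the researchers: the dictionary sizes (1,842 and 52,500 words) and the 70-symbol alphabet are the thread's own figures, while the guess rate of 300,000 per second is an assumption chosen so that "under a minute" and "60 years" both line up; the sample word list and `looks_like_word_plus_digits` check are constructed for illustration.

```python
import math
import re

# Assumed offline WPA2 guess rate (guesses per second); chosen so that the
# thread's "under a minute" and "60 years" figures are consistent.
GUESS_RATE = 300_000

def keyspace(words=0, dictionary=1, digits=0, chars=0, charset=1):
    """Candidates for a fixed-pattern password: `words` entries drawn from a
    `dictionary`-sized list, then `digits` decimal digits, then `chars`
    symbols from an alphabet of `charset` symbols."""
    return dictionary ** words * 10 ** digits * charset ** chars

def entropy_bits(space):
    """Bits of entropy when every candidate in the space is equally likely."""
    return math.log2(space)

def years_to_exhaust(space, rate=GUESS_RATE):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate / (365.25 * 24 * 3600)

# Schemes discussed in the thread; figures taken from the posts above.
SCHEMES = {
    "word from 1,842-word list + 4 digits": keyspace(words=1, dictionary=1842, digits=4),
    "word from 52,500-word list + 4 digits": keyspace(words=1, dictionary=52_500, digits=4),
    "8 random symbols, 70-symbol alphabet": keyspace(chars=8, charset=70),
    "4 random words from 52,500-word list": keyspace(words=4, dictionary=52_500),
}

# Shape the researchers attribute to iOS defaults: lowercase word + exactly 4 digits.
DEFAULT_PATTERN = re.compile(r"^([a-z]+)(\d{4})$")

def looks_like_word_plus_digits(password, wordlist):
    """True if `password` is a word from `wordlist` followed by four digits,
    i.e. it has the predictable default shape and should be replaced."""
    m = DEFAULT_PATTERN.match(password)
    return bool(m) and m.group(1) in wordlist

def report(schemes=SCHEMES, rate=GUESS_RATE):
    """Return (name, keyspace, bits, years) per scheme, weakest first."""
    rows = [(n, s, entropy_bits(s), years_to_exhaust(s, rate)) for n, s in schemes.items()]
    return sorted(rows, key=lambda r: r[1])

if __name__ == "__main__":
    for name, space, bits, years in report():
        print(f"{name:40s} {space:>22,d} {bits:5.1f} bits {years:12.3g} years")
    sample_words = {"peak", "head", "coat", "scrap"}  # constructed stand-in list
    print(looks_like_word_plus_digits("peak9292", sample_words))
    print(looks_like_word_plus_digits("MonkeyTrousersPurpleGhostly", sample_words))
```

The four-word passphrase comes out at roughly 63 bits against about 49 bits for eight symbols from a 70-symbol alphabet, which is the comparison flagpole is making.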
  • IvanIV Posts: 30,301
    Forum Member
    ✭✭✭
    Yes, that algorithm is way too simple. If they used 2-3 words, added the numbers somewhere randomly, and mixed the upper/lower case it would be more fun. One should not dismiss it saying it's just a default. Not everybody changes it; they may think that if the OS proposes it, it's good enough. It should not be a risk to use it. Focus is slowly moving from PCs to mobile devices and hackers will move as well. People put a lot of interesting information on their mobiles.
  • Daveoc64 Posts: 15,374
    Forum Member
    ✭✭
    This would be less of a problem if you could change the SSID (name) of the Hotspot.

    It will always match the name of the iPhone or iPad (which in most cases is going to be like "David's iPhone").

    If you could change it, it'd be harder to know that the Hotspot was an iOS device and the chances of guessing the password would be substantially reduced (not to mention bringing many usability benefits).