Researchers able to predict Apple iOS-generated hotspot passwords


20-06-2013, 14:23
IvanIV
Forum Member
 
Join Date: May 2006
Posts: 21,035

Researchers able to predict Apple iOS-generated hotspot passwords

"This list [of words] consists of around 52,500 entries, and was originated from an open-source Scrabble crossword game. Using this unofficial Scrabble word list within offline dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password," the researchers wrote.
20-06-2013, 15:33
Stuart_h
Forum Member
 
Join Date: Jul 2005
Posts: 2,710
Researchers able to predict Apple iOS-generated hotspot passwords

"This list [of words] consists of around 52,500 entries, and was originated from an open-source Scrabble crossword game. Using this unofficial Scrabble word list within offline dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password," the researchers wrote.
Oh dear.

I'm guessing that people aren't 'using' the hotspots right though
20-06-2013, 15:36
The Lord Lucan
Forum Member
 
Join Date: Apr 2005
Location: Scotland
Posts: 3,826
Who keeps their password default? Problem solved!
20-06-2013, 15:39
chenks
Forum Member
 
Join Date: Jul 2002
Location: North Ayrshire
Posts: 10,731
shouldn't affect many people as hardly any carriers allow you to use the hotspot feature by default anyway
20-06-2013, 17:11
cnbcwatcher
Forum Member
 
Join Date: Sep 2008
Location: At college, in L.A.'s office
Posts: 50,558
What about Android-generated hotspots?
20-06-2013, 17:52
Zack06
Forum Member
 
Join Date: Aug 2009
Posts: 27,113
What about Android-generated hotspots?
You can choose your own password for Android hotspots. It does generate passwords as well, but that system has not yet been compromised as it has on iOS.
20-06-2013, 18:02
IslandNiles
Forum Member
 
Join Date: Apr 2005
Posts: 12,791
You can choose your own password for Android hotspots. It does generate passwords as well, but that system has not yet been compromised as it has on iOS.
You can choose your own password for iOS hotspots too.
20-06-2013, 18:08
The Lord Lucan
Forum Member
 
Join Date: Apr 2005
Location: Scotland
Posts: 3,826
I have an issue with this story. Are we sure that this is on iOS6, as I just checked a fresh iPhone & iPad running iOS6.1 and the PH password is not a legible word and also includes numbers... Totally the opposite from what this is saying!

I smell a rat.
20-06-2013, 18:15
Zack06
Forum Member
 
Join Date: Aug 2009
Posts: 27,113
You can choose your own password for iOS hotspots too.
The article seems rather dubious and exaggerated then, if that is indeed the case.
20-06-2013, 18:17
IslandNiles
Forum Member
 
Join Date: Apr 2005
Posts: 12,791
The article seems rather dubious and exaggerated then, if that is indeed the case.
Yeah, I've always had my own password. I wasn't even aware before this thread that the system generated passwords.

I've always thought it a bit strange that it shows the password in full within the hotspot menu on the phone though.
20-06-2013, 18:47
IvanIV
Forum Member
 
Join Date: May 2006
Posts: 21,035
The article seems rather dubious and exaggerated then, if that is indeed the case.
Not everybody sets their own password, they see something there and think it's good enough. Using a dictionary to generate a password is pretty stupid.
20-06-2013, 19:42
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
There is a balance here.

If they auto-generate a password that looks like *&v4G%9:mF±~€gR2 then people will just change them to something simple and easier to type like 11111111.

A dictionary word followed by a number is not the worst idea. A larger dictionary and an extra digit, reverse the order, extra word.
20-06-2013, 20:08
IslandNiles
Forum Member
 
Join Date: Apr 2005
Posts: 12,791
There is a balance here.

If they auto-generate a password that looks like *&v4G%9:mF±~€gR2 then people will just change them to something simple and easier to type like 11111111.

A dictionary word followed by a number is not the worst idea. A larger dictionary and an extra digit, reverse the order, extra word.
That's very true. Our passwords at work have such absurd requirements (upper and lower case, symbols, numbers, no repeating characters, number can't be at the end, password can't be any of the last 16 used) that everyone writes them down, which just defeats the point.
20-06-2013, 20:16
IvanIV
Forum Member
 
Join Date: May 2006
Posts: 21,035
I take some known text, usually lyrics, take some letters from it and mix it up with special characters and numbers. Easy to remember and very difficult to crack. Using a dictionary only is a big no. Here, if this is true, it is easy to find out an algorithm how a password is generated, a small dictionary plus something. Still difficult to do anything manually, but very easy for a computer.
20-06-2013, 20:31
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
The most secure passwords, it seems, are actually of the form MonkeyTrousersPurpleGhostly. If you check the numbers there are more combinations than v4G%9:mF and they are easier to remember.
20-06-2013, 23:20
Lidtop2013
Forum Member
 
Join Date: Jan 2013
Location: West Midlands, UK
Posts: 1,511
Yeah, I've always had my own password. I wasn't even aware before this thread that the system generated passwords.

I've always thought it a bit strange that it shows the password in full within the hotspot menu on the phone though.
Same here. From day one I've had my own password and I was led to believe there's no option for a randomly generated password.
21-06-2013, 09:42
KieranDS
Forum Member
 
Join Date: Nov 2010
Location: London
Posts: 15,133
Mine was something like peak9292 by default. I doubt anyone would guess that.

You can create your own though, so I fail to see the point of this article.

Furthermore, the top third of the screen goes blue when a device is connected to the hotspot, so it's not like you'd be unaware should anyone ever guess the passwords.
21-06-2013, 10:01
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
Mine was something like peak9292 by default. I doubt anyone would guess that.

You can create your own though, so I fail to see the point of this article.

Furthermore, the top third of the screen goes blue when a device is connected to the hotspot, so it's not like you'd be unaware should anyone ever guess the passwords.
peak9292 would be guessed in under a minute by the process described in the article.

that was the point. it was using only 1842 words and 4 digits so there are only 18,420,000 passwords it needed to try. as opposed to a full set 8 digit password that has about 576,480,100,000,000 combinations and by the same technique would take 60 years. (incidentally if you add a digit to that, a 9 digit would take 420 years and 10 digit 30,000)

It's not about connecting an unauthorised device it's about the possibility of intercepting and reading the data.

the risk is not massive, not that much data is sent in the clear these days, but it is real.

a semi realistic scenario would be for a hacker with a high-end laptop to go somewhere busy, capture wifi data from everyone and store it whilst running the attack, discard it after the attack if it couldn't be broken and if it could automatically sift it for something useful. or maybe use it in a more targeted attack.
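An added illustration of the keyspace arithmetic in the post above and of the multi-word passphrase idea raised earlier in the thread; it is not code from any poster or from the researchers. The guess rate, the sample word list and all function names are assumptions made for this example.

```python
import math
import secrets

# Figures quoted in the thread.
IOS_WORDS = 1842         # words the iOS default reportedly drew from
WORD_LIST_SIZE = 52_500  # Scrabble-derived list cited in the first post
# Assumption: offline guess rate, not a figure from the thread.
ASSUMED_GUESSES_PER_SEC = 300_000

# Each scheme is a list of (alphabet_size, positions) components.
# 70 symbols over 8 positions reproduces the thread's 576,480,100,000,000.
SCHEMES = {
    "word + 4 digits": [(IOS_WORDS, 1), (10, 4)],
    "8 chars from 70 symbols": [(70, 8)],
    "4 words from 52,500": [(WORD_LIST_SIZE, 4)],
}

def keyspace(parts):
    """Number of distinct passwords a scheme can produce."""
    return math.prod(size ** count for size, count in parts)

def entropy_bits(parts):
    """Entropy in bits, assuming every component is chosen uniformly."""
    return math.log2(keyspace(parts))

def worst_case_days(parts, rate=ASSUMED_GUESSES_PER_SEC):
    """Days to try every candidate at the assumed guess rate."""
    return keyspace(parts) / rate / 86_400

def generate_passphrase(wordlist, n_words=4, n_digits=2):
    """Multi-word default drawn with a CSPRNG (hypothetical generator)."""
    words = [secrets.choice(wordlist).capitalize() for _ in range(n_words)]
    digits = "".join(secrets.choice("0123456789") for _ in range(n_digits))
    return "".join(words) + digits

# Constructed sample list; a real generator needs thousands of words.
SAMPLE_WORDS = ["monkey", "trousers", "purple", "ghostly", "peak", "harbour"]

if __name__ == "__main__":
    for name, parts in SCHEMES.items():
        print(f"{name:26} {keyspace(parts):>26,} "
              f"{entropy_bits(parts):5.1f} bits "
              f"{worst_case_days(parts):,.3f} days")
    print("example:", generate_passphrase(SAMPLE_WORDS))
```

The strength of each scheme comes from the size of its keyspace, so a generator's word list and format can be public as long as the selection is uniform and the keyspace is large.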
21-06-2013, 10:24
IvanIV
Forum Member
 
Join Date: May 2006
Posts: 21,035
Yes, that algorithm is way too simple. If they used 2-3 words, added the numbers somewhere randomly, mixed the upper/lower case it would be more fun. One should not dismiss it saying it's just a default. Not everybody changes it, they may think if the OS proposes it, it's good enough. It should not be a risk to use it. Focus is slowly moving from PCs to mobile devices and hackers will move as well. People put a lot of interesting information on their mobiles.
21-06-2013, 13:24
Daveoc64
Forum Member
 
Join Date: Sep 2003
Location: Bristol (BBC1 West)
Posts: 14,911
This would be less of a problem if you could change the SSID (name) of the Hotspot.

It will always match the name of the iPhone or iPad (which in most cases is going to be like "David's iPhone").

If you could change it, it'd be harder to know that the Hotspot was an iOS device and the chances of guessing the password would be substantially reduced (not to mention bringing many usability benefits).
All times are GMT +1.