When setting up a personal hotspot on their iPad or iPhone, users have the option of allowing iOS to automatically generate a password. Now, researchers say you shouldn’t get too comfortable with that auto-generated password, as they’ve been able to crack them in less than a minute, using a Scrabble word list.
According to researchers at Germany’s University of Erlangen (via ZDNeT), the way that the keys are generated – with a combination of a short English word along with random numbers – is predictable to the point where the researchers are able to crack the hotspot password in less than a minute.
In their paper, the researchers tell of the process they used to figure out the hotspot protection’s weak spots. The word list Apple uses contains approximately 52,500 entries. Initially it took almost 50 minutes to crack the password. The researchers used an AMD Radeon HD 6990 GPU to run through word and number combinations.
“This list consists of around 52,500 entries, and was originated from an open-source Scrabble crossword game. Using this unofficial Scrabble word list within offline dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password,” the researchers wrote.
The team then discovered that only a small subset of the larger word list was actually being used, and with a GPU cluster of four AMD Radeon HD 7970s, they got their password cracking time down to a much shorter time of 50 seconds.
The paper goes on to criticize Apple’s password generation methods, and suggests that the passwords should be composed of random numbers and letters.
ZDNet does note that while Apple’s password generation system is flawed, it is still more robust than those used by other companies such as Microsoft, whose Windows 8 phone uses default passwords that consist of eight digit numbers.
It should also be noted that iOS users can avoid a weak hotspot password by choosing to create their own passwords, which of course should contain the aforementioned sequence of random numbers and letters to enhance security.
