Researchers easily crack iOS-generated Hotspot passwords

When you enable the Personal Hotspot feature on your iPhone, iOS will generate a password on your behalf. It's convenient, but recent research from FAU in Germany suggests it is not very secure.

According to researchers Andreas Kurtz, Felix Freiling and Daniel Metz, the default hotspot password in iOS 6 uses a short English word with some random numbers at the end. Earlier versions of iOS used a similar pattern that included two words separated by two numbers.

Not surprisingly, these passwords can be cracked in no time via a brute-force attack. Using one AMD Radeon HD 6990 GPU, the team was able to guess a password in 50 minutes. When they bumped the GPUs up to four AMD Radeon HD 7970s, they were able to drop the password-cracking time to a mere 50 seconds.

One reason the cracking was so easy is that Apple apparently uses a password list that picks from 1,842 words, and the selection of these words is not done randomly. It wouldn't take much effort for a savvy hacker to figure out this pattern and write a tool that would compromise a hotspot password faster than you can say supercalifragilisticexpialidocious.

The take home message is to change your hotspot password from the default one that is generated by iOS to one of your own choosing. It's easy enough to do -- just tap Settings > Personal Hotspot or Settings > General > Cellular > Personal Hotspot, depending on your device and software. Then tap the WiFi password field and type in a new phrase. The new password must be at least eight characters long and use ASCII/Unicode characters. You can read more about the Personal Hotspot feature on Apple's iOS support page.

[Via Engadget]