The Case of iOS Wi-Fi Hotspots

Last week we published a study on the security of mobile hotspots. We found out, that Apple iOS generates weak default passwords, when an iPhone is used as mobile hotspot. This case serves as a perfect example, why it is always a good advice to replace initial default passwords by user-defined strong and secure passwords.

Abstract

Passwords have to be secure and usable at the same time, a trade-off that is long known. There are many approaches to avoid this trade-off, e.g., to advice users on generating strong passwords and to reject user passwords that are weak. The same usability/security trade-off arises in scenarios where passwords are generated by machines but exchanged by humans, as is the case in pre-shared key (PSK) authentication. We investigate this trade-off by analyzing the PSK authentication method used by Apple iOS to set up a secure WPA2 connection when using an iPhone as a Wi-Fi mobile hotspot. We show that Apple iOS generates weak default passwords which makes the mobile hotspot feature of Apple iOS susceptible to brute force attacks on the WPA2 handshake. More precisely, we observed that the generation of default passwords is based on a word list, of which only 1.842 entries are taken into consideration. In addition, the process of selecting words from that word list is not random at all, resulting in a skewed frequency distribution and the possibility to compromise a hotspot connection in less than 50 seconds. Spot tests show that other mobile platforms are also affected by similar problems. We conclude that more care should be taken to create secure passwords even in PSK scenarios.”

For more information please refer to our technical report “Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots” (PDF) or the related page on our chair’s website: https://www1.cs.fau.de/hotspot.

Media Coverage

  • Forbes: “Apple’s iPhone Password Security Broken In 24 Seconds”
  • The Register: “Apple’s screw-up leaves tethered iPhones easily crackable”
  • ars technica: “New attack cracks iPhone autogenerated hotspot passwords in seconds”
  • ZDNet: “Researchers able to predict Apple iOS-generated hotspot passwords”
  • H online: “Security issue in iOS Personal Hotspot”
  • Slashdot: “Researchers Crack iOS Mobile Hotspot Passwords In Less Than a Minute”
  • PC Magazine: “Researchers Crack iOS Personal Hotspot Passwords”
  • engadget: “Researchers able to predict iOS-generated hotspot passwords in less than a minute”
  • macrumors: “Researchers Crack iOS-Generated Hotspot Passwords in 50 Seconds”
  • Sophos Labs: “Anatomy of a cryptoglitch - Apple’s iOS hotspot passphrases crackable in 50 seconds”
  • The Guardian: “iPhone passwords security”