Thursday, June 20, 2013

Researchers say they can crack iOS-generated hotspot keys in under a minute

The first thing you should do once a new router is up and running is change the default password, which is static and well known across the Internet. The same advice applies to any mobile hotspot you use, including iOS and its seemingly random hotspot passwords: a group of German researchers announced on Tuesday that they have "cracked the code."

In iOS, when a device is used as a mobile hotspot, users can specify their own password (really a WPA2 pre-shared key, but the researchers refer to it as a password), though that is optional. Apple pre-populates the field with a code that looks random. However, according to three researchers from the University of Erlangen in Germany, these default passwords can be cracked in under a minute, because the method used to generate them is flawed.

According to their paper, "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots" (PDF), an iOS hotspot default password is a short dictionary word followed by a four-digit number.

The researchers wrote:
This list consists of around 52,500 entries, and originated from an open-source Scrabble crossword game. Using this unofficial Scrabble word list within offline dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password.
Things are worse than just that, though. According to the researchers, only a small subset of that dictionary, 1,842 words, is actually used.
Only 1,842 different entries of that dictionary are taken into consideration. Consequently, any default password used within an arbitrary iOS mobile hotspot is based on one of these 1,842 different words.
Using admittedly powerful hardware, a GPU cluster of four AMD Radeon HD 7970s, the researchers could crack any OS-generated iOS hotspot password within 50 seconds.

With a more typical setup, a single AMD Radeon HD 6990 GPU, it took the researchers at most 49 minutes to crack a password. Both figures are for an offline attack: the attacker first records a WPA2 handshake between the hotspot and a legitimate client, then tests candidates against that recording without touching the hotspot again, so the hotspot owner sees nothing while the cracking runs.
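To make the numbers concrete, here is an added example (not code from the researchers or from this article) that models the scheme the paper describes: every candidate is one dictionary word followed by a four-digit number, so the attacker has at most 1,842 x 10,000 = 18,420,000 passwords to try. The PMK derivation is the real WPA2-Personal one (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4,096 iterations, 32 bytes). The word list, SSID and target password are constructed for the demonstration, and for brevity the attack compares PMKs directly, where a real cracker derives the PTK from the captured four-way handshake and checks its message integrity code instead.

```python
import hashlib

# Parameters of the iOS default-password scheme as described in the paper:
# one word from a 1,842-entry dictionary followed by a four-digit number.
IOS_WORD_COUNT = 1842
IOS_DIGITS = 4


def search_space(word_count: int, digits: int) -> int:
    """Number of distinct passwords a 'word + n-digit number' scheme can emit."""
    return word_count * 10 ** digits


def implied_guess_rate(seconds_worst_case: float,
                       word_count: int = IOS_WORD_COUNT,
                       digits: int = IOS_DIGITS) -> float:
    """Guesses per second an attacker needs to exhaust the space in the given time."""
    return search_space(word_count, digits) / seconds_worst_case


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def candidates(words, digits: int = IOS_DIGITS):
    """Enumerate every password the scheme can produce: word + zero-padded number."""
    for word in words:
        for n in range(10 ** digits):
            yield f"{word}{n:0{digits}d}"


def crack_pmk(target_pmk: bytes, ssid: str, words, digits: int = IOS_DIGITS):
    """Offline dictionary attack: derive a PMK for each candidate and compare.

    Returns (password, guesses_tried), or (None, guesses_tried) when the
    whole space is exhausted without a match.
    """
    tried = 0
    for pw in candidates(words, digits):
        tried += 1
        if wpa2_pmk(pw, ssid) == target_pmk:
            return pw, tried
    return None, tried


if __name__ == "__main__":
    ssid = "Alice's iPhone"                 # constructed SSID
    words = ["coral", "suave", "zesty"]     # constructed stand-in for the 1,842-word list
    target = wpa2_pmk("coral0042", ssid)    # constructed: the PMK a captured handshake lets us test against
    print("iOS default keyspace:", search_space(IOS_WORD_COUNT, IOS_DIGITS))
    print("guesses/s implied by 50 s worst case:", implied_guess_rate(50))
    print("guesses/s implied by 49 min worst case:", implied_guess_rate(49 * 60))
    print("eight-digit-only keyspace (no word):", search_space(1, 8))
    print("recovered:", crack_pmk(target, ssid, words))
```

Running the article's figures backwards: 18.42 million candidates in 50 seconds implies roughly 368,000 PBKDF2 guesses per second on the four-GPU cluster, and 49 minutes on a single HD 6990 implies about 6,300 per second. Real tools run the same PBKDF2 loop on the GPU; the Python version above is only fast enough for the toy word list.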

Forty-nine minutes sounds like a long time, but that is the worst case; on average an attacker finishes in about half that. There are a couple of things an end user can watch for, though: while your iOS hotspot is active, a banner at the top of the screen shows the number of connected devices. If it shows more devices than you expect, turn the hotspot off and change the password.

To be proactive, simply change the hotspot password (if you previously accepted Apple's default). To do this, go to Settings > Personal Hotspot in iOS, then tap the right arrow next to the password to replace the default with one of your own.

The researchers called on Apple to generate truly random passwords, noting that once a device has connected to a hotspot or router it caches the credentials and does not need them re-entered each time, so an easily remembered password is unnecessary.
In the context of mobile hotspots, there is no need to create easily memorisable passwords. After a device has been paired once by typing out the displayed hotspot password, the entered credentials are usually cached within the associating device, and are reused within subsequent connections.
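As an added example (not Apple's generator and not code from the paper), here is what the researchers' recommendation looks like in practice: draw every character from a cryptographic random source within the WPA2 passphrase format, and compare the resulting entropy with the word-plus-digits scheme. The 62-character alphabet and 20-character default length are assumptions chosen so the key is still typeable once; the 8 to 63 printable-ASCII rule is the IEEE 802.11 passphrase format.

```python
import math
import secrets
import string

# IEEE 802.11 WPA2-Personal passphrase format: 8 to 63 ASCII characters,
# each in the printable range 32..126.
PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63

# Assumption for this example: letters and digits only (62 symbols), so the
# key is easy to type on a phone keyboard once, after which it is cached.
ALPHABET = string.ascii_letters + string.digits


def is_valid_wpa2_passphrase(passphrase: str) -> bool:
    """Check the length and character-range rules a hotspot will accept."""
    if not PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX:
        return False
    return all(32 <= ord(c) <= 126 for c in passphrase)


def random_passphrase(length: int = 20) -> str:
    """Generate a passphrase with every position uniform over ALPHABET,
    using the OS CSPRNG rather than a word list."""
    if not PASSPHRASE_MIN <= length <= PASSPHRASE_MAX:
        raise ValueError("length outside the WPA2 passphrase range")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits_random(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def entropy_bits_word_plus_digits(word_count: int, digits: int) -> float:
    """Entropy of a 'dictionary word + n-digit number' default, assuming every
    word and number is equally likely (the paper found it is not even that)."""
    return math.log2(word_count * 10 ** digits)


if __name__ == "__main__":
    pw = random_passphrase()
    print("generated:", pw, "valid:", is_valid_wpa2_passphrase(pw))
    print("iOS default (1,842 words + 4 digits): %.1f bits" % entropy_bits_word_plus_digits(1842, 4))
    print("eight-digit number only:              %.1f bits" % entropy_bits_word_plus_digits(1, 8))
    print("20 random alphanumerics:              %.1f bits" % entropy_bits_random(20))
```

The comparison is stark: the iOS scheme yields about 24 bits, an eight-digit number about 27, and twenty random alphanumerics about 119, which is beyond any GPU cluster's reach for the foreseeable future, at no usability cost once the key is cached on the client.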
The researchers said that Windows Phone has a similar but easier-to-crack problem, and that while stock Android generates strong passwords, vendor modifications can change that:
Default passwords in Windows Phone 8 consist of only eight-digit numbers. As this results in a search space of 10^8 candidates, attacks on Windows-based hotspot passwords might be practicable.

Moreover, while the official version of Android generates strong passwords, some vendors modified the wi-fi-related components utilized in their devices and weakened the algorithm of generating default passwords.
