“System-generated passwords should be reasonably long,” say security buffs

Jun 18, 2013 12:47 GMT  ·  By

A group of security researchers at the University of Erlangen in Germany have published a paper showing that iOS generates predictable default passwords for its mobile hotspot feature, built from a dictionary word and a few digits, which they were able to crack in under a minute.

The PDF document, titled “Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots,” explains how the researchers found a flaw in the mechanism Apple uses to automatically generate passwords for Wi-Fi hotspots.

Each password is a short English word, drawn from a list the researchers traced to an open-source Scrabble game, followed by four random digits. Because only a small fraction of the dictionary is ever used and the numeric suffix is short, the effective search space is tiny by password-cracking standards.

“System-generated passwords should be reasonably long, and should use a reasonably large character set.”

“Consequently, hotspot passwords should be composed of completely random sequences of letters, numbers, and special characters,” reads the paper, signed Andreas Kurtz, Felix Freiling, and Daniel Metz.

Using a cluster of four AMD Radeon HD 7970 GPUs, and working offline against a captured WPA2 handshake, the researchers exhausted the entire search space within 50 seconds, so any such default password can be recovered in under a minute.

The researchers also note that iOS is not alone here: Microsoft’s Windows Phone 8 uses a default password scheme that is nearly as weak.

“Default passwords in Windows Phone 8 consist of only eight-digit numbers. As this results in a search space of 10^8 candidates, attacks on Windows-based hotspot passwords might be practicable.”
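To make the arithmetic in the passages above concrete, the following added Python example (written for this page; it is not code from the researchers, Apple or Microsoft) simulates the iOS scheme and the attack on it: it generates a word-plus-digits password over a constructed toy word list, derives the WPA2 pairwise master key with PBKDF2 exactly as a hotspot does, exhausts the keyspace the way a cracker would, and then compares keyspace size, entropy and exhaustive-search time for the iOS, Windows Phone 8 and fully random schemes at the rate implied by the paper’s 50-second result. The word count (1,842) and the four-digit suffix are figures from the paper itself rather than from this article; the toy word list, the two-digit suffix and the SSID are constructed; and a real attack checks candidates against the MIC in a captured four-way handshake, which the direct PMK comparison here stands in for.

```python
import hashlib
import itertools
import math
import random
import secrets
import string

# Constructed toy word list standing in for the 1,842 dictionary words the paper
# found iOS actually uses; kept tiny so the pure-Python brute force below runs in seconds.
WORD_LIST = ["apple", "banana", "cherry", "donkey", "eagle", "falcon", "grape", "house"]
TOY_DIGITS = 2          # iOS appends four digits; two keeps the toy keyspace at 800

# Figures taken from the Erlangen paper, not from this article's text.
IOS_WORDS = 1_842       # distinct words observed in iOS default passwords
IOS_DIGITS = 4          # length of the numeric suffix
WP8_DIGITS = 8          # Windows Phone 8: eight-digit numeric default password
PAPER_SECONDS = 50      # time to exhaust the iOS keyspace on four HD 7970s


def word_plus_digits_password(rng=None, words=WORD_LIST, digits=TOY_DIGITS):
    """Generate a hotspot default password in the iOS style: word followed by digits."""
    rng = rng or random.Random()
    return rng.choice(words) + "".join(rng.choice(string.digits) for _ in range(digits))


def wpa2_pmk(ssid, passphrase):
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).

    A real cracker derives the PTK from this and compares the handshake MIC; checking
    the PMK directly is a stand-in that exercises the same expensive derivation.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def crack_word_digits(ssid, target_pmk, words=WORD_LIST, digits=TOY_DIGITS):
    """Exhaust every word+digits candidate in list order.

    Returns (password, candidates_tried); password is None when the space is exhausted.
    """
    tried = 0
    for word in words:
        for tail in itertools.product(string.digits, repeat=digits):
            candidate = word + "".join(tail)
            tried += 1
            if wpa2_pmk(ssid, candidate) == target_pmk:
                return candidate, tried
    return None, tried


def keyspace_word_digits(n_words, n_digits):
    """Number of candidates for a word-plus-digits scheme."""
    return n_words * 10 ** n_digits


def entropy_bits(keyspace):
    return math.log2(keyspace)


def implied_rate(keyspace, seconds):
    """Candidates per second the attacker sustained to exhaust keyspace in seconds."""
    return keyspace / seconds


def seconds_to_exhaust(keyspace, rate):
    return keyspace / rate


def random_password(length=12, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """What the paper recommends instead: a fully random string over a large character set."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes():
    """Keyspace, entropy and exhaustive-search time per scheme at the paper's implied rate."""
    ios = keyspace_word_digits(IOS_WORDS, IOS_DIGITS)
    rate = implied_rate(ios, PAPER_SECONDS)
    schemes = {
        "iOS word + 4 digits": ios,
        "Windows Phone 8, 8 digits": 10 ** WP8_DIGITS,
        "random 12 chars, 94-symbol set": len(string.ascii_letters + string.digits + string.punctuation) ** 12,
    }
    return {name: (space, entropy_bits(space), seconds_to_exhaust(space, rate))
            for name, space in schemes.items()}


if __name__ == "__main__":
    ssid = "iPhone"  # constructed SSID; the network name is the PBKDF2 salt
    pw = word_plus_digits_password(random.Random(2013))
    found, tried = crack_word_digits(ssid, wpa2_pmk(ssid, pw))
    total = keyspace_word_digits(len(WORD_LIST), TOY_DIGITS)
    print(f"generated {pw!r}, recovered {found!r} after {tried} of {total} candidates")
    for name, (space, bits, secs) in compare_schemes().items():
        print(f"{name:32s} keyspace={space:.3e} entropy={bits:5.1f} bits exhaust={secs:.3e} s")
```

The comparison makes the paper's point about character sets directly: at the same hash rate the eight-digit Windows Phone 8 space falls in a few minutes, while the twelve-character random scheme would take longer than any realistic attacker has, even before considering the short window in which a hotspot is actually on the air.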

Google’s Android is a mixed picture, according to the Erlangen researchers.

According to the PDF, “…while the official version of Android generates strong passwords, some vendors modified the wi-fi-related components utilised in their devices and weakened the algorithm of generating default passwords.”

The paper notes that some Android phones and tablets shipped by HTC come with a constant default password, a static string such as “1234567890,” which requires no cracking at all.

The researchers concede that the mobile hotspot feature is mostly used while travelling, so “an attacker will only have a limited amount of time to succeed in breaking into a mobile hotspot.”

Couple that with the fact that the attacker has to be in range while the hotspot is active, and the flaw sounds less alarming than it first appears, although the hardware involved, four consumer graphics cards, is hardly exotic. Either way, you can bet Apple will patch it up soon.