iOS-Generated Passwords Cracked In 50 Seconds
June 19, 2013

iOS-Generated Wi-Fi Passwords Cracked In 50 Seconds

Michael Harper for — Your Universe Online

Three years ago, Apple's generated Wi-Fi passwords in iOS may have offered some level of protection against hackers and snoopers. Yet as hackers begin to use increasingly sophisticated hardware and software to crack secure and insecure passwords alike, Apple's combination of esoteric words and numbers has been exposed as less than failsafe. Users can change their Wi-Fi hotspot passwords at any time, but according to researchers at the University of Erlangen in Germany, passwords generated by default in iOS can be cracked quite easily, in as little time as 50 seconds.

In their paper entitled “Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots,” Andreas Kurtz, Felix Freiling and Daniel Metz say they've unlocked the method used to generate these hotspot passwords, rendering them easily cracked.

The researchers discovered Apple's method includes a word that is four to six characters long, followed by a four-digit number. This by itself is enough to make the hotspot feature vulnerable to break-ins, write the researchers in their paper.

The team then began resetting the hotspot on their iPhone to get a list of words used by Apple's password generator. They searched the Internet for a list of words similar to their own list and found one in an open-source Scrabble crossword game with about 52,500 words contained therein.

“Using this (unofficial) Scrabble word list within offline dictionary attacks, we already had a 100% success rate of cracking any arbitrary iOS hotspot default password,” write the security researchers in their paper. In a footnote, they mention there was no evidence Apple uses a list of Scrabble words to generate their passwords and suggest instead both the game developers and the iPhone makers referred to the same list.

Though they were able to crack 100 percent of these passwords with this Scrabble dictionary, it took them almost 50 minutes with an AMD Radeon HD 6990 GPU to do so. They then reverse-engineered iOS to locate the library of words used and discovered a smaller list from which to generate these passwords. Armed with a cluster of four AMD Radeon HD 7970 GPUs and a smaller list of words, the team was able to crack iOS-generated hotspot passwords in less than 50 seconds.

“Vendors of mobile hotspot solutions should improve their way of generating initial default passwords,” writes the team in their report.

“System-generated passwords should be reasonably long and should use a reasonably large character set. Consequently, hotspot passwords should be composed of completely random sequences of letters, numbers and special characters. It can be neglected that increased randomness could have a negative impact on the memorability of the passwords.”

Not surprisingly, the security researchers recommend changing the iOS-generated password to something stronger. As devices that connect to a mobile hotspot only need to connect once, they say users shouldn't be too concerned with being able to remember this password. They also recommend switching off the hotspot feature when it's not in use and checking the number of devices connected to the hotspot when it's broadcasting a signal. The iPhone displays this information on the lock screen when the hotspot is enabled, so it's easy to keep an eye on how many devices are attempting to connect with the device.
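The gap between the default scheme and the researchers' recommendation can be put in numbers. The following Python sketch is an added example, not code from the paper or from Apple: it sizes the "word plus four digits" keyspace using the article's 52,500-word figure, generates a random passphrase of the kind the researchers recommend, and compares exhaustive-search times. The guess rate is an assumption derived by treating the reported 50-minute run as one full pass over the keyspace, and the function names are illustrative.

```python
import math
import secrets
import string

# Figures from the article. Reading "almost 50 minutes" as one full pass
# over the keyspace is an assumption made for this example.
WORDLIST_SIZE = 52_500          # size of the Scrabble word list
DIGIT_SUFFIXES = 10 ** 4        # four-digit number appended to the word
SCRABBLE_RUN_SECONDS = 50 * 60

# WPA2-PSK passphrases are 8 to 63 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def default_scheme_keyspace(words=WORDLIST_SIZE, suffixes=DIGIT_SUFFIXES):
    """Number of candidates for 'dictionary word + four digits'."""
    return words * suffixes


def random_keyspace(length, alphabet=ALPHABET):
    """Number of candidates for a uniformly random string of this length."""
    return len(alphabet) ** length


def entropy_bits(keyspace):
    return math.log2(keyspace)


def generate_passphrase(length=20, alphabet=ALPHABET):
    """Uniformly random passphrase drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(keyspace, guesses_per_second):
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    weak = default_scheme_keyspace()
    rate = weak / SCRABBLE_RUN_SECONDS  # implied guesses per second (assumption)
    print(f"word + 4 digits: {weak:,} candidates, {entropy_bits(weak):.1f} bits")
    for n in (8, 12, 20):
        ks = random_keyspace(n)
        print(f"random {n:2d} chars: {entropy_bits(ks):6.1f} bits, "
              f"{years_to_exhaust(ks, rate):.2e} years at {rate:,.0f} guesses/s")
    print("example passphrase:", generate_passphrase())
```
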

Apple announced a new iCloud Keychain feature during last week's WWDC keynote that will create randomly generated passwords and share them between iOS and Mac devices. As this is the second time in recent weeks Apple has been called out for lackluster security features, researchers may be ready to scrutinize the methods used in the new service.