If you have used your iPhone’s personal hotspot feature, you know that it ships with a default, randomly generated password. German researchers have found that these passwords are susceptible to attack and can be cracked in less than a minute (via ZDNet).
The white paper, “Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots,” signed by researchers at the University of Erlagen in Germany, reveals the default passwords are created by Apple using the word list of an open-source Scrabble crossword game.
“This list consists of around 52,500 entries, and was originated from an open-source Scrabble crossword game. Using this unof?cial Scrabble word list within of?ine dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password,” the researchers wrote.
While this shouldn’t be a problem, as it can generate enough original passwords for all iOS devices capable of tether, the main issue, which made the default passwords predictable, is that Apple uses only a small subset of the 52,500 entries.
“Only 1,842 different entries of that dictionary are taken into consideration. Consequently, any default password used within an arbitrary iOS mobile hotspot is based on one of these 1,842 different words.”
By adding powerful cracking hardware to the setup (a GPU cluster consisting of four AMD Radeon HD 7970s), the German researchers had 100% success in cracking all hotspot passwords in just 50 seconds, and 49 minutes to cycle over all 52,500 entries by cracking on a AMD Radeon HD 6990 GPU.
Assuming that this won’t be always available to hackers, they have tested available cloud computing technologies to find that the passwords can be hacked using that technology as well.
Until Apple to updates its Personal Hotspot security, you can change the default password by tapping the “Wi-Fi password” line and create your own, secure password.