June 19, 2013
Using a personal hotspot with your iPhone or iPad is a convenient way to share a data connection. Unfortunately, because of how Apple assigns automatic passwords, it can also open a security hole on your device, according to researchers at the University of Erlangen (FAU) in Germany. When using a personal hotspot, iOS assigns a password. This password uses a combination of a short English word and a series or random numbers. This is a big no-no, according to researchers. Using an AMD Radeon HD 6990, a team at FAU were able to determine that Apple pulls from a list of just 1,842 words when generating this password. As a result, they were able to determine a user’s personal hotspot password in under a minute. When they upgraded to a faster CPU, the time to break the password fell to 50 seconds. FAU says that system-generated passwords “should be reasonably long, and should use a reasonably large character set. Consequently, hotspot passwords should be composed of completely random sequences of letters, numbers, and special characters.” Because iOS doesn't provide this type of security, FAU advises that users create their own password. They state:
As it is always a good advice to replace initial default passwords by user-defined strong and secure passwords, this becomes particular relevant on mobile hotspots passwords. Therefore, users of mobile hotspots, especially of iOS-based mobile hotspots, are advised to change their passwords. In addition, some mobile platforms (like Apple iOS) display the number of connected clients on the lock screen. Therefore, it is a good advice to periodically check that screen for any conspicuous activity. Finally, hotspot capabilities of smart devices should be switched off every time when they are no longer needed, to keep the overall attack surface as minimal as possible.Hopefully, Apple resolves this flaw iOS 7. Better still, perhaps Apple should simply stop assigning automatic passwords to personal hotspots. Instead, iOS should alert users that they must assign their own password before using the feature. See also: Your iDevice Can Be Hacked In Just Under A Minute With Just A Modified Charger, and Armed With Only A Date Of Birth And Email Address, Your Apple Password Can Be Reset.