Tethered and vulnerable: Hotspot password FAIL not just in iPhones

The LOT OF YOU might as well pick 'em from Scrabble dictionary

Remote control for virtualized desktops

Analysis The recent discovery that Apple's iOS hotspot passwords are readily crackable in under 50 seconds is part of a wider problem involving other smartphone platforms, claim researchers.

As recently reported by El Reg and others, a team of security researchers discovered from the University of Erlangen, Germany discovered that passphrases auto-generated by the "Personal Hotspot" are far weaker than Apple claims.

Bad though Apple's implementation is, other smartphone manufacturers support similar features and their approach is even worse in some cases, according to preliminary - and overlooked - findings from Andreas Kurtz, Felix Freiling and Daniel Metz, the three members of the Erlangen team.

Other mobile platforms might be affected by these deficits as well. Although we did not analyze other platforms in detail, spot-checks have revealed that default passwords in Windows Phone 8 consist of only 8-digit numbers. As this results in a search space of 108 candidates, attacks on Windows-based hotspot passwords might be practicable.

Moreover, while the official version of Android generates strong passwords, some vendors modified the Wi-Fi related components utilized in their devices and weakened the algorithm of generating default passwords. For instance, some Android-based models of the smart-phone and tablet manufacturer HTC are even shipped with constant default passwords consisting of a static string (1234567890).

However, future studies will be necessary to evaluate the security level of mobile hotspots on other platforms in more detail.

A more detailed look at the security shortcomings of hotspot implementation on other smartphones is not yet available. Kurtz told El Reg: "Unfortunately, we did not analyze other mobile platforms in detail."

The Erlangen team advises users never to accept the auto-generated passphrases suggested by mobile phones for Wi-Fi hotspots, even if the suggested password appears on casual inspection to be secure. The advice applies to all smartphones but derives from a close look at how Apple's technology works in practice.

Apple iPhones and iPads with 3G support can be used as Wi-Fi access points, a feature Apple calls "Personal Hotspot". The technology is designed with ease of use in mind, so Apple allows punters to generate a WPA passphrase that users can share amongst themselves and that can be typed in easily.

The password generator creates a pronounceable string of up to six characters, and combines it with a four digit number. That ought to give 30 billion possible combinations. A brute force attack using a decent laptop testing 3,000 WPA keys per second against a sniffed Wi-Fi session would take 120 days to run through all possible combinations.

This isn't a practical attack, but Kurtz, Freiling and Metz didn't take such assumptions for granted, instead deciding to investigate how the feature really worked.

Passphrase bingo

As a first step they generated a sample of Personal Hotspot passphrases. They wrote down the pronounceable word part of these login credentials before searching the internet to see if the words appeared together anywhere in a downloadable list. As it turned out these iOS Wi-Fi password words almost always seemed to appear as entries from a table used by an open source Scrabble game, containing a dictionary of 52,000 words.

If Apple was using words from this list in combination with a four digit number (which multiples the range of possible combinations by 10,000) then they were using a range of just 52 million possible passphrases.

At this point the researchers formed a tentative theory that the Apple passphrase generator has a dictionary list under the bonnet. To find out what going on the researchers set about disassembling the passphrase generator code.

They discovered that the software first fed a pseudo-random non-word into a spell checker and captured what came back before adding four pseudo-random digits. Only words of between four and six characters that happened to get returned by the spell checker were accepted.

The researchers wrote their own implementation of the passphrase generation code and ran it 100 million times with pseudorandom input. Only 1,842 different words came back, evidence that Apple's implementation was actually far worse than if the fruity firm had just used a Scrabble dictionary. Apple's tool generated only 18 million possible passphrases.

Encryption's fine - it's the passphrases that suck

Using a GPU rig of graphics cards, something many attackers would be able to access, the researchers discovered they needed just 50 seconds to run through all possible combinations - making it possible to brute-force crack a hotspot passphrase in less than a minute.

The researchers published their findings in a paper entitled, Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots. Kurtz, Freiling and Metz note that Apple's crypto-snafu is based on weak default passwords rather than a deeper problem with the WPA2 encryption protocol, which remains secure.

Paul Ducklin, writing on Sophos's Naked Security blog, said the issue means users need to come up with their own passphrase rather than accepting Apple's suggested login credentials.

"Anyone who knows your WPA key and is around when you connect to your network can decrypt your traffic in real time," Ducklin warns. "And anyone who is around when you connect and can sniff your traffic can attempt to crack the password and decrypt your traffic later. Choose your own passphrase, and make it a good one, when using iOS's Personal Hotspot," he concludes.

Kurtz, Freiling and Metz also advise avoiding default passwords in a summary of their research that explains why been able to crack passwords quickly is important to potential attackers.

"As it is always good advice to replace initial default passwords by user-defined strong and secure passwords, this becomes particularly relevant on mobile hotspots passwords," they conclude. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
YOU are the threat: True confessions of real-life sysadmins
Who will save the systems from the men and women who save the systems from you?
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
Virgin Media struck dumb by NATIONWIDE packet loss balls-up
Turning it off and on again fixes glitch 12 HOURS LATER
Ofcom snatches 700MHz off digital telly, hands it to mobile data providers
Hungry mobe'n'slab-waving Blighty swallows spectrum
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
prev story


Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.