{"id":2676,"date":"2013-06-21T10:00:30","date_gmt":"2013-06-21T14:00:30","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=2676"},"modified":"2013-06-21T10:00:30","modified_gmt":"2013-06-21T14:00:30","slug":"researchers-crack-ios-generated-hotspot-passwords-in-24-seconds","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/06\/21\/researchers-crack-ios-generated-hotspot-passwords-in-24-seconds\/","title":{"rendered":"Researchers crack iOS-generated hotspot passwords in 24 seconds"},"content":{"rendered":"

\"\"<\/a><\/p>\n

If you’re an iPhone or iPad owner who uses hotspot mode but never bothered to change the seemingly-random password suggested by iOS, now is definitely a good time. German researchers have discovered (pdf) the passwords iOS issues can be easily predicted, allowing them to be cracked in as little as one minute using consumer hardware.
\nThe algorithm iOS uses to generate hotspot keys takes a dictionary word, adds a couple of numbers and voila — an easily memorable password is born. The problem though, is despite the endless variety of words available in the English language, iOS draws its password inspiration from a narrow selection of just 1,842 words.
\nThe second issue is certain words appear several times more frequently than other words. For example, out of nearly 2,000 words, “suave” had a 1-in-125 chance of being used. Meanwhile, “macaws” — the tenth most-likely word to be used — appeared 1-in-345 times. Knowing iOS’ preferred word selection allows brute force crackers to start with the most common ones first, further reducing the time needed.
\nA PC armed with a Radeon HD 6990 GPU was able to crack the average iPhone hotspot in 52 seconds while four Radeon HD 7970s yielded an average of just 24 seconds. GPUs are favored amongst crackers for their ability to perform massively parallell computations.
\nAlthough researchers revealed how easily an iOS-generated hotspot password can be brute forced, other exploits like attacking iOS’ PSK authentication method help to facilitate the process. Because handheld devices aren’t equipped with high-end GPUs, researchers even discussed offloading the computational work to a cloud-based service like CloudCracker for cracking hotspots on-the-go.
\nOf course, Apple doesn’t have a monopoly on devices with easily cracked hotspot passwords. Windows Phone and some Android handsets don’t fare much better.
\nWindows Phone, for example, auto-generates hotspot passwords consisting of eight numbers. This means you already know what the password could be, making Windows Phone susceptible to brute force attacks. More research may reveal an additional weakness though, which could narrow that selection of 10^8 possibilities down to something even more tractable.
\nMeanwhile, Android’s default password generator conjures sufficiently strong passwords, but some vendors have taken the liberty of greatly reducing its effectiveness. “Android-based models of the smartphone and tablet manufacturer HTC are even shipped with constant default passwords consisting of a static string (1234567890)” researchers noted.
\nWhen boiled down to its nuts and bolts though, the moral of this story is probably this: always create your own passwords, provided you follow some of the basic principles for creating strong ones.
\nvia Researchers crack iOS-generated hotspot passwords in 24 seconds – TechSpot<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you’re an iPhone or iPad owner who uses hotspot mode but never bothered to change the seemingly-random password suggested […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[6,7],"tags":[65,84,235,416,549,555,559,1204,1230],"class_list":["post-2676","post","type-post","status-publish","format-standard","hentry","category-networking","category-security","tag-android","tag-apple-2","tag-cracked","tag-germany","tag-ios","tag-ipad","tag-iphone","tag-wi-fi","tag-windows-phone"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-Ha","jetpack-related-posts":[{"id":2971,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/07\/17\/tumblr-tells-users-to-change-passwords-patches-security-hole-in-ios-apps\/","url_meta":{"origin":2676,"position":0},"title":"Tumblr tells users to change passwords, patches security hole in iOS apps","author":"NCCT","date":"July 17, 2013","format":false,"excerpt":"Tumblr, the blogging site recently acquired by Yahoo, has released a security update for its iPhone and iPad apps that it said addresses an issue that allowed passwords to be compromised in certain circumstances. Users of the apps have been advised to update their passwords on Tumblr as there is\u2026","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5724,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/12\/its-official-malicious-hackers-have-crappy-password-hygiene-too\/","url_meta":{"origin":2676,"position":1},"title":"It\u2019s official: Malicious hackers have crappy password hygiene, too","author":"NCCT","date":"June 12, 2014","format":false,"excerpt":"Given the amount of time malicious hackers spend bypassing other people's security, you might think that they pay close attention to locking down their own digital fortresses. It turns out that many of them don't, according to a recent blog post documenting some of their sloppiest password hygiene. The post\u2026","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/06\/sewer-640x480.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/06\/sewer-640x480.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/06\/sewer-640x480.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":6833,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/11\/12\/ios-security-hole-allows-attackers-to-poison-already-installed-iphone-apps\/","url_meta":{"origin":2676,"position":2},"title":"iOS security hole allows attackers to poison already installed iPhone apps","author":"NCCT","date":"November 12, 2014","format":false,"excerpt":"Security researchers have warned of a security hole in Apple's iOS devices that could allow attackers to replace legitimate apps with booby-trapped ones, an exploit that could expose passwords, e-mails, or other sensitive user data. The \"Masque\" attack, as described by researchers from security firm FireEye, relies on enterprise provisioning\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":9910,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/02\/11\/slap-and-flop-siri-ios-18-3-update-apple-music\/","url_meta":{"origin":2676,"position":3},"title":"Slap and Flop – Siri, iOS 18.3 Update, Apple Music","author":"NCCT","date":"February 11, 2025","format":false,"excerpt":"https:\/\/youtu.be\/Xwqi58VczQ4 What's going on with Siri? iOS 18.3 update is out now, along with a fix to a zero-day flaw. You can buy iPhones on eBay with TikTok installed on them as TikTok is still not available for download on the App Store. And on January 27th, 2010, Steve Jobs\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/Xwqi58VczQ4\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":7085,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/12\/12\/apple-ios-8-1-2-fixes-an-issue-with-disappearing-ringtones\/","url_meta":{"origin":2676,"position":4},"title":"Apple iOS 8.1.2 fixes an issue with disappearing ringtones","author":"NCCT","date":"December 12, 2014","format":false,"excerpt":"Apple\u2019s fifth patch for iOS 8 is now live. iOS 8.1.2 is said to address an issue in which ringtones purchased through iTunes were unexpectedly disappearing from devices. The update is also said to include various bug fixes although Apple didn\u2019t outline what specifically those were. The company\u2019s security update\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3213,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/20\/researchers-manage-to-get-malware-published-in-apples-ios-app-store\/","url_meta":{"origin":2676,"position":5},"title":"Researchers manage to get malware published in Apple's iOS App Store","author":"NCCT","date":"August 20, 2013","format":false,"excerpt":"While the posting of malware remains a rare occurrence on Apple's iOS App Store, a team of security researchers figured out a way to get a malicious piece of software past Apple's certification team. The team from Georgia Tech said that the app was approved and published by Apple in\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/2676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=2676"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/2676\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=2676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=2676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=2676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}