{"id":2676,"date":"2013-06-21T10:00:30","date_gmt":"2013-06-21T14:00:30","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=2676"},"modified":"2013-06-21T10:00:30","modified_gmt":"2013-06-21T14:00:30","slug":"researchers-crack-ios-generated-hotspot-passwords-in-24-seconds","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/06\/21\/researchers-crack-ios-generated-hotspot-passwords-in-24-seconds\/","title":{"rendered":"Researchers crack iOS-generated hotspot passwords in 24 seconds"},"content":{"rendered":"

\"\"<\/a><\/p>\n

If you’re an iPhone or iPad owner who uses hotspot mode but never bothered to change the seemingly-random password suggested by iOS, now is definitely a good time. German researchers have discovered (pdf) the passwords iOS issues can be easily predicted, allowing them to be cracked in as little as one minute using consumer hardware.
\nThe algorithm iOS uses to generate hotspot keys takes a dictionary word, adds a couple of numbers and voila — an easily memorable password is born. The problem though, is despite the endless variety of words available in the English language, iOS draws its password inspiration from a narrow selection of just 1,842 words.
\nThe second issue is certain words appear several times more frequently than other words. For example, out of nearly 2,000 words, “suave” had a 1-in-125 chance of being used. Meanwhile, “macaws” — the tenth most-likely word to be used — appeared 1-in-345 times. Knowing iOS’ preferred word selection allows brute force crackers to start with the most common ones first, further reducing the time needed.
\nA PC armed with a Radeon HD 6990 GPU was able to crack the average iPhone hotspot in 52 seconds while four Radeon HD 7970s yielded an average of just 24 seconds. GPUs are favored amongst crackers for their ability to perform massively parallell computations.
\nAlthough researchers revealed how easily an iOS-generated hotspot password can be brute forced, other exploits like attacking iOS’ PSK authentication method help to facilitate the process. Because handheld devices aren’t equipped with high-end GPUs, researchers even discussed offloading the computational work to a cloud-based service like CloudCracker for cracking hotspots on-the-go.
\nOf course, Apple doesn’t have a monopoly on devices with easily cracked hotspot passwords. Windows Phone and some Android handsets don’t fare much better.
\nWindows Phone, for example, auto-generates hotspot passwords consisting of eight numbers. This means you already know what the password could be, making Windows Phone susceptible to brute force attacks. More research may reveal an additional weakness though, which could narrow that selection of 10^8 possibilities down to something even more tractable.
\nMeanwhile, Android’s default password generator conjures sufficiently strong passwords, but some vendors have taken the liberty of greatly reducing its effectiveness. “Android-based models of the smartphone and tablet manufacturer HTC are even shipped with constant default passwords consisting of a static string (1234567890)” researchers noted.
\nWhen boiled down to its nuts and bolts though, the moral of this story is probably this: always create your own passwords, provided you follow some of the basic principles for creating strong ones.
\nvia Researchers crack iOS-generated hotspot passwords in 24 seconds – TechSpot<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you’re an iPhone or iPad owner who uses hotspot mode but never bothered to change the seemingly-random password suggested […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[6,7],"tags":[65,84,235,416,549,555,559,1204,1230],"class_list":["post-2676","post","type-post","status-publish","format-standard","hentry","category-networking","category-security","tag-android","tag-apple-2","tag-cracked","tag-germany","tag-ios","tag-ipad","tag-iphone","tag-wi-fi","tag-windows-phone"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-Ha","jetpack-related-posts":[{"id":9910,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/02\/11\/slap-and-flop-siri-ios-18-3-update-apple-music\/","url_meta":{"origin":2676,"position":0},"title":"Slap and Flop – Siri, iOS 18.3 Update, Apple Music","author":"NCCT","date":"February 11, 2025","format":false,"excerpt":"https:\/\/youtu.be\/Xwqi58VczQ4 What's going on with Siri? iOS 18.3 update is out now, along with a fix to a zero-day flaw. You can buy iPhones on eBay with TikTok installed on them as TikTok is still not available for download on the App Store. And on January 27th, 2010, Steve Jobs\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/Xwqi58VczQ4\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9330,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/04\/03\/security-now-657-protonmail\/","url_meta":{"origin":2676,"position":1},"title":"Security Now 657: ProtonMail","author":"NCCT","date":"April 3, 2018","format":false,"excerpt":"https:\/\/youtu.be\/OeSZg-ph3Ns This week we discuss \"DrupalGeddon2\", Cloudflare's new DNS offering, a reminder about GRC's DNS Benchmark, Microsoft's Meltdown meltdown, the persistent iOS QR Code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new eMail initiative, Free electricity, a policy change at\u2026","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/OeSZg-ph3Ns\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9472,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/12\/30\/our-years-best-this-week-in-tech-699\/","url_meta":{"origin":2676,"position":2},"title":"Our Year’s Best – This Week in Tech 699","author":"NCCT","date":"December 30, 2018","format":false,"excerpt":"https:\/\/youtu.be\/gz77WILat9o The Best of TWiT from 2018! Host: Leo Laporte","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/gz77WILat9o\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9307,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/03\/11\/this-week-in-tech-657-dadgum-cell-phone\/","url_meta":{"origin":2676,"position":3},"title":"This Week in Tech 657: DadGum Cell Phone","author":"NCCT","date":"March 11, 2018","format":false,"excerpt":"https:\/\/youtu.be\/KGrJJj_8YHU SXSW features killer robots and killer barbeque. Alexa's spontaneous laugh makes us afraid of an AI takeover. Amazon wants to take over your checking account. Can blockchain reinvent fintech? Android users more loyal than iOS users. Is AI really all that smart? Apple hires M. Night Shyamalan. Millennials love\u2026","rel":"","context":"In "Social Media"","block_context":{"text":"Social Media","link":"https:\/\/nccomputertech.com\/techtalk\/category\/social-media\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/KGrJJj_8YHU\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9450,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/11\/20\/are-passwords-immortal-security-now-690\/","url_meta":{"origin":2676,"position":4},"title":"Are Passwords Immortal? – Security Now 690","author":"NCCT","date":"November 20, 2018","format":false,"excerpt":"https:\/\/youtu.be\/mOSTtkK7vy0 Pwn2Own, the Future of Passwords. -- All the action at last week's Pwn2Own Mobile hacking contest -- The final word on processor mis-design in the Meltdown\/Spectre era -- A workable solution for unsupported Intel firmware upgrades for hostile environments -- A forthcoming Firefox breach alert feature -- The expected\u2026","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/mOSTtkK7vy0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9432,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/11\/12\/ravioli-for-the-recount-this-week-in-tech-692\/","url_meta":{"origin":2676,"position":5},"title":"Ravioli for the Recount – This Week in Tech 692","author":"NCCT","date":"November 12, 2018","format":false,"excerpt":"https:\/\/youtu.be\/JXOWXzYDumg - Apple's new iPad Pro is not the future of Apple, but it does point to it. - Alibaba sells $1 billion in the first 85 seconds of Singles Day. - Tech doomsayer says that the vast majority of people will soon be \"The Useless Class.\" - 22% of\u2026","rel":"","context":"In "Apple"","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/JXOWXzYDumg\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/2676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=2676"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/2676\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=2676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=2676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=2676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}