If you frequently use your iPhone as a wireless hotspot you might want to listen up: researchers from the Friedrich-Alexander University in Germany found that they were able to crack the default pre-shared key (PSK) authentication method in iOS 6 (and below) in 24 seconds. While users can always set their own pre-shared key, many mobile devices, including the iPhone, propose a default one for the user. It's this default key that the researchers take issue with.
"We found out that hotspot default passwords consist of 4 to 6 characters, followed by a four-digit number," the researchers explained. "As this scheme enables only a very limited number of possible password combinations, the limited search space already makes the mobile hotspot feature of Apple susceptible to brute force attacks on the WPA handshake."
This is a huge problem. If someone gains access to your Internet connection, you are responsible for the activities they perform while they're connected, the researchers warn. It also exposes all of your phone data to hackers and could give them the ability to install unauthorized software.
The group used the aforementioned brute force attacks, combined with an open-source Scrabble word list, to hack the passwords 100 percent of the time, though that method took about 49 minutes. The scientists then reverse engineered the method iOS uses to generate its passwords, which drastically reduces the number of entries that need to be tried to find a matching word. It turns out that Apple only chooses one of 1,842 different words when it generates a mobile hotspot password, and using those words and the group's own custom hacking app, the researchers were able to crack a default iOS hotspot password in just 24 seconds. That result was on a computer with four AMD Radeon HD 7970 graphics processing units (GPUs). It took 52 seconds with a computer running a single AMD Radeon HD 6990 GPU and three minutes 18 seconds with two NVIDIA Tesla 2075 GPUs.
The most common words that are used include suave, subbed, headed, head, header, coal, ohms, coach, reach and macaws, and the researchers said those words are 10 times more likely to turn up in the password generation than any other words in the dictionary.
The group also tested Windows Phone 8 devices, which it said would be "practicable" to hack, and Android. They found that HTC devices that use a simple 1234567890 string by default are particularly insecure, but did not draw final conclusions on either platform.
Lesson learned? Set your own hotspot password, and make it a good one.
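As an added illustration (not code from the researchers or from the original article), this Python sketch sizes the default scheme's search space from the figures above and checks whether a hotspot passphrase still has the default shape. The letter-only word shape and the uniform-random estimate for other passphrases are assumptions.

```python
import math
import re
import string

WORDS = 1842            # word count reported in the article
SUFFIXES = 10 ** 4      # four-digit number, 0000-9999
DEFAULT_SPACE = WORDS * SUFFIXES

# Assumption: the "4 to 6 characters" are letters, as in the article's examples.
DEFAULT_SHAPE = re.compile(r"[A-Za-z]{4,6}[0-9]{4}")

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def charset_size(psk):
    """Combined size of the character classes that psk draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in psk))


def audit_psk(psk):
    """Return (looks_default, candidates, bits) for a hotspot passphrase.

    If the passphrase has the default word+digits shape, the candidate count
    is the scheme's full space. Otherwise it is charset ** length, which is an
    upper bound that only holds for uniformly random characters (assumption);
    a human-chosen phrase is weaker than this figure suggests.
    """
    if not 8 <= len(psk) <= 63:
        raise ValueError("WPA/WPA2 passphrases are 8 to 63 characters long")
    if not all(32 <= ord(ch) <= 126 for ch in psk):
        raise ValueError("WPA/WPA2 passphrases are printable ASCII")
    looks_default = DEFAULT_SHAPE.fullmatch(psk) is not None
    if looks_default:
        candidates = DEFAULT_SPACE
    else:
        candidates = charset_size(psk) ** len(psk)
    return looks_default, candidates, math.log2(candidates)


if __name__ == "__main__":
    # Constructed sample passphrases, not taken from any real device.
    for sample in ("suave1234", "k7Qv!x2mLp9w"):
        flagged, count, bits = audit_psk(sample)
        status = "default-shaped" if flagged else "custom"
        print(f"{sample!r}: {status}, {count:,} candidates, {bits:.1f} bits")
```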