A group of researchers in Germany found that it’s incredibly easy to predict the default passwords iOS generates for mobile hotspots on the iPhone and iPad.
According to a recently published paper, the researchers from the University of Erlangen found that Apple uses an open-source Scrabble dictionary and a few random numbers to generate hotspot passwords for iOS devices. The revelation explains why all iOS Wi-Fi passwords are just a short word and a few numbers.
The problem with Apple’s method is that the researchers were able to crack the generated passwords relatively quickly. Using a GPU cluster with four AMD Radeon HD 7970s, the researchers were able to crack any generated iPhone hotspot password in just 50 seconds.
It’s doubtful that hackers will carry around GPU clusters such as the one the researchers used. The paper warns, however, that with cloud computing anyone can access similar resources easily. Theoretically anyone could hack into any iOS Wi-Fi hotspot with a generated password in less than one minute.
The researchers criticize Apple’s approach along with any similar approaches for generating passwords that other companies use. The generated passwords are easy to remember, but that isn’t necessary for hotspot passwords. Once users input a password on their device, it will remember the network’s password, eliminating the need for an easy-to-remember password.
Thankfully, the Wi-Fi hotspot password is easy to change on the iPhone and other iOS devices. To change it, users just have to go to Personal Hotspot in Settings and tap on the Wi-Fi password. Users can then change the password to anything they want. Remember that iOS will always show the password on-screen, so there’s no need to make the password something easy to remember.
While the researchers only tested their ability to crack iPhone Wi-Fi passwords, they noted issues with other platforms, saying:
Default passwords in Windows Phone 8 consist of only eight-digit numbers. As this results in a search space of 10^8 candidates, attacks on Windows-based hotspot passwords might be practicable. Moreover, while the official version of Android generates strong passwords, some vendors modified the wi-fi-related components utilised in their devices and weakened the algorithm of generating default passwords.
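For anyone replacing a generated default as suggested above, the following added example (not from the paper or from Apple) sizes a random hotspot password to a chosen search space and compares it with the eight-digit scheme quoted above. The 96-bit target, the letters-and-digits alphabet and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# WPA2-PSK passphrases must be 8 to 63 printable ASCII characters.
WPA2_MIN_LEN, WPA2_MAX_LEN = 8, 63
# Assumption: letters and digits only, so the value is easy to type once.
ALPHABET = string.ascii_letters + string.digits


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest WPA2-valid length whose search space reaches target_bits."""
    needed = math.ceil(target_bits / math.log2(alphabet_size))
    length = max(needed, WPA2_MIN_LEN)
    if length > WPA2_MAX_LEN:
        raise ValueError("target does not fit in a WPA2 passphrase")
    return length


def generate_hotspot_password(target_bits: float = 96.0) -> str:
    """Random passphrase from the OS CSPRNG, sized to meet target_bits."""
    n = length_for_bits(target_bits, len(ALPHABET))
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


if __name__ == "__main__":
    # The eight-digit default described in the quote: 10^8 candidates.
    eight_digits = search_space_bits(10, 8)
    pw = generate_hotspot_password()
    pw_bits = search_space_bits(len(ALPHABET), len(pw))
    print(f"eight-digit default: {eight_digits:.1f} bits")
    print(f"generated ({len(pw)} chars): {pw_bits:.1f} bits")
    print(pw)
```

Because the device that joins the hotspot stores the password after the first entry, the extra length costs the user one typing session.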