Well, this is embarrassing. Researchers from the University of Erlangen-Nuremberg in Germany have figured out that the security provided in the iPhone’s Wi-Fi hotspot isn’t actually all that secure. In fact, they’ve shown that the randomly generated password that Apple provides can be cracked in under a minute.
We show that Apple iOS generates weak default passwords which makes the mobile hotspot feature of Apple iOS susceptible to brute force attacks on the WPA2 handshake. More precisely, we observed that the generation of default passwords is based on a word list, of which only 1,842 entries are taken into consideration. In addition, the process of selecting words from that word list is not random at all, resulting in a skewed frequency distribution and the possibility to compromise a hotspot connection in less than 50 seconds.
Basically, the list the passwords for protecting the iPhone’s mobile hotspot are drawn from is just too small. And the “randomly generated” passwords are not random enough, according to their findings, which makes the passwords incredibly easy to crack for someone who knows what they’re donig.
To be clear, it’s the Wi-Fi hotspot protection that has been found to be weak — not the main password for the iPhone. But it’s still a vital security concern: if someone can get into your internet connection, it can attack devices that are connected to it.
Apple did not immediately respond to a request for comment.
The report concerns Wi-Fi password security in iOS 6, so Apple has an opportunity to fix the problem before the public release of iOS 7 sometime this fall.
Don’t feel too smug if you’re using something other than an Apple device. The researchers note that the iPhone’s hotspot isn’t the only one at risk: “Spot tests show that other mobile platforms are also affected by similar problems.” That includes Windows 8, which by default uses only eight-digit passwords, and modified versions of Android: “[W]hile the ofﬁcial version of Android generates strong passwords, some vendors modiﬁed the Wi-Fi related components utilized in their devices and weakened the algorithm of generating default passwords.”