Let's be quite clear that the NSA didn't demand that brute-forcing the password was tractable. No siree!
Apple's screw-up leaves tethered iPhones easily crackable
iPhones being used as Wi-Fi hotspots are open to attack because of lax security protocols in the automatic password generation system Apple has in place, according to new research from the University of Erlangen in Germany. The paper, "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile …
-
-
Tuesday 18th June 2013 18:24 GMT LarsG
So other than being hacked without knowing about it by the NSA, you'd need to be in the vicinity of the person and their hotspot, load up your laptop or desktop that has a top graphics card and then hang around for around an hour to crack the password having downloaded a dictionary.
However, wouldn't using other symbols and numbers or non-words make life a lot harder and negate the use of the dictionary?
-
-
Tuesday 18th June 2013 21:23 GMT LarsG
Re: stop reading a bit early, did we?
Actually no, it was a facetious (flippant) comment that crops up from time to time here.
You need to chill and put your less serious head on, and don't forget to watch out for someone sitting behind you with a desktop gaming rig the next time you sip your latte in Starbucks.
I despair I really do, where has the humour gone?
I'm not even going to downvote you because frankly it's not worth the effort.
Gosh I've just realised, you are American are you not, that explains it.
-
Tuesday 18th June 2013 18:12 GMT Gordon 10
Confuzzled
Last time I checked my hotspot password was user specifiable, which means the bulk of this work is irrelevant and it's more likely to be the user's cat or similar, which will be a completely different problem shape depending on whether it's a proper name (charlie) or slang (Fido/moggy/puss) or T0pC@t.
-
-
Tuesday 18th June 2013 19:30 GMT Duncan Macdonald
Re: @gordon10 - Apple Users - Smart People ???
This article talks about Apple iPhones. Many users of iPhones do not even realise that their phones have a computer inside and have zero idea about security - they will use the defaults. (If the iPhone had a default password of "password" you would probably find 50% or more still with that password.)
-
-
Wednesday 19th June 2013 07:52 GMT Anonymous Coward
Re: @gordon10...Smart people don't keep the default password for their hotspots.
Oh dear, Apple users not intelligent ad hominem logical fallacy rises again.
I use Apple kit because it just works, I don't want to spend my spare time fiddling with my phone to get it to do stuff, I don't do this with my washing machine or my TV so why do it with my phone or my tablet? The time I save on messing with my phone I can use for having grown up bedtime fun with my wife.
Incidentally, my IQ scores in the 99.5 centile on a standard Cattell test, this does indicate that this Apple user does exhibit a great deal of intelligence as defined by standard methods of measurement.
Awaits the down votes from the trolls.
-
Wednesday 19th June 2013 08:08 GMT TeeCee
Re: @gordon10...Smart people don't keep the default password for their hotspots.
"I use Apple kit because it just works, I don't want to spend my spare time fiddling with my phone to get it to do stuff..."
So a typical Apple buyer then?
Hint: "fiddling with" it would include delving into the configuration to manually specify a hotspot password rather than letting "it just work" one out for you. Way to shoot your own argument full of holes!
-
Wednesday 19th June 2013 09:24 GMT Anonymous Coward
Re: @gordon10...Smart people don't keep the default password for their hotspots.
@TeeCee. No, I don't use the personal hotspot functionality. I don't see the point of using my phone as a wifi hotspot for my tablet or laptop when I went for the rather more secure option of purchasing a MiFi device, hiding the SSID and setting the access passphrase to a randomly generated long string.
Like I said, I see no point fiddling with my phone to make it do stuff that other devices do better.
-
Saturday 29th June 2013 10:39 GMT SImon Hobson
Re: @gordon10...Smart people don't keep the default password for their hotspots.
>>... hiding the SSID ...
You should unhide it for security.
If it is hidden (i.e. the access point doesn't broadcast beacon packets saying "I'm here") then the devices with a stored association with it will constantly broadcast "Are you there ?" packets looking for it - all the time they aren't connected to it. This happens because the only way for them to find your AP is to ask if it's there - rather than just silently listening for its broadcasts.
Thus, by hiding the SSID, you change the target from "broadcasts information while the AP (your MiFi) is turned on" to "all your devices with stored connections to it broadcast the information all the time they are turned on".
As a side effect, it also means your devices are more active (sending these "are you there ?" packets) which impacts on battery life and also clogs up the available bandwidth.
-
Tuesday 18th June 2013 20:09 GMT Anonymous Coward
Re: eight-digit number strings
No. It is a string constructed from the digits 0-9.
If their random password generated the int 123456 then the password string would be "00123456". You might argue that that is simply the int padded with zeros, but an integer has no concept of padding and would consider 00123456 to be exactly the same as 123456 in a comparison.
-
Tuesday 18th June 2013 23:08 GMT Andrew Hodgkinson
Major facepalm
Judging by the comments thus far, people don't know what a hotspot is. Which is hard to believe. So, one assumes a major reading comprehension fail.
This is talking about *tethering* - when the phone is set up as a WiFi hotspot; a gateway to its mobile data service. This is of course disabled by default on all smartphones (due to the major battery hit) and not even allowed by some carriers.
On the iPhone, when this is explicitly activated by the user in the Settings app, a pseudorandom password is presented to the user so that their other device can connect to the new WiFi hotspot without too much hassle. It's quite short, because the user has to read it on their phone's screen, then type it into their laptop or other device. Sounds like it's not pseudorandom enough!
Since the password verification for WiFi is done at the CONNECTING DEVICE, the iPhone has no idea that someone has tried to crack the password 10,000 times. That's arguably a basic design deficiency in WiFi (if the source of the WiFi hotspot were itself responsible for checking and validating the password before granting access, there would be the opportunity to block such attacks).
Meanwhile, whenever anyone is connected to the iOS hotspot, a permanent glowing bright blue status bar shows them the running tally of connected devices. So at least there is an opportunity for the user to see that more than one device is connected, though yes, it's unlikely most people would be paying attention to their phone's screen rather than their other, connected device's screen. I don't know if there are equivalent, prominent indicators on other popular mobile operating systems.
-
Wednesday 19th June 2013 07:58 GMT Pascal Monett
Um, not to be contradictory or anything, but if I look at my Android settings panel under Wifi, I see that I can have a tethered hotspot, and an untethered one.
As far as I know, a tethered hotspot is only valid for the device that is physically wired to it. The untethered hotspot would be the vulnerable party here.
So I guess that my question is: does Apple have a different definition for the word "tethered"?
-
Wednesday 19th June 2013 10:22 GMT Robert Carnegie
Verified at the connecting device? Oh dear.
Is that right?
Oh well - anyway, if we're talking about WPA2 PSK, then the specification is a key of 256 bits, i.e. 32 fully random bytes, 64 hex characters or between 8-63 "printable ASCII (American English) characters" according to
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#Security
that are hashed into the 256 bits key. Again, as random as you like.
Mine (not Apple) is about 20 fairly random decimal digits and some punctuation characters. Obviously it could be a lot randomer as well - but it's better than "aword745632". About a million times better, so it's going to take my neighbours 24 million seconds to crack me... hmm, that's nine months. Possible. Uh-oh.
I'm a bit worried too about letting network users get at files on the phone, but, on reflection, it probably isn't all of the files. And if I put a micro SD card into my Huawei Mi-Fi hotspot, then it would have files to share, too. But I think you might need another password to get into the file server.
-
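Added example, not part of the thread: the comment above says a WPA2-PSK passphrase of 8-63 printable ASCII characters is hashed into a 256-bit key. This Python sketch performs that derivation (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations) and compares the entropy of the passphrase shapes discussed in the comments. The helper names and the sample policies are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

PRINTABLE = {chr(c) for c in range(32, 127)}  # printable ASCII allowed in a passphrase


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2 pre-shared key from a passphrase and SSID."""
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)  # 64 hex characters are the key itself
    if not 8 <= len(passphrase) <= 63 or not set(passphrase) <= PRINTABLE:
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a passphrase whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def random_passphrase(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """Generate a passphrase with the OS CSPRNG (hypothetical helper)."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8-63")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # "password"/"IEEE" is the test vector published with IEEE 802.11i
    print(wpa2_psk("password", "IEEE").hex())
    # Constructed sample policies; entropy assumes truly random characters
    for label, size, length in [("8 random digits", 10, 8),
                                ("20 random digits", 10, 20),
                                ("20 random letters+digits", 62, 20),
                                ("63 random printable ASCII", 95, 63)]:
        print(f"{label:28s} {entropy_bits(size, length):6.1f} bits")
    print(random_passphrase())
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, and the entropy figures only hold when every character is chosen at random rather than by a person.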
Wednesday 19th June 2013 14:07 GMT Matt_payne666
Re: Major facepalm
I must agree with you here... the tethering is such a niche setting and the number of devices - iOS, blackberry, WM, Android, etc that will be broadcasting are pretty minimal... at least in the UK tethering is a costly addition with the option removed from any iOS device that doesn't support it...
My tether password is incredibly simple - for the reasons 1) tethering is automatically turned off if inactive for a few minutes 2) I have a display showing how many devices are connected 3) it's only turned on to perform a particular task before being switched off again 4) the tether password is shown in plain text on the tether screen...
for those reasons I don't need to waste my life remembering another case sensitive, alphanumeric code....
If someone happens to find, connect, hack and break into my phone in that period of time, then good luck to them!
-
Wednesday 19th June 2013 08:37 GMT NightFox
Re: 0118 999 881 999 119 7253
Glad I'm not the only one to have 01 811 8055 etched into the deeper recesses of my mind by endless hours of laboriously and repetitively dialling it on a rotary dial telephone every Saturday morning for more years than I care to remember. Only ever got through once, only to find I was on a crossed line with another caller and got cut straight off again.
-
Wednesday 19th June 2013 09:28 GMT Velv
No different from almost every piece of consumer wireless kit I've ever seen. They all come with a default password, it's usually on a sticker on the bottom, and it's not usually more than eight characters.
So the problem isn't the iPhone, it's the fact that the vast majority of users aren't aware of the risks of not changing it (or that it even exists).
Even if you do change it (say to a 40 character seemingly random non dictionary mix of upper, lower, symbols and numbers), most users will then rely on Wireless Protected Setup (WPS) to make adding new devices easy. And WPS can be cracked quicker than the default passwords being attacked here.
-
-
Wednesday 19th June 2013 11:55 GMT Anonymous Coward
"does stealing it allow a man-in-the-middle attack?"
I'm not up on the way WPA2-PSK works, but don't you just create a competing AP with the same SSID and password, allow internet access and then capture the traffic with Wireshark (or feed it into a proxy that sends certain financially themed websites to a dummy server you set up to steal their logons).
-