Apple's screw-up leaves tethered iPhones easily crackable

iPhones being used as Wi-Fi hotspots are open to attack because of lax security protocols in the automatic password generation system Apple has in place, according to new research from the University of Erlangen in Germany. The paper, "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Black Helicopters

    Let's be quite clear that the NSA didn't demand that brute-forcing the password was tractable. No siree!

    1. LarsG

      So other than being hacked without knowing about it by the NSA, you'd need to be in the vicinity of the person and their hotspot, load up your laptop or desktop that has a top graphics card and then hang around for around an hour to crack the password, having downloaded a dictionary.

      However, wouldn't using other symbols and numbers or non-words make life a lot harder and negate the use of the dictionary?

      1. JDB
        FAIL

        stop reading a bit early, did we?

        "This cut the time to crack automatically generated passwords down to 24 seconds, or 52 using a single AMD Radeon HD 6990 GPU."

        1. LarsG

          Re: stop reading a bit early, did we?

          Actually no, it was a facetious (flippant) comment that crops up from time to time here.

          You need to chill and put your less serious head on, and don't forget to watch out for someone sitting behind you with a desktop gaming rig the next time you sip your latte in Starbucks.

          I despair I really do, where has the humour gone?

          I'm not even going to downvote you because frankly it's not worth the effort.

          Gosh I've just realised, you are American are you not, that explains it.

  2. Gordon 10
    FAIL

    Confuzzled

    Last time I checked my hotspot password was user specifiable, which means the bulk of this work is irrelevant and it's more likely to be the user's cat or similar, which will be a completely different problem shape depending on whether it's a proper name (charlie) or slang (Fido/moggy/puss) or T0pC@t.

  3. JeffyPooh
    Pint

    You'd think after maybe the 10,000th incorrect password attempt...

    You'd think that maybe the OS would just ignore the correct password - just out of pure spite...

    1. jonathanb Silver badge

      Re: You'd think after maybe the 10,000th incorrect password attempt...

      I don't think it is trying the passwords out on the system. There is no way you could do that many log-on attempts in 24 seconds, and additional GPUs wouldn't help you.

    2. Anonymous Coward
      Anonymous Coward

      Re: You'd think after maybe the 10,000th incorrect password attempt...

      or like VMS used to do (or still does), after n-attempts, it just ignores them for some random amount of time, then starts listening again, repeat forever .... or depending on setup, simply locks the account in question.

      1. Alan Brown Silver badge

        Re: You'd think after maybe the 10,000th incorrect password attempt...

        Or linux, if you enable that level of paranoia.

      2. Lars
        Linux

        Re: You'd think after maybe the 10,000th incorrect password attempt...

        Possible on *nix systems too. On SCO the default was nine, which was too low for many users and had to be increased.

      3. Dazed and Confused

        Re: You'd think after maybe the 10,000th incorrect password attempt...

        > or like VMS used to do (or still does), after n-attempts, it just ignores them for some

        Ultrix was doing this before VMS, I remember thinking that was a neat feature when we installed our 11/780 with Ultrix 1.0.

    3. Anonymous Coward
      Anonymous Coward

      Re: You'd think after maybe the 10,000th incorrect password attempt...

      My guess is that they either capture data encrypted with the password or make a login attempt to generate the data and then use the password cracker software on the encrypted data until it decrypts correctly.

  4. alisonken1
    FAIL

    @gordon10

    as noted, this article specifies the _default_ password generation that most people will use. Smart people don't keep the default password for their hotspots.

    1. Duncan Macdonald

      Re: @gordon10 - Apple Users - Smart People ???

      This article talks about Apple iPhones. Many users of iPhones do not even realise that their phones have a computer inside and have zero idea about security - they will use the defaults. (If the iPhone had a default password of "password" you would probably find 50% or more still with that password.)

    2. Fatman

      Re: @gordon10...Smart people don't keep the default password for their hotspots.

      These are Apple (l)users, it is unrealistic to expect any intelligence from them.

      They just want their iShit to work, that's all.

      1. Anonymous Coward
        Anonymous Coward

        Re: @gordon10...Smart people don't keep the default password for their hotspots.

        Oh dear, the "Apple users not intelligent" ad hominem logical fallacy rises again.

        I use Apple kit because it just works, I don't want to spend my spare time fiddling with my phone to get it to do stuff, I don't do this with my washing machine or my TV so why do it with my phone or my tablet? The time I save on messing with my phone I can use for having grown up bedtime fun with my wife.

        Incidentally, my IQ scores in the 99.5 centile on a standard Cattell test; this does indicate that this Apple user does exhibit a great deal of intelligence as defined by standard methods of measurement.

        Awaits the down votes from the trolls.

        1. TeeCee Gold badge
          Facepalm

          Re: @gordon10...Smart people don't keep the default password for their hotspots.

          I use Apple kit because it just works, I don't want to spend my spare time fiddling with my phone to get it to do stuff...

          So a typical Apple buyer then?

          Hint: "fiddling with" it would include delving into the configuration to manually specify a hotspot password rather than letting "it just work" one out for you. Way to shoot your own argument full of holes!

          1. Anonymous Coward
            Anonymous Coward

            Re: @gordon10...Smart people don't keep the default password for their hotspots.

            @TeeCee. No, I don't use the personal hotspot functionality. I don't see the point of using my phone as a wifi hotspot for my tablet or laptop when I went for the rather more secure option of purchasing a MiFi device, hiding the SSID and setting the access passphrase to a randomly generated long string.

            Like I said, I see no point fiddling with my phone to make it do stuff that other devices do better.

            1. SImon Hobson Bronze badge

              Re: @gordon10...Smart people don't keep the default password for their hotspots.

              >>... hiding the SSID ...

              You should unhide it for security.

              If it is hidden (i.e. the access point doesn't broadcast beacon packets saying "I'm here") then the devices with a stored association with it will constantly broadcast "Are you there?" packets looking for it - all the time they aren't connected to it. This happens because the only way for them to find your AP is to ask if it's there - rather than just silently listening for its broadcasts.

              Thus, by hiding the SSID, you change the target from "broadcasts information while the AP (your MiFi) is turned on" to "all your devices with stored connections to it broadcast the information all the time they are turned on".

              As a side effect, it also means your devices are more active (sending these "are you there?" packets), which impacts on battery life and also clogs up the available bandwidth.

        2. Blitterbug
          Meh

          Re: Incidentally, my IQ scores...

          ...stopped reading here. How toe-curlingly embarrassing. I feel a kind of deep pity tinged with horror.

          1. Anonymous Coward
            Anonymous Coward

            Re: Incidentally, my IQ scores...

            @Blitterbug. We feed on your pity, but the horror you feel is however unfounded. We will be coming with your turtle neck sweater and whole range of alt med treatments soon.

  5. MrXavia
    Facepalm

    You mean people don't choose their own passwords anymore?

    Surely just enforcing a user-chosen password of 8+ characters would be sufficient to stop this kind of attack?

    1. h3

      RE: MrXavia

      No it wouldn't; people would just use "password" or 1111111111, making it even worse.

      1. Yet Another Anonymous coward Silver badge

        Re: RE: MrXavia

        I'm surprised the default password list isn't just: "steve", "jobs", "turtleneck", "shiny", "rounded", "corners"

    2. imaginarynumber

      My Windows phone asked me to "create" my own password. I don't recall it selecting one for me.

  6. R Soles

    Huh?

    In addition to the point about the user being able to set their own - longer, random - passwords, you can also tether over USB or Bluetooth; the first of which renders this article meaningless, the second means the attacker would have to be sitting at the next table, or closer.

    1. Anonymous Coward
      Anonymous Coward

      Re: Huh?

      So what you are saying then is that because there exists a more secure method there is no need to worry about this issue.

  7. Shagbag

    eight-digit number strings

    Surely ints, not strings.

    1. Anonymous Coward
      Anonymous Coward

      Re: eight-digit number strings

      No, strings is correct because the data which are passed are a string. That string may contain only number-representing characters, but that doesn't make it an int.

    2. Anonymous Coward
      Anonymous Coward

      Re: eight-digit number strings

      No. It is a string constructed from the digits 0-9.

      If their random password generated the int 123456 then the password string would be "00123456". You might argue that that is simply the int padded with zeros, but an integer has no concept of padding and would consider 00123456 to be exactly the same as 123456 in a comparison.

  8. This post has been deleted by its author

  9. Andrew Hodgkinson
    WTF?

    Major facepalm

    Judging by the comments thus far, people don't know what a hotspot is. Which is hard to believe. So, one assumes a major reading comprehension fail.

    This is talking about *tethering* - when the phone is set up as a WiFi hotspot; a gateway to its mobile data service. This is of course disabled by default on all smartphones (due to the major battery hit) and not even allowed by some carriers.

    On the iPhone, when this is explicitly activated by the user in the Settings app, a pseudorandom password is presented to the user so that their other device can connect to the new WiFi hotspot without too much hassle. It's quite short, because the user has to read it on their phone's screen, then type it into their laptop or other device. Sounds like it's not pseudorandom enough!

    Since the password verification for WiFi is done at the CONNECTING DEVICE, the iPhone has no idea that someone has tried to crack the password 10,000 times. That's arguably a basic design deficiency in WiFi (if the source of the WiFi hotspot were itself responsible for checking and validating the password before granting access, there would be the opportunity to block such attacks).

    Meanwhile, whenever anyone is connected to the iOS hotspot, a permanent glowing bright blue status bar shows them the running tally of connected devices. So at least there is an opportunity for the user to see that more than one device is connected, though yes, it's unlikely most people would be paying attention to their phone's screen rather than their other, connected device's screen. I don't know if there are equivalent, prominent indicators on other popular mobile operating systems.

    1. Pascal Monett Silver badge

      Um, not to be contradictory or anything, but if I look at my Android settings panel under Wifi, I see that I can have a tethered hotspot, and an untethered one.

      As far as I know, a tethered hotspot is only valid for the device that is physically wired to it. The untethered hotspot would be the vulnerable party here.

      So I guess that my question is: does Apple have a different definition for the word "tethered"?

      1. This post has been deleted by its author

      2. NightFox

        On iOS the single tethering function covers WiFi, Bluetooth and USB, though obviously only WiFi tethering has this password issue (BT uses the standard pairing protocol).

    2. Robert Carnegie Silver badge

      Verified at the connecting device? Oh dear.

      Is that right?

      Oh well - anyway, if we're talking about WPA2 PSK, then the specification is a key of 256 bits, i.e. 32 fully random bytes, 64 hex characters, or between 8 and 63 "printable ASCII (American English) characters" according to

      http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#Security

      that are hashed into the 256-bit key. Again, as random as you like.

      Mine (not Apple) is about 20 fairly random decimal digits and some punctuation characters. Obviously it could be a lot randomer as well - but it's better than "aword745632". About a million times better, so it's going to take my neighbours 24 million seconds to crack me... hmm, that's nine months. Possible. Uh-oh.

      I'm a bit worried too about letting network users get at files on the phone, but, on reflection, it probably isn't all of the files. And if I put a micro SD card into my Huawei Mi-Fi hotspot, then it would have files to share, too. But I think you might need another password to get into the file server.
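      The passphrase-to-key mapping the comment above refers to, as an added example (not the commenter's code): a WPA2-PSK passphrase of 8 to 63 printable ASCII characters is stretched with PBKDF2-HMAC-SHA1 (4096 rounds, SSID as salt) into the 256-bit key, while a 64-hex-digit value is the raw key itself. The "password"/"IEEE" vector is the published IEEE 802.11i test vector; the other SSIDs and passphrases are constructed.

```python
import hashlib
import re

PBKDF2_ROUNDS = 4096   # fixed by IEEE 802.11i for the passphrase-to-PSK mapping
PSK_LEN = 32           # 256-bit pre-shared key / pairwise master key


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from an 8-63 character printable-ASCII passphrase.

    The SSID is the PBKDF2 salt, so the same passphrase yields a different key
    on every network name; a table of derived keys is only valid for one SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_LEN)


def psk_from_setting(value: str, ssid: str) -> bytes:
    """Interpret a configured PSK the way a supplicant does.

    64 hex digits are taken as the raw 256-bit key (no derivation, no salt);
    anything else is treated as a passphrase and run through wpa2_psk().
    """
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return bytes.fromhex(value)
    return wpa2_psk(value, ssid)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    # Constructed check: same passphrase, different SSID, different key.
    print(wpa2_psk("password", "IEEE") == wpa2_psk("password", "MyHotspot"))
```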

    3. Matt_payne666

      Re: Major facepalm

      I must agree with you here... the tethering is such a niche setting and the number of devices - iOS, blackberry, WM, Android, etc that will be broadcasting are pretty minimal... at least in the UK tethering is a costly addition with the option removed from any iOS device that doesn't support it...

      My tether password is incredibly simple - for the reasons 1) tethering is automatically turned off if inactive for a few minutes 2) I have a display showing how many devices are connected 3) it's only turned on to perform a particular task before being switched off again 4) the tether password is shown in plain text on the tether screen...

      for those reasons I don't need to waste my life remembering another case sensitive, alphanumeric code....

      If someone happens to find, connect, hack and break into my phone in that period of time, then good luck to them!

  10. Anonymous Coward
    Anonymous Coward

    0118 999 881 999 119 7253

    So easy to remember, now sing along...

    1. Putters
      Coffee/keyboard

      Re: 0118 999 881 999 119 7253

      For some reason, read that and the number

      01 811 8055

      popped into my head.

      It will ring bells if you are UK based, old enough, and have an autistic streak when it comes to numbers (oh, and if your mum wouldn't let you watch that Tiswas on ITV)

      1. NightFox
        Unhappy

        Re: 0118 999 881 999 119 7253

        Glad I'm not the only one to have 01 811 8055 etched into the deeper recesses of my mind by endless hours of laboriously and repetitively dialling it on a rotary dial telephone every Saturday morning for more years than I care to remember. Only ever got through once, only to find I was on a crossed line with another caller and got cut straight off again.

      2. Yet Another Commentard

        Re: 0118 999 881 999 119 7253

        Putters

        I remember it on the front of Noel's desk. I too was banned from Tiswas because Noel Edmonds was more "educational". This is the man who gave us Mr Blobby.

  11. DanBennett
    Thumb Up

    iOS7

    The password generator doesn't seem to follow that rule any longer in iOS 7.

  12. Richard 31
    Paris Hilton

    Hash DB

    With only 18,420,000 possible passwords in the default dictionary, you would think that you could just compile a DB of all the hashes and refer to that. It wouldn't even be all that huge.

  13. Velv
    FAIL

    No different from almost every piece of consumer wireless kit I've ever seen. They all come with a default password, it's usually on a sticker on the bottom, and it's not usually more than eight characters.

    So the problem isn't the iPhone, it's the fact that the vast majority of users aren't aware of the risks of not changing it (or that it even exists).

    Even if you do change it (say to a 40 character seemingly random non dictionary mix of upper, lower, symbols and numbers), most users will then rely on Wireless Protected Setup (WPS) to make adding new devices easy. And WPS can be cracked quicker than the default passwords being attacked here.

  14. Robert Carnegie Silver badge

    ...wait a minute.

    If this -is- the WPA2 PSK, does stealing it allow a man-in-the-middle attack? I mean, you already share it with all of the computers in your home. Does turning one of those evil also poison the Wi-Fi?

    1. Anonymous Coward
      Anonymous Coward

      "does stealing it allow a man-in-the-middle attack?"

      I'm not up on the way WPA2-PSK works, but don't you just create a competing AP with the same SSID and password, allow internet access and then capture the traffic with Wireshark (or feed it into a proxy that sends certain financially themed websites to a dummy server you set up to steal their logons).

  15. MacD4

    BlackBerry

    I'd like to know why, for equity, there was no inclusion of BlackBerry 7 or latest BlackBerry 10 devices in this test?
