back to article Tethered and vulnerable: Hotspot password FAIL not just in iPhones

The recent discovery that Apple's iOS hotspot passwords are readily crackable in under 50 seconds is part of a wider problem involving other smartphone platforms, claim researchers. As recently reported by El Reg and others, a team of security researchers discovered from the University of Erlangen, Germany discovered that …


This topic is closed for new posts.
  1. nsld

    one of the problems of selling to a non tech end user

    Is that you need to keep stuff really simple.

    And this is the end result.

    1. Waspy
      Paris Hilton

      Re: one of the problems of selling to a non tech end user

      You say Android has weak hotspot password generator? Oh no, I've not got one of those, I've got a Samsung Galaxy.

      What's a hotspot?

      1. Test Man
        Thumb Down

        Re: one of the problems of selling to a non tech end user

        What's a hotspot not?

        Not a good spot.

      2. Anonymous Coward
        Anonymous Coward

        Re: one of the problems of selling to a non tech end user

        Actually, I have an old Sony Xperia X10 mini pro, and that's even safer on account of not having a personal hotspot facility at all. As it mainly lives in a box as a backup phone I've never bothered to find one either..

  2. David Knapman

    I'm not sure it counts as brute force

    When it takes less than a minute. Maybe it could be described as "delicate force"

    1. Steve Knox

      Re: I'm not sure it counts as brute force

      Punching someone in the face only takes a second. When you're using a ring of GPUs to do your cracking, that's brute force.

      The question is, how useful is it? Are smartphone hotspots usually used as temporary access points, as they were designed to be, or is there a lot of de facto infrastructure being built with them?

      If I'm creating a hotspot to use for a few hours, and the next time I do it will be at a different time in a different place with a new password, there's not much opportunity here -- unless you want to lug a powerful workstation around, following smartphone owners around in the hopes that they'll decide to do some tethering.

      But if users are creating these hotspots and keeping them open for days or more without changing the password, then there's some risk -- about the same risk as that posed by all the public wifi networks out there.

      1. Irongut

        Re: I'm not sure it counts as brute force

        It's only for a few hours so you don't think there's a risk? Who is going to follow smartphone owners around with a powerful workstation?

        You can get laptops with quite powerful GPUs on board and I'm sure it would be possible to pass some of the processing off to AWS or Azure negating the need for any local GPU resources. I'm betting a lot of the time people use personal hotspots is in airports and train stations. Sitting there using a laptop for hours is not going to arouse suspicion and would enable the hacker to connect to a lot of hotspots.

        It takes less than a minute to crack the password. Then all it takes is for you to check your email and they can get that password or steal a session cookie. From there it's all over. While you are on your flight or train they can be resetting your online banking password, opening credit cards in your name and whatever else they want to do.

  3. Wam

    Reasonable Default (if I keep it)

    I have been offered 12 random hex digits by my Galaxy S3 as a default hotspot key - but I can change it to Pa55w0rd if I so choose ....

    1. breakfast Silver badge

      Re: Reasonable Default (if I keep it)

      It's a well known fact that if you want to be able to remember your password you should always use "********".

  4. Simon Harris

    default passwords consisting of ... 1234567890

    Damn - I was going to use that password!

    1. Anonymous Coward
      Anonymous Coward

      Re: default passwords consisting of ... 1234567890

      Now I need to change the combination on my air-shield. Damn you President Scroob!

      <- Anon to prevent the Spaceballs from attacking my planet.

  5. Lee D Silver badge

    "Using a default password".

    You're an idiot. Don't. Set one yourself, don't rely on things to do it for you (and turn off all that WPS junk that does the same because it has the same kind of weaknesses).

    Additionally, if someone really wants to spend 100 days brute-forcing your key, or use dozens of GPU's to do so, then you do need to think a little more carefully about what you're setting up in the first place. I.e. don't trust the wireless network at all and use a proper VPN setup - something which is stupidly cheap nowadays and is pretty much unbreakable. (Hint: VPS with OpenVPN for those with a brain, hosted OpenVPN service for those without).

    "Anyone who knows your WPA key"

    Game over. Before you start. Of course they can decrypt your communications, or just pretend to be the AP you're looking for.

    DON'T TRUST WIFI NETWORKS. Trust your encrypted, authenticated, verifiably-unbreakable layer that lays over the top of whatever communications medium you have for virtually ZERO overhead on a modern machine.

    1. Don Jefe

      You are correct but you are preaching to the choir. The issue is the tens or hundreds of millions of people who don't know and are never going to learn or implement security beyond the default settings in their device. It is not an issue of hardware choice or fandom, it is the age old 'the user is the problem' problem.

      1. Anonymous Coward 101

        "The issue is the tens or hundreds of millions of people who don't know and are never going to learn or implement security beyond the default settings in their device."

        And what is the likelihood of somebody nearby deciding to perform a brute force attack on ones WiFi tethering password? It will happen, of course, but is this something the average person must be concerned about as a practical threat?

  6. Pascal Monett Silver badge

    "If Apple was using words from this list in combination with a four digit number (which multiples the range of possible combinations by 10,000) then they were using a range of just 52 million possible passphrases."

    I have a problem here. For me, 52,000 x 10,000 = 520,000,000, not 52,000,000

    Anyone care to double-check ?

  7. jai

    wrong target audience?

    this is, readers of this website are more than likely to be fully aware of the importance of setting your own, strong password.

    so why are we reading this story?

    the types of people who need to hear this are the non-techie types. i'm not really sure they're likely to ever need to set up a personal hotspot. they'll just wait until they get home.

  8. Piro Silver badge


    Who would leave their hotspot running on their phone for long enough for it to be targeted anyway?

    Seriously, it drains battery fast, always shows up in the notification area so you can't forget...

    Just use a non-default password and only turn it on when you need it..

    It's not like this is a story about passwords on routers being predictable (although that has happened too!).

    1. Don Jefe

      Re: Non-story

      Convenience. You're talking about a consumer market that wants it now they don't want to fiddle with settings everytime. It is answering those calls to convenience that make a product a best seller, it is also what causes security holes like this.

      Customer demands are often insane and nearly impossible to implement at a given price point. There's an old saying 'business is great, except for the damn customers', it applies here.

  9. M Gale

    Huh, I thought WPA2 fixed the little "sniff one packet and spend a week busting the key at lightning speed" bug that was in WPA?

    Of course I could be wrong. Of course, some people still set their access points up as WEP, which really is game over before you even start.

    1. Irongut

      Nothing wrong with the WiFi security it's the stupid, predictable default passwords that are the issue.

      You can have the best security in the world but, as the NSA can attest, if the password is 1234 then someone is going to walk with all your secrets!

  10. Ian 55

    Isn't about time the death penalty was introduced for writing this sort of code?

    The password generation bits, not the cracking ones.

  11. h3

    Does Eadon work for the register now then ? (Title looks exactly like one he might have used). Perhaps Eadon was the alter ego of the article submitter.

    1. Anonymous Coward
      Anonymous Coward

      They DID hire him!

      Eadon is now Chief Windows Trollmaster as they needed someone to help increase traffic on the comments pages

  12. heyrick Silver badge

    Hotspot on my phone? No thanks!

    Both my Xperias (Mini Pro (not X10) and U) offer hotspot functions. Dead easy to use. The problem is when you connect a WWindows machine to the internet - a lot of things think it is a free-for-all when it comes to data. Are there updates? Should something be downloaded? Windows itself and the antivirus are the worst offenders, but every so often Firefox tells me if stuff has been updated, blah blah.

    On WiFi, it's no big deal. On mobile comms, it is unncessary deductions from the monthly allocation. I played with the hotspot function once, but really, there's practially nothing I can't do on my phone and should something not be possible on the phone, I can wait until I'm back on WiFi...

    That said, it seems as if the basic advice is "use a good password" and not the defaults. Duh.

    1. M Gale

      Re: Hotspot on my phone? No thanks!

      Well, right now and for whatever reasons, my phone company is my ISP. The hotspot feature is not only useful, but essential.

      As is an unlimited traffic allowance that actually means unlimited.

This topic is closed for new posts.

Other stories you might like