Auto-generated passwords for iPhone’s Wi-Fi Hotspot can be cracked in 50 seconds

iPhone’s “Personal Hotspot” lets you share your cellular data connection over Wi-Fi by creating a network that other devices can join. If you want to connect to the Wi-Fi Hotspot, then you may have noticed that you need to enter a password that is auto-generated by iOS. A group of researchers have noticed that these auto-generated passwords are too weak, and can be cracked in less than a minute.

Apple uses a combination of standard dictionary words and a sequence of random numbers to generate these passwords, which ensures that all hotspots won’t have the same password:

“This list consists of around 52,500 entries, and was originated from an open-source Scrabble crossword game. Using this unofficial Scrabble word list within offline dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password.”

It took the researchers nearly 50 minutes to try all possible combinations of words and numbers to find the correct password, but with a few more bits of information, they drastically cut down this time to 50 seconds.

What they found was that Apple uses just 1,842 words out of the 52,500 entries, which means that the number of possibilities came down by a huge number, thus reducing the number of tries needed.

hotspot

Now an average person won’t be able to crack your hotspot password within a minute since it requires some high end hardware — a GPU cluster consisting of four AMD Radeon HD 7970s — to iterate over all the possibilities rapidly. However, until Apple amends its password generating algorithms, it’s better if you set a secure password on your own.

Direct link (PDF) to research paper via ZDNet