iPhone Hotspot Passwords Take Seconds to Crack
CREDIT: Sascha Burkard/Shutterstock.com/Apple, Inc. Image composite by SecurityNewsDaily.
If you use your iPhone as a mobile hotspot, a hacker could probably get into it in less than a minute. By default, iOS 6 generates randomized passwords from a relatively small list of preset words, allowing hackers to use brute-force techniques to gain unauthorized access.
iPhone users who travel frequently or work outdoors are probably familiar with the phone's "mobile hotspot" feature, which essentially turns the device into a router. Users on laptops, tablets or even other phones can connect to the iPhone and access the Internet using the device's 4G mobile connection.
Unfortunately, the process is not as safe as it could be. By default, the mobile hotspot app will generate a random password based on a library of 1,842 words and four numbers. Common words and numbers are highly susceptible to brute-force attacks, wherein hackers run a long list of words and numbers through a system until one matches the password.
Fewer than 2,000 words is not a great base to start from, but matters got worse when researchers from the University of Erlangen-Nuremberg in Germany published a paper revealing that 10 words were used far more regularly than others. These words included "head," "coal" and "suave" — vowel-heavy and short, which is a bad combination for Web security.
Luckily for iPhone users, the fix is quite simple: When activating your device's mobile hotspot, simply program your own password. Strings of letters that don't go together, random number sequences and interspersing capital letters can all help create a password almost immune to brute-force attacks.
While users are still primarily responsible for their own safety, the paper's authors believe that phone manufacturers could do more to ensure consumer safety. Instead of using common words, the paper recommends that mobile hotspot software generate random letter and number strings.
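To put numbers on that recommendation, here is an added example (not code from the paper or from Apple) that compares the search space of the default word-plus-numbers scheme with a random letter-and-digit string, and generates such a string. It assumes "four numbers" means four decimal digits, treats every word as equally likely (an upper bound, since some words are favored), and uses a 57-character alphabet chosen for this sketch.

```python
import math
import secrets
import string

# Figures from the article: 1,842 candidate words plus four numbers.
WORDLIST_SIZE = 1842
DIGIT_COUNT = 4  # assumption: four decimal digits, as in "coal1234"

# Assumption: drop look-alike characters so the string is easy to type once.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in "0O1lI"
)


def search_space_bits(candidates: int) -> float:
    """Bits of entropy for a secret drawn uniformly from `candidates` values."""
    return math.log2(candidates)


def default_scheme_bits() -> float:
    """Upper bound for word + digits; skewed word choice makes it lower."""
    return search_space_bits(WORDLIST_SIZE * 10 ** DIGIT_COUNT)


def random_string_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet`."""
    return length * math.log2(len(alphabet))


def min_length_for(target_bits: float, alphabet: str = ALPHABET) -> int:
    """Shortest random string that reaches at least `target_bits`."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate_hotspot_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Random letter-and-digit string drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"default scheme:  {default_scheme_bits():.1f} bits at most")
    print(f"16 random chars: {random_string_bits(16):.1f} bits")
    print(f"random chars needed to match default: {min_length_for(default_scheme_bits())}")
    print("example password:", generate_hotspot_password())
```

Under these assumptions the default scheme tops out at about 24 bits, which a random string of only five characters already exceeds.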
"There is no need to create easily memorizable passwords," the paper explains. "After a device has been paired once by typing out the displayed hotspot password, the entered credentials are usually cached within the associating device and are reused within subsequent connections."
The real-life implications of mobile hotspot password cracking are hardly earth-shaking, either. Logging into someone's mobile hotspot is the same as logging into any other Wi-Fi network. A dedicated malicious hacker could view your browser history or learn a location detail or two, but the worst an average leech could do is clog your connection (and cost you money) with large downloads.
Still, there's no need to take unnecessary risks with your mobile device, especially out in the open. Make your own password, or at least try to feign surprise when a stranger hijacks your connection with "coal1234."