[Owasp-mobile-security-project] Cracking iOS personal hotspots using a Scrabble crossword game word list
Andreas Kurtz
mail at andreas-kurtz.de
Mon Jun 17 13:19:23 UTC 2013
Within a recent study, we investigated the method used by Apple iOS to
set up a secure WPA2 connection when using an iPhone as a Wi-Fi mobile
hotspot. We found out that Apple iOS generates weak default passwords
which makes the mobile hotspot feature of Apple iOS susceptible to brute
force attacks on the WPA2 handshake. More precisely, we observed that
the generation of default passwords is based on a word list, of which
only 1.842 entries are taken into consideration. In addition, the
process of selecting words from that word list is not random at all,
resulting in a skewed frequency distribution and the possibility to
compromise a hotspot connection in less than 50 seconds. Spot tests have
shown that other mobile platforms are also affected by similar problems.
Users of mobile hotspots, especially of iOS-based mobile hotspots, are
advised to change their initial passwords.
For further information please refer to our technical report "Usability
vs. Security: The Everlasting Trade-Off in the Context of Apple iOS
Mobile Hotspots" [1] on our website https://www1.cs.fau.de/hotspot
More information about the Owasp-mobile-security-project
mailing list