Weaknesses in the system used to generate default passwords for the iPhone’s personal hotspot function – allowing a wifi-enabled device like a MacBook to share the phone’s mobile data connection – mean that they can be cracked in just 50 seconds with the right hardware, according to researchers at a German university (via ZDNet).
Any default password used within an arbitrary iOS mobile hotspot is based on one of 1,842 different words.
This, combined with an increase in cracking hardware — a GPU cluster consisting of four AMD Radeon HD 7970s — allowed the researchers to crack any iOS hotspot with an OS-generated password within 50 seconds. Although such hardware is physically out of the reach of most users, the researchers said that similar resources are easily available through today’s cloud computing technologies …
Researchers at the University of Erlangen in Germany found that Apple uses a dictionary of 52,500 words from an open-source Scrabble game to generate the passwords, with random numbers appended to them, but appears to be using only 1,842 words at present. Although that allows for a unique password for each iOS device, password strength is low.
Using a single computer, it took a maximum of 49 minutes to crack a password, but using an array of just four powerful processors would enable 100% success in just 50 seconds. They called on Apple to switch to true randomly-generated passwords to boost security.
As always, it’s strongly recommended to create your own, truly random password – either making something up or using a password-generator app. To do this, go to Settings > Personal Hotspot then just tap the right-arrow next to the password to replace the default password with your own.