German security experts say that Apple’s much-touted mobile security system is rubbish and can be broken in under a minute.
But researchers at Germany’s University of Erlangen say that the way the keys are generated, which uses a combination of a short English word along with random numbers, is too predictable.
Apparently Apple, in its wisdom, used a word list that contained only 52,500 entries. This meant cracking the hotspot took almost 50 minutes. After finding a wi-fi connection, the researchers used a graphics card to run through the word and number combinations, taking the word list from an open-source Scrabble crossword game.
They then used a “cheap and cheerful” AMD Radeon HD 6990 GPU to scan through the lists. To be fair to Apple, the AMD’s dual-GPU Radeon HD 6990 is the world’s fastest single graphics card and has a massive price tag.
The German boffins said that their methods were very precise. Using this unofficial Scrabble word list in offline dictionary attacks, they had a 100 percent success rate in cracking any arbitrary iOS hotspot default password.
To be fair to Apple, it did take some processing power to crack the hotspot that quickly. They used a GPU cluster of four AMD Radeon HD 7970s, and they narrowed their iOS-generated hotspot password cracking time down to just 50 seconds.
In the paper, the team slams Apple’s password generation standards, suggesting that system generated passwords be composed of random letters and numbers.
It is not clear why Apple thought it was important to create easily memorised passwords. After all, once a device has been paired the entered credentials are cached.
The researchers said that it is common sense that system-generated passwords should be reasonably long, and should use a reasonably large character set.
Hotspot passwords should be composed of completely random sequences of letters, numbers, and special characters.
They think that Apple should be a little more like Microsoft and use default passwords that consist of eight-digit numbers.
Apple users should choose to use passwords of their own creation, which should contain a sequence of random numbers and letters for enhanced security, the researchers wrote.