Researchers crack auto-generated iOS hotspot passwords in 60 seconds

updated 03:50 pm EDT, Wed June 19, 2013

Default passwords described as too weak

The auto-generated passwords for iOS Personal Hotspots can be cracked in under a minute, a group of German researchers claim. In a paper (PDF) out of the University of Erlangen, the researchers explain that iOS generates passwords based on a word list of about 52,500 entries, but only relies on 1,842 of them. The word selection process is moreover said to be insufficiently random, which makes a brute-force attack easy.

The Erlangen researchers tested their hypothesis using a cluster of four AMD Radeon HD 7970s. While the process initially took over a minute, eventually it was whittled down to approximately 50 seconds. Once they had access to a hotspot, the researchers were also able to gain access to services running on an iOS device, including wireless sharing apps like AirDrive HD.

The researchers comment that the hack could also affect devices connected to a hotspot, or allow people to intercept messages. As proof of the simplicity of the technique, a custom app dubbed Hotspot Cracker was developed to automate it.

"In the context of mobile hotspots," the paper deduces, "there is no need to create easily memorizable passwords. After a device has been paired with one by typing out the displayed hotspot password, the entered credentials are usually cached within the associating device, and are reused within subsequent connections."

Android is said to generate tougher passwords by default, but this strategy is often undermined by individual device makers. Windows Phone 8 uses eight-digit codes, which forces hackers to sort through 10^8 candidates.
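An added example (not from the article or the Erlangen paper) of why a small, non-uniformly sampled word list is weak: it compares the average number of guesses needed for a uniform pick among the 1,842 words with a skewed pick, and puts the resulting entropy next to the 10^8 figure and a randomly generated password. The Zipf-like skew and the 20-character generator are illustrative assumptions, not measured iOS behaviour, and only the word component of the password is modelled.

```python
import math
import secrets
import string

WORDS_USED = 1842        # from the article: words iOS actually draws from
WP8_CANDIDATES = 10**8   # from the article: Windows Phone 8 eight-digit codes

def uniform(n):
    """Every candidate equally likely (what a sound generator gives)."""
    return [1.0 / n] * n

def skewed(n, s=1.0):
    """Constructed Zipf-like skew; an assumption, NOT measured iOS data."""
    weights = [1.0 / (k ** s) for k in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]

def expected_guesses(probs):
    """Mean guesses to hit the value when tried in most-likely-first order."""
    ordered = sorted(probs, reverse=True)
    return sum(rank * p for rank, p in enumerate(ordered, start=1))

def bits(candidates):
    """Entropy in bits of a uniform choice among `candidates` values."""
    return math.log2(candidates)

def random_password(length=20):
    """Hotspot password from the OS CSPRNG; length/alphabet are assumptions."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def summary():
    alphabet_size = len(string.ascii_letters + string.digits)  # 62
    return {
        "word_uniform_avg_guesses": expected_guesses(uniform(WORDS_USED)),
        "word_skewed_avg_guesses": expected_guesses(skewed(WORDS_USED)),
        "word_bits_if_uniform": bits(WORDS_USED),
        "wp8_bits": bits(WP8_CANDIDATES),
        "random20_bits": bits(alphabet_size ** 20),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value:.1f}")
    print("example password:", random_password())
```

Because the associating device caches the password after the first entry, as the paper's quote above notes, a long random value costs the user one typing session.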

by MacNN Staff



  1. djbeta

    Junior Member

    Joined: 01-11-04

    wow, now that sounds just plain lazy..

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    This is ridiculous.

    The point of personal hotspot is to quickly have a casually secured Internet connection.
    Once it hasn't been accessed for ten minutes, it is switched off automatically, and the password is completely irrelevant.

    Generating complex random passwords is the OPPOSITE of what you want - the whole idea is to have something that can be quickly supplied to the colleague or co-worker, or your other device, that needs to go online in a pinch.

  1. Charles Martin

    MacNN Editor

    Joined: 08-04-01

    What SH said. And if anyone IS concerned still, just set your own password for the hotspot rather than rely on the auto-generated one. This is, I would think, Not A Big Deal unless you routinely do financial or very sensitive stuff on your personal hotspot.
