Slashdot Mirror


Researchers Crack iOS Mobile Hotspot Passwords In Less Than a Minute

msm1267 writes "Business travelers who tether their iPhones as mobile hotspots beware. Researchers at the University of Erlangen-Nuremberg in Germany have discovered a weakness in the way iOS generates default passwords for such connections that can leave a user's device vulnerable to man-in-the-middle attacks, information leakage or abuse of the user's Internet connection. Andreas Kurtz, Felix Freiling and Daniel Metz published a paper (PDF) that describes the inner workings of how an attacker can exploit the PSK (pre-shared key) authentication iOS uses to establish a secure WPA2 connection when using the Apple smartphone as a hotspot. The researchers said that attackers would find the least resistance attacking the PSK setup rather than trying their hand at beating the operating system's complex programming layers."

1 of 49 comments

  1. Argh! by girlintraining · Score: 4, Insightful

    the operating system proposes four-to-six-character passwords generated from a default list of 1,842 words and then tags on a random four-digit number.

    *facepalm* Dinopass does a better job of picking good passwords than Apple, and it's designed for children. For the largest company on the planet, this is really, painfully, sad. In other news, this isn't a weakness in the crypto per se -- it's making a suggestion. The user still has the option of picking something more secure... so it's not entirely Apple's fault if your hotspot gets p0wned.

    --
    #fuckbeta #iamslashdot #dicemustdie
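
The size of the default scheme quoted in the comment above (a word from a 1,842-entry list plus four digits), worked through as an added example that is not part of the original thread or the researchers' paper. The function names, the shape-only regex (the word list itself is not reproduced) and the 20-character replacement length are assumptions made for illustration.

```python
import math
import re
import secrets
import string

WORDLIST_SIZE = 1842   # "default list of 1,842 words" (quoted in the comment)
SUFFIX_DIGITS = 4      # "random four-digit number"

# Shape check only: 4 to 6 letters followed by 4 digits. This flags any
# passphrase that fits the quoted pattern, whether or not its word is on the list.
DEFAULT_SHAPE = re.compile(r"[A-Za-z]{4,6}[0-9]{4}")

# Alphabet for replacement passphrases (assumption: letters and digits only,
# so the result is easy to type on any client device).
ALPHABET = string.ascii_letters + string.digits


def default_scheme_bits():
    """Entropy in bits of word-plus-digits defaults: log2(1842 * 10^4)."""
    return math.log2(WORDLIST_SIZE * 10 ** SUFFIX_DIGITS)


def random_passphrase_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)


def looks_like_default(psk):
    """True if the passphrase has the shape of a generated default."""
    return DEFAULT_SHAPE.fullmatch(psk) is not None


def generate_psk(length=20):
    """Random WPA2 passphrase; WPA2-PSK accepts 8 to 63 printable characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit(psk):
    """Classify a hotspot passphrase as 'invalid', 'default-shaped' or 'custom'."""
    if not 8 <= len(psk) <= 63:
        return "invalid"
    return "default-shaped" if looks_like_default(psk) else "custom"


if __name__ == "__main__":
    print(f"default scheme: {default_scheme_bits():.1f} bits")
    print(f"20 random chars: {random_passphrase_bits(20):.1f} bits")
    print(audit("table1234"), audit(generate_psk()))  # constructed sample input
```

The default scheme comes to roughly 24 bits, against roughly 119 bits for 20 random alphanumeric characters.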