While Apple Inc. (NASDAQ:AAPL)’s lock-screen protection remains intact, once users beginning using their phone to tether their connection to another device, they shouldn’t be surprised if they find others using their connection. That’s probably not entirely accurate, chances are that if you are using your phone to use your laptop in a public place, there remains little chance that someone will “hack” your hotspot but in an announcement from security researchers, its certainly within the realm of possibilities.
PSK Authentication Method Used by Apple
“We investigate this trade-off by analyzing the PSK authentication method used by Apple Inc. (NASDAQ:AAPL) iOS to set up a secure WPA2 connection when using an iPhone as a Wi-Fi mobile hotspot. We show that Apple iOS generates weak default passwords which makes the mobile hotspot feature of Apple iOS susceptible to brute force attacks on the WPA2 handshake. More precisely, we observed that the generation of default passwords is based on a word list, of which only 1.842 entries are taken into consideration. In addition, the process of selecting words from that word list is not random at all, resulting in a skewed frequency distribution and the possibility to compromise a hotspot connection in less than 50 seconds.”
In layman’s terms, The iPhone is randomly selecting a word of 4 to 6 letters and then adds a number to the end of it. Something that should be difficult for someone to hack, that is until you come to fact that Apple Inc. (NASDAQ:AAPL) is using a “random” word from a dictionary of less than 2000 words.
The bigger problem, or mild embarrassment for Apple Inc. (NASDAQ:AAPL), is the fact that the researchers identified the dictionary. They also discovered that the word chosen from this list was hardly random at all. The report suggests that because of this a brute force attack is child’s play for someone who knows how to do this and can result in your hotspot password becoming known to an attacker in 24 seconds.
Ultimately, while embarrassing to read, Apple Inc. (NASDAQ:AAPL) will have plenty of time to correct this issue before iOS is released in the fall. In theory, Apple Inc. (NASDAQ:AAPL) need only move to a larger dictionary, though as Tim Worstall points out in a recent Forbes’ piece, a longer letter and number stream would help to close this window. I can’t help but think that users would prefer a longer password to one that is so obviously insecure.