If you're an iPhone or iPad owner who uses hotspot mode but never bothered to change the seemingly-random password suggested by iOS, now is definitely a good time. German researchers have discovered (pdf) the passwords iOS issues can be easily predicted, allowing them to be cracked in as little as one minute using consumer hardware.
The algorithm iOS uses to generate hotspot keys takes a dictionary word, adds a couple of numbers and voila -- an easily memorable password is born. The problem though, is despite the endless variety of words available in the English language, iOS draws its password inspiration from a narrow selection of just 1,842 words.
The second issue is certain words appear several times more frequently than other words. For example, out of nearly 2,000 words, "suave" had a 1-in-125 chance of being used. Meanwhile, "macaws" -- the tenth most-likely word to be used -- appeared 1-in-345 times. Knowing iOS' preferred word selection allows brute force crackers to start with the most common ones first, further reducing the time needed.
A PC armed with a Radeon HD 6990 GPU was able to crack the average iPhone hotspot in 52 seconds while four Radeon HD 7970s yielded an average of just 24 seconds. GPUs are favored amongst crackers for their ability to perform massively parallell computations.
Although researchers revealed how easily an iOS-generated hotspot password can be brute forced, other exploits like attacking iOS' PSK authentication method help to facilitate the process. Because handheld devices aren't equipped with high-end GPUs, researchers even discussed offloading the computational work to a cloud-based service like CloudCracker for cracking hotspots on-the-go.
Of course, Apple doesn't have a monopoly on devices with easily cracked hotspot passwords. Windows Phone and some Android handsets don't fare much better.
Windows Phone, for example, auto-generates hotspot passwords consisting of eight numbers. This means you already know what the password could be, making Windows Phone susceptible to brute force attacks. More research may reveal an additional weakness though, which could narrow that selection of 10^8 possibilities down to something even more tractable.
Meanwhile, Android's default password generator conjures sufficiently strong passwords, but some vendors have taken the liberty of greatly reducing its effectiveness. "Android-based models of the smartphone and tablet manufacturer HTC are even shipped with constant default passwords consisting of a static string (1234567890)" researchers noted.
When boiled down to its nuts and bolts though, the moral of this story is probably this: always create your own passwords, provided you follow some of the basic principles for creating strong ones.
