

Usability vs. Security in the Context of Apple iOS Mobile Hotspots - FredericJ
https://www1.cs.fau.de/hotspot

======
akent
The real weakness is because iOS default / suggested passphrases aren't very
secure: "As the hotspot wordlist consists of only 1842 entries followed by a
four-digit number, there are only around 18.5 million possible combinations."

------
taylorfausak
At first, I figured this could be used as a case against Randall Munroe's
password generation algorithm [1]. But it looks like the problem is with
Apple's implementation, not with the method. The abstract claims that "the
process of selecting words from that word list is not random at all". I
wondered how not-random the selection was. The paper says: "words from this
Top 10 list are ten times more likely to be selected as a default password".
The word frequency distribution graph [2] is pretty damning.

[1]: [http://xkcd.com/936/](http://xkcd.com/936/) [2]:
[http://imgur.com/nAKkPe3](http://imgur.com/nAKkPe3)

------
foxhop
Nothing in the article talks specifically about the word list coming from
either scrabble or crossword.

I wrote a scrabble / boggle solver web app and used the built-in dictionary
provided with my Linux distribution.

Check it out at [http://words.gumyum.com](http://words.gumyum.com) [source-
code]

The hotspot cracker appears to use a similar algorithm.

~~~
teraflop
Yes it does: "After retrieving several hotspot passwords by manually resetting
the hotspot settings, we revealed a word list on the Internet, which contained
all our collected samples. This list consists of around 52,500 entries and was
originated from an open-source Scrabble crossword game[20]."

------
RLN
Interesting but the danger appears to be slightly overblown:

>A GPU cluster composed of four AMD Radeon™ HD 7970 can cycle through around
390.000 guesses per second. As the hotspot wordlist consists of only 1.842
entries followed by a four-digit number, there are only around 18.5 million
possible combinations. This means, that a GPU cluster will crack an arbitrary
password in less than 50 seconds.

Being in range of a hotspot in with that kind of hardware reliably and for any
length of time is going to be difficult. Yes it's insecure but not to someone
on the street attacking it with just their phone.

~~~
d0ne
No need for the GPU cluster to be in range. A mobile device with 4G can
communicate with a networked GPU cluster at speeds fast enough to pipe the
data needed.

------
orofino
I've since changed the password, but I believe this may be fixed in iOS 7. I
seem to recall some thoroughly random password after install.

~~~
silencio
My default hotspot password in iOS 7 right now is "min1bt3456mi" which is
improved over what I recall was the default (along the lines of "foobar1234").
Hopefully the actual password generation is improved too.

------
nrj
It seems to be using a private API method of UITextChecker. [checker
suggestWordInLanguage:@"en_US"]; to generate each word in the list. Can anyone
explain what this method is actually doing? It doesn't take any sort of
argument (other than language), does it literally just give you a random
english word?

~~~
drewcrawford
Per [1], it seems that the method in question is some sort of Markov generator
that Apple uses to generate the passwords in the first place.

[1]
[https://www1.cs.fau.de/filepool/projects/hotspot/hotspot.pdf](https://www1.cs.fau.de/filepool/projects/hotspot/hotspot.pdf)

------
chris_wot
I've always considered personal hotspot default passwords to be insecure.
Ironically, I've never changed my iPhones default password. Thank goodness for
poor coverage on Australia's CityRail network, I suppose...

