Feeds

back to article Tethered and vulnerable: Hotspot password FAIL not just in iPhones

The recent discovery that Apple's iOS hotspot passwords are readily crackable in under 50 seconds is part of a wider problem involving other smartphone platforms, claim researchers. As recently reported by El Reg and others, a team of security researchers discovered from the University of Erlangen, Germany discovered that …

COMMENTS

This topic is closed for new posts.
Facepalm

one of the problems of selling to a non tech end user

Is that you need to keep stuff really simple.

And this is the end result.

2
2
Paris Hilton

Re: one of the problems of selling to a non tech end user

You say Android has weak hotspot password generator? Oh no, I've not got one of those, I've got a Samsung Galaxy.

What's a hotspot?

2
0
Bronze badge
Thumb Down

Re: one of the problems of selling to a non tech end user

What's a hotspot not?

Not a good spot.

4
0
Anonymous Coward

Re: one of the problems of selling to a non tech end user

Actually, I have an old Sony Xperia X10 mini pro, and that's even safer on account of not having a personal hotspot facility at all. As it mainly lives in a box as a backup phone I've never bothered to find one either..

0
0

I'm not sure it counts as brute force

When it takes less than a minute. Maybe it could be described as "delicate force"

1
0
Silver badge
Meh

Re: I'm not sure it counts as brute force

Punching someone in the face only takes a second. When you're using a ring of GPUs to do your cracking, that's brute force.

The question is, how useful is it? Are smartphone hotspots usually used as temporary access points, as they were designed to be, or is there a lot of de facto infrastructure being built with them?

If I'm creating a hotspot to use for a few hours, and the next time I do it will be at a different time in a different place with a new password, there's not much opportunity here -- unless you want to lug a powerful workstation around, following smartphone owners around in the hopes that they'll decide to do some tethering.

But if users are creating these hotspots and keeping them open for days or more without changing the password, then there's some risk -- about the same risk as that posed by all the public wifi networks out there.

2
0
Silver badge

Re: I'm not sure it counts as brute force

It's only for a few hours so you don't think there's a risk? Who is going to follow smartphone owners around with a powerful workstation?

You can get laptops with quite powerful GPUs on board and I'm sure it would be possible to pass some of the processing off to AWS or Azure negating the need for any local GPU resources. I'm betting a lot of the time people use personal hotspots is in airports and train stations. Sitting there using a laptop for hours is not going to arouse suspicion and would enable the hacker to connect to a lot of hotspots.

It takes less than a minute to crack the password. Then all it takes is for you to check your email and they can get that password or steal a session cookie. From there it's all over. While you are on your flight or train they can be resetting your online banking password, opening credit cards in your name and whatever else they want to do.

1
0
Wam

Reasonable Default (if I keep it)

I have been offered 12 random hex digits by my Galaxy S3 as a default hotspot key - but I can change it to Pa55w0rd if I so choose ....

0
1
Bronze badge

Re: Reasonable Default (if I keep it)

It's a well known fact that if you want to be able to remember your password you should always use "********".

2
0
Silver badge
Joke

default passwords consisting of ... 1234567890

Damn - I was going to use that password!

0
0
Anonymous Coward

Re: default passwords consisting of ... 1234567890

Now I need to change the combination on my air-shield. Damn you President Scroob!

<- Anon to prevent the Spaceballs from attacking my planet.

0
0
Bronze badge

"Using a default password".

You're an idiot. Don't. Set one yourself, don't rely on things to do it for you (and turn off all that WPS junk that does the same because it has the same kind of weaknesses).

Additionally, if someone really wants to spend 100 days brute-forcing your key, or use dozens of GPU's to do so, then you do need to think a little more carefully about what you're setting up in the first place. I.e. don't trust the wireless network at all and use a proper VPN setup - something which is stupidly cheap nowadays and is pretty much unbreakable. (Hint: VPS with OpenVPN for those with a brain, hosted OpenVPN service for those without).

"Anyone who knows your WPA key"

Game over. Before you start. Of course they can decrypt your communications, or just pretend to be the AP you're looking for.

DON'T TRUST WIFI NETWORKS. Trust your encrypted, authenticated, verifiably-unbreakable layer that lays over the top of whatever communications medium you have for virtually ZERO overhead on a modern machine.

2
2
Silver badge
Happy

You are correct but you are preaching to the choir. The issue is the tens or hundreds of millions of people who don't know and are never going to learn or implement security beyond the default settings in their device. It is not an issue of hardware choice or fandom, it is the age old 'the user is the problem' problem.

1
1
Silver badge

"The issue is the tens or hundreds of millions of people who don't know and are never going to learn or implement security beyond the default settings in their device."

And what is the likelihood of somebody nearby deciding to perform a brute force attack on ones WiFi tethering password? It will happen, of course, but is this something the average person must be concerned about as a practical threat?

0
0
Silver badge

"If Apple was using words from this list in combination with a four digit number (which multiples the range of possible combinations by 10,000) then they were using a range of just 52 million possible passphrases."

I have a problem here. For me, 52,000 x 10,000 = 520,000,000, not 52,000,000

Anyone care to double-check ?

2
0
jai
Silver badge

wrong target audience?

this is, readers of this website are more than likely to be fully aware of the importance of setting your own, strong password.

so why are we reading this story?

the types of people who need to hear this are the non-techie types. i'm not really sure they're likely to ever need to set up a personal hotspot. they'll just wait until they get home.

0
0
Silver badge

Non-story

Who would leave their hotspot running on their phone for long enough for it to be targeted anyway?

Seriously, it drains battery fast, always shows up in the notification area so you can't forget...

Just use a non-default password and only turn it on when you need it..

It's not like this is a story about passwords on routers being predictable (although that has happened too!).

1
1
Silver badge
Happy

Re: Non-story

Convenience. You're talking about a consumer market that wants it now they don't want to fiddle with settings everytime. It is answering those calls to convenience that make a product a best seller, it is also what causes security holes like this.

Customer demands are often insane and nearly impossible to implement at a given price point. There's an old saying 'business is great, except for the damn customers', it applies here.

0
0
Silver badge

Huh, I thought WPA2 fixed the little "sniff one packet and spend a week busting the key at lightning speed" bug that was in WPA?

Of course I could be wrong. Of course, some people still set their access points up as WEP, which really is game over before you even start.

0
0
Silver badge

Nothing wrong with the WiFi security it's the stupid, predictable default passwords that are the issue.

You can have the best security in the world but, as the NSA can attest, if the password is 1234 then someone is going to walk with all your secrets!

0
0
Bronze badge
Mushroom

Isn't about time the death penalty was introduced for writing this sort of code?

The password generation bits, not the cracking ones.

0
0
h3
Bronze badge

Does Eadon work for the register now then ? (Title looks exactly like one he might have used). Perhaps Eadon was the alter ego of the article submitter.

0
0
Anonymous Coward

They DID hire him!

Eadon is now Chief Windows Trollmaster as they needed someone to help increase traffic on the comments pages

0
0
Silver badge

Hotspot on my phone? No thanks!

Both my Xperias (Mini Pro (not X10) and U) offer hotspot functions. Dead easy to use. The problem is when you connect a WWindows machine to the internet - a lot of things think it is a free-for-all when it comes to data. Are there updates? Should something be downloaded? Windows itself and the antivirus are the worst offenders, but every so often Firefox tells me if stuff has been updated, blah blah.

On WiFi, it's no big deal. On mobile comms, it is unncessary deductions from the monthly allocation. I played with the hotspot function once, but really, there's practially nothing I can't do on my phone and should something not be possible on the phone, I can wait until I'm back on WiFi...

That said, it seems as if the basic advice is "use a good password" and not the defaults. Duh.

0
0
Silver badge

Re: Hotspot on my phone? No thanks!

Well, right now and for whatever reasons, my phone company is my ISP. The hotspot feature is not only useful, but essential.

As is an unlimited traffic allowance that actually means unlimited.

0
0
This topic is closed for new posts.