Tethered and vulnerable: Hotspot password FAIL not just in iPhones The recent discovery that Apple's iOS hotspot passwords are readily crackable in under 50 seconds is part of a wider problem involving other smartphone platforms, claim researchers. As recently reported by El Reg and others, a team of security researchers discovered from the University of Erlangen, Germany discovered that …
Punching someone in the face only takes a second. When you're using a ring of GPUs to do your cracking, that's brute force.
The question is, how useful is it? Are smartphone hotspots usually used as temporary access points, as they were designed to be, or is there a lot of de facto infrastructure being built with them?
If I'm creating a hotspot to use for a few hours, and the next time I do it will be at a different time in a different place with a new password, there's not much opportunity here -- unless you want to lug a powerful workstation around, following smartphone owners around in the hopes that they'll decide to do some tethering.
But if users are creating these hotspots and keeping them open for days or more without changing the password, then there's some risk -- about the same risk as that posed by all the public wifi networks out there.
It's only for a few hours so you don't think there's a risk? Who is going to follow smartphone owners around with a powerful workstation?
You can get laptops with quite powerful GPUs on board and I'm sure it would be possible to pass some of the processing off to AWS or Azure negating the need for any local GPU resources. I'm betting a lot of the time people use personal hotspots is in airports and train stations. Sitting there using a laptop for hours is not going to arouse suspicion and would enable the hacker to connect to a lot of hotspots.
It takes less than a minute to crack the password. Then all it takes is for you to check your email and they can get that password or steal a session cookie. From there it's all over. While you are on your flight or train they can be resetting your online banking password, opening credit cards in your name and whatever else they want to do.
"Using a default password".
You're an idiot. Don't. Set one yourself, don't rely on things to do it for you (and turn off all that WPS junk that does the same because it has the same kind of weaknesses).
Additionally, if someone really wants to spend 100 days brute-forcing your key, or use dozens of GPU's to do so, then you do need to think a little more carefully about what you're setting up in the first place. I.e. don't trust the wireless network at all and use a proper VPN setup - something which is stupidly cheap nowadays and is pretty much unbreakable. (Hint: VPS with OpenVPN for those with a brain, hosted OpenVPN service for those without).
"Anyone who knows your WPA key"
Game over. Before you start. Of course they can decrypt your communications, or just pretend to be the AP you're looking for.
DON'T TRUST WIFI NETWORKS. Trust your encrypted, authenticated, verifiably-unbreakable layer that lays over the top of whatever communications medium you have for virtually ZERO overhead on a modern machine.
You are correct but you are preaching to the choir. The issue is the tens or hundreds of millions of people who don't know and are never going to learn or implement security beyond the default settings in their device. It is not an issue of hardware choice or fandom, it is the age old 'the user is the problem' problem.
"The issue is the tens or hundreds of millions of people who don't know and are never going to learn or implement security beyond the default settings in their device."
And what is the likelihood of somebody nearby deciding to perform a brute force attack on ones WiFi tethering password? It will happen, of course, but is this something the average person must be concerned about as a practical threat?
"If Apple was using words from this list in combination with a four digit number (which multiples the range of possible combinations by 10,000) then they were using a range of just 52 million possible passphrases."
I have a problem here. For me, 52,000 x 10,000 = 520,000,000, not 52,000,000
Anyone care to double-check ?
this is, readers of this website are more than likely to be fully aware of the importance of setting your own, strong password.
so why are we reading this story?
the types of people who need to hear this are the non-techie types. i'm not really sure they're likely to ever need to set up a personal hotspot. they'll just wait until they get home.
Who would leave their hotspot running on their phone for long enough for it to be targeted anyway?
Seriously, it drains battery fast, always shows up in the notification area so you can't forget...
Just use a non-default password and only turn it on when you need it..
It's not like this is a story about passwords on routers being predictable (although that has happened too!).
Convenience. You're talking about a consumer market that wants it now they don't want to fiddle with settings everytime. It is answering those calls to convenience that make a product a best seller, it is also what causes security holes like this.
Customer demands are often insane and nearly impossible to implement at a given price point. There's an old saying 'business is great, except for the damn customers', it applies here.
Both my Xperias (Mini Pro (not X10) and U) offer hotspot functions. Dead easy to use. The problem is when you connect a WWindows machine to the internet - a lot of things think it is a free-for-all when it comes to data. Are there updates? Should something be downloaded? Windows itself and the antivirus are the worst offenders, but every so often Firefox tells me if stuff has been updated, blah blah.
On WiFi, it's no big deal. On mobile comms, it is unncessary deductions from the monthly allocation. I played with the hotspot function once, but really, there's practially nothing I can't do on my phone and should something not be possible on the phone, I can wait until I'm back on WiFi...
That said, it seems as if the basic advice is "use a good password" and not the defaults. Duh.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
