Researchers Crack iOS-Generated Hotspot Passwords in 50 Seconds

by

personalhotspotWhen tethering an iPhone or an iPad, iOS users have the option of using an automatically generated password for their personal hotspots, which Apple implemented to provide all users with a secure password option.

According to researchers at Germany's University of Erlangen (via ZDNeT), the way that the keys are generated – with a combination of a short English word along with random numbers – is predictable to the point where the researchers are able to crack the hotspot password in less than a minute.

In their paper, the three researchers detail the process that they used to figure out the weak spots in the hotspot's protection. Apple's word list uses approximately 52,500 entries, so initially, cracking the hotspot took almost 50 minutes. After finding a WiFi connection, the researchers used an AMD Radeon HD 6990 GPU to run through word and number combinations.

"This list consists of around 52,500 entries, and was originated from an open-source Scrabble crossword game. Using this unofficial Scrabble word list within offline dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password," the researchers wrote.

The team discovered that only a small set of Apple's larger word list was being used, so with GPU cluster of four AMD Radeon HD 7970s, they narrowed their iOS-generated hotspot password cracking time down to just 50 seconds. In the paper, the team goes on to criticize Apple's password generation standards, suggesting that system generated passwords be composed of random letters and numbers.

"In the context of mobile hotspots, there is no need to create easily memorizable passwords. After a device has been paired once by typing out the displayed hotspot password, the entered credentials are usually cached within the associating device, and are reused within subsequent connections," the paper states.

"System-generated passwords should be reasonably long, and should use a reasonably large character set. Consequently, hotspot passwords should be composed of completely random sequences of letters, numbers, and special characters."

As noted by ZDNet though Apple's password generation system is flawed, it is a more robust solution than what is used by other companies like Microsoft. For example, the Windows 8 phone utilizes default passwords that consist of eight digit numbers.

To avoid a weak iPhone hotspot password, users can still choose to use passwords of their own creation, which should contain a sequence of random numbers and letters for enhanced security.

Popular Stories

cook trump

Trump Responds to Apple Keeping Diversity Policies

Wednesday February 26, 2025 6:32 am PST by
In an all-caps post on Truth Social today, U.S. President Donald Trump said Apple should fully end its diversity, equity, and inclusion (DEI) policies. Tim Cook meeting with President Trump in 2017 "APPLE SHOULD GET RID OF DEI RULES, NOT JUST MAKE ADJUSTMENTS TO THEM," he wrote. Trump's post comes one day after Apple held its annual shareholders meeting, during which a majority of...
Read Full Article440 comments
iOS 18

Apple Says iOS 18.4 Will Be Released in April With These New Features

Wednesday February 26, 2025 7:15 am PST by
In a recent press release, Apple confirmed that iOS 18.4 will be released in April. From the Apple News+ Food announcement:Coming with iOS 18.4 and iPadOS 18.4 in April, Apple News+ subscribers will have access to Apple News+ Food, a new section that will feature tens of thousands of recipes — as well as stories about restaurants, healthy eating, kitchen essentials, and more — from the...
Read Full Article43 comments
apple watch ultra snow

6 Features Coming to the Apple Watch Ultra 3

Tuesday February 25, 2025 9:00 am PST by
The Apple Watch Ultra 3 is expected to launch later this year, arriving two years after the previous model with a series of improvements. While no noticeable design changes are expected for the third generation since the company tends to stick with the same Apple Watch design through three generations before changing it, there are a series of internal upgrades on the way. By the time the ...
Read Full Article192 comments
iPhone Fold Vertical Feature

Apple's 2026 Foldable iPhone Has No Visible Display Crease – Report

Tuesday February 25, 2025 2:58 am PST by
Apple is making significant headway on its long-rumored foldable iPhone, with a new report suggesting the company has achieved a major breakthrough by effectively eliminating the screen crease that plagues current foldable devices. According to Korean publication ETNews, Apple is finalizing its component suppliers for the foldable iPhone, with the selection process expected to be completed...
Read Full Article226 comments
trump iphone dictation issue

Apple Fixing 'Trump' Dictation Processing Bug

Tuesday February 25, 2025 1:18 pm PST by
Multiple iPhone owners today noticed a pronunciation processing issue that causes the word "Trump" to momentarily show up when using dictation to send a message with the word "racist." In some cases, when speaking the word racist through the iPhone's built-in dictation feature, the iPhone briefly interprets the spoken word as "Trump" and "Trump" text shows up in the Messages app before being ...
Read Full Article368 comments
airpods pro purple

Here's When AirPods Pro 3 Are Rumored to Launch

Monday February 24, 2025 9:14 am PST by
According to a post on X today from a leaker known as Kosutami, Apple plans to launch AirPods Pro 3 in May or June this year. The leaker also claimed that an AirTag 2 will launch around the same time. Kosutami is best known as a collector of prototype Apple hardware, but they have occasionally shared accurate information about Apple's future product plans. For example, they accurately...
Read Full Article
airtag orange

AirTag 2 Rumored to Launch in May or June With These New Features

Monday February 24, 2025 6:11 am PST by
Apple plans to launch a second-generation AirTag in May or June this year, according to a post today from a leaker known as Kosutami. Bloomberg's Mark Gurman previously reported that a new AirTag would be released in mid-2025. May or June would align with that timeframe. Below, we recap three new features rumored for the AirTag 2: With a second-generation Ultra Wideband chip, the...
Read Full Article58 comments
ios 18 4 carplay

iOS 18.4 Includes a Small But Useful Change for CarPlay

Sunday February 23, 2025 2:23 pm PST by
The first beta of iOS 18.4 is now available, and it includes a small but useful change for CarPlay. As we noted in our list of iOS 18.4 features, CarPlay now shows a third row of icons, up from two rows previously. However, this change is only visible in vehicles with a larger center display. For example, a MacRumors Forums member noticed the change in a Toyota Tundra, which can be equipped...
Read Full Article107 comments

Top Rated Comments

cutmoney Avatar
cutmoney
153 months ago
Wow, I guess next time I setup a personal hotspot to check my email on my laptop, I'd better watch out for someone nearby with a "GPU cluster of four AMD Radeon HD 7970s". I mean seriously, who sets up a wireless hotspot on their iPhone using the password generator and then transmits some sensitive data which is at risk of (and in range of) some hacker that would have the ability (or desire) to crack their wireless hotspot security? It's hard enough to even get people to turn on any security much less worry about whether it could potentially be hacked. These "researchers" need to spend their time on something more useful.
Score: 13 Votes (Like | Disagree)
Walter White Avatar
Walter White
153 months ago
I always use my birthdate as password.
Score: 12 Votes (Like | Disagree)
kkat69 Avatar
kkat69
153 months ago
Mines easy, no need for massive data crunching... 1-2-3-4-5. I use the same on my luggage.
Score: 10 Votes (Like | Disagree)
MaxxTraxx Avatar
MaxxTraxx
153 months ago
I can imagine folks just roaming airports with these AMD systems looking for iPhone passwords.
Score: 10 Votes (Like | Disagree)
ziggyonice Avatar
ziggyonice
153 months ago
This does not appear to be an issue in iOS 7.

The passwords generated in the beta are not based on dictionary words and are considerably more randomized.
Score: 9 Votes (Like | Disagree)
Menel Avatar
Menel
153 months ago
" so with GPU cluster of four AMD Radeon HD 7970s"

Using my iPad out in a park away from building WIFI. I think that, with a gas generator out in a park might be obvious and suspicious...

Also, use Bluetooth. The connection is persistent. iPad reconnects without fiddling with Phone because the phone doesn't idle it's bluetooth like it does WIFI. Also more secure as you will have to manually approve the connection. Problem solved, and everything fixed.
Score: 9 Votes (Like | Disagree)
Read All Comments