Cracked in 60 seconds

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 20 Jun 2013

iPhone and iPad users making use of Apple's personal hotspot feature beware. Researchers at the University of Erlangen (FAU), in Germany, have uncovered a major flaw in the way iOS generates default passwords, leaving a user's device vulnerable to attacks.

When using a personal hotspot, iOS assigns a password that utilises a mixture of a short English-language word and a series of random numbers. According to the FAU's paper, entitled Usability vs Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots, this is woefully inadequate.

A user's personal hotspot password can be cracked in under one minute, reported appadvice.com. The publication said FAU researchers used an AMD Radeon HD 6990 to determine that Apple pulls from a list of a mere 1 842 words to generate these passwords. The time dropped to 50 seconds when researchers used a faster CPU.

According to Threatpost, mobile devices have a significant attack surface already, and this is further compounded by the myriad ways they are enabled to connect to the Internet - WiFi, Bluetooth, NFC, LTE, RFID, and standards such as GSM and CDMA. "Once the hotspot feature is enabled, a software-based access point churns up allowing other wireless devices to connect using PSK. This can lead to a number of additional risks, elevated by the weak passwords."

To execute such an attack, cyber criminals would need to monitor WiFi traffic and wait for an existing wireless client. Once connected, the client would have to re-authenticate, forcing the user to reconnect, thereby increasing the possibility of capturing the four-way handshake needed to recover the pre-shared key, or PSK.

The FAU added there are freely available tools for the attackers to carry out each step of the attack.

Public nightmare

The use of mobile hotspots in public places, where they can be accessed by any nearby device, has given rise to some new hotspot-specific threats. The FAU says if a mobile hotspot is compromised, attackers will immediately gain access to the existing Internet connection. "This poses a special risk, as the registered smartphone holder is responsible for the exchanged data."

Also, if a mobile hotspot is used to conduct any illegal activities by a malicious party, it is difficult to prove a compromise has occurred, as no relevant log files are recorded.

It adds that as most data plans are subject to limitations, if a certain data volume is exceeded, the bandwidth could be reduced until the end of the month, or the user could be slapped with additional fees.

Also concerning, should cyber criminals gain access to a mobile hotspot, they would have access to services running on the device. As many users transfer files from their PC to their phones for easy access while travelling, the device is used as a mobile flash drive. "These apps usually provide services to exchange files over the air using a Web browser, without requiring any cable-based synchronisation."

This results in file transfer apps becoming an HTTP service that provides a Web-based interface to upload and manage personal data files. Because these file-sharing services are bound to the wireless interface, they can be accessed via the mobile hotspot connection. In this way, any attacker breaching a mobile hotspot could have access to a user's personal files.

Password selection

To lessen the risk of such attacks, the FAU says system-generated passwords should be "reasonably long, and should use a reasonably large character set. Consequently, hotspot passwords should be composed of completely random sequences of letters, numbers, and special characters."

Because iOS doesn't provide this type of security, FAU advises that users should create their own password.

The FAU also advises replacing initial default passwords with user-defined strong and secure passwords, and says this is particularly relevant for mobile hotspot passwords. It added that because some mobile platforms display the number of connected clients on the lock screen, it is a good idea to check that screen for any anomalous activity from time to time.

Lastly, the paper advised that "hotspot capabilities of smart devices should be switched off every time when they are no longer needed, to keep the overall attack surface as minimal as possible".

"The process of selecting words from that word list is not random at all, resulting in a skewed frequency distribution and the possibility to compromise a hotspot connection in less than 50 seconds," the paper said. "Spot tests show that other mobile platforms are also affected by similar problems. We conclude that more care should be taken to create secure passwords even in PSK scenarios."
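An added example (not from the FAU paper or this article) that compares the keyspace of a "word plus digits" default with the fully random password the FAU recommends, flags passwords that still look like such a default, and generates a replacement. The four-digit suffix, the regex length bounds and all function names are assumptions; the article supplies only the 1 842-word list size.

```python
import math
import re
import secrets
import string

WORDLIST_SIZE = 1842   # word count reported in the article
ASSUMED_DIGITS = 4     # assumption: the article only says "a series of random numbers"

# WPA2-PSK passphrases are 8 to 63 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def default_scheme_bits(words=WORDLIST_SIZE, digits=ASSUMED_DIGITS):
    """Entropy of a 'word + digits' default if every choice were uniform.

    This is an upper bound: the paper says word selection is skewed,
    which lowers the real figure further.
    """
    return math.log2(words * 10 ** digits)


def random_scheme_bits(length, alphabet=ALPHABET):
    """Entropy of a password drawn uniformly at random from the alphabet."""
    return length * math.log2(len(alphabet))


def min_length_for(bits, alphabet=ALPHABET):
    """Shortest random passphrase reaching the target entropy (WPA2 minimum is 8)."""
    return max(8, math.ceil(bits / math.log2(len(alphabet))))


def looks_like_default(password):
    """Heuristic audit: a short lowercase word followed only by digits.

    The length bounds are assumed, not taken from the paper.
    """
    return re.fullmatch(r"[a-z]{3,8}\d{1,6}", password) is not None


def generate_psk(length=20, alphabet=ALPHABET):
    """Generate a hotspot passphrase from the OS CSPRNG, as the FAU recommends."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"word+digits default: about {default_scheme_bits():.1f} bits")
    print(f"20 random characters: about {random_scheme_bits(20):.1f} bits")
    print("replacement passphrase:", generate_psk())
```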