Apple iOS has a serious password problem.
Researchers have found a vulnerability in the automatically generated pre-shared keys that are used in Apple hotspots. This flaw could result in an easy hack that could take seconds.
Under iOS, users have the option to specify their own passwords to secure their device when it is used as a personal hotspot. However, for convenience and security, Apple initially populates the password field with an automatically generated password. However, according to three researchers from the German university, the method in which these passwords are generated leaves them vulnerable to attack.
In other words, a system that was supposed to protect even the least security-aware among iOS users is actually putting them more at risk.
One of the ways this system makes it easy for hackers is because there are a limited number of passwords that can be generated – just 52,500 words. For a hacker who is using a computer program to generate potential passwords, the chances of him hitting the right password are 100 percent. Making it even easier for the hackers is that the system doesn’t appear to be utilizing all of the password options. Rather, it randomly is choosing among fewer than 2,000 passwords (kind of like the random music select on your mp3 player – you keep getting the same six songs on your playlist of thousands).
The real problem here, Forbes pointed out, isn’t so much the limited password choice, but that they are real dictionary words (or, more directly, words from an open-source Scrabble game). By simply changing a few words into nonsense words, the hacking ability landscape totally changes. Expanding the number of words used for potential passwords and making sure that random really means random among all of the words will also make it more difficult for hackers. The question is whether Apple will follow through on the fix in the iOS 7 version or sooner.
Now, it is important to remember that this doesn’t involve the general user-generated passwords on the devices. This is only if the device is being used as a tether for a Wi-Fi hotspot. But if your employees are linking their Wi-Fi-only devices to their iPhones in order to log into the corporate network, you may have a problem on your hands.