Anatomy of a cryptoglitch - Apple's iOS hotspot passphrases crackable in 50 seconds

Filed Under: Apple, Cryptography, Data loss, Featured

A posse of computer scientists at the University of Erlangen in Germany has published a well-worth-reading paper about Wi-Fi security on Apple's iOS.

In the hope that you'll end up reading the original paper, in order to give Messrs Metz, Freiling and Kurtz, the authors, the click-respect they deserve, I'll tell you briefly what they found.

The scenario

Apple iDevices with 3G support can be used as Wi-Fi access points.

Many users turn this feature on and off while they're out-and-about, for example to help friends and colleagues jump online at the coffee shop.

For this reason, iOS calls the feature "Personal Hotspot."

Hotspots are meant to be easy to use, so Apple included a feature that lets you automatically generate a WPA passphrase that you can read out to your friends and that they can type in easily.

The passphrase, of course, is also supposed to be reasonably secure, so that the guys sitting at the next table can't crack it and then decrypt all your network traffic, possibly even as you sit there and work.

Apple's iOS passphrase generator therefore creates a pronounceable string of up to six characters, and combines it with a four digit number for the sake of variety.

The assumuptions

If we reasonably but naively assume that 1% of all six-character strings are suitably pronounceable, that gives a choice of 0.01 x 266 x 10,000 passwords, or 30 billion (US billions, i.e. 30 x 109).

And if we reasonably but naively assume that a half-decent laptop can test 3000 WPA keys per second against a sniffed Wi-Fi session, that means about 120 days to complete an exhaustive check of all possible passwords.

→ Note that to recover WPA passwords an attacker needs to be sniffing packets when you first connect, and to capture the so-called authentication handshake at the start of the session. At a coffee shop, you should assume an adversary will acquire your authentication packets.

First looks

Kurtz, Freiling and Metz [KFM] didn't just assume: like good researchers, they set out to investigate.

First, they clicked the iOS option a few times to generate some Personal Hotspot passphrases.

The pronounceable strings looked like words, so they wrote them down and searched on the internet to see whether those words appeared together in a downloadable list.

Bingo! (Or, more accurately, Scrabble!)

They found a word list, extracted from an open source Scrabble game, consisting of 52,000 words that always seemed to include the ones generated by iOS.

That meant just 52,000 words x 10,000 digit combinations, for a grand total of 52 million possible passphrases.

That would take five hours to crack on a laptop CPU at 3000 WPA keys/second, or 50 minutes (six times faster) using a modest graphics card.

→ WPA password cracking requires you to salt and hash each potential passphrase into a 256-bit master key using the PBKDF2 algorithm. This is deliberately designed to be slow, requiring approximately 16,000 iterations of the SHA-1 hash function for each passphrase you try. Nevertheless, SHA-1 calculations can be sped up dramatically using Graphics Processing Units (GPUs).

Under the surface

Guessing that Apple wasn't using the Scrabble game data in its passphrase generator, KFM decided to see if they could narrow down their 52,000-word dictionary.

Disassembling the passphrase generator code in iOS, they found that it worked like this:

  • Feed a pseudorandom non-word into the spelling checker and see what comes back.
  • Append four pseudorandom digits.

The code instructs the spelling checker to restrict its choices to words of four to six letters in length.

Now consider that when you feed a pseudorandom string into a spelling checker, you won't get a pseudorandom result.

There isn't a straightforward and consistent mapping between the set of possible unpronounceable words and all known words, at least in the English language.

So KFM wrote their own implementation of the passphrase generation code and ran it 100 million times with pseudorandom input.

Only 1842 different words came back, with some of them very much more likely than others.

Ouch!

Now, only 18 million possible passphrases remained!

KFM then tried a four-GPU rig of slightly more powerful graphics cards - something many attackers would have access to - and found that they needed just 50 seconds to churn through all possible hotspot passphrases and thus to guarantee a crack.

The problem

If you're like me, you'll prefer to use your own Personal Hotspot even when password-protected free Wi-Fi is available, on the grounds that other people who already know the WPA password can intercept your handshake and then read all your traffic in real time.

That makes the passphrase choice for your Personal Hotspot as important as the passphrase you choose for your fixed-line Wi-Fi router at home.

Unfortunately, while Apple's automatic passphrase generator for iOS may give the impression of "pronounceable randomness," it actually gives a false sense of security because it is far too predictable.

→ Ironically, if iOS generated passcodes of only seven digits (for 10 million possible passcodes), you might consider it safer, if no more secure, since at least there would be no false sense of security. The limitation would be self-documenting.

What to do about it

The lessons we can learn from this are:

  • Algorithms which look cryptographically reasonable from a few sample runs may turn out to be completely flawed.
  • Community cryptographic testing and peer review are vitally important, so avoid proprietary algorithms if you can.
  • Spelling checkers aren't supposed to be pseudrandom generators.
  • Anyone who knows your WPA key and is around when you connect to your network can decrypt your traffic in real time.
  • Anyone who is around when you connect and can sniff your traffic can attempt to crack the password and decrypt your traffic later.
  • Choose your own passphrase, and make it a good one, when using iOS's Personal Hotspot.

Further information

We recently made a short video on the topic of personal Wi-Fi security.

We included a section giving you some practical and visual advice on how to choose and remember decent WPA Wi-Fi passphrases [click the Captions icon during playback for closed captions]:

Enjoy the video, and be careful out there!

, , , , , , , , , ,

You might like

6 Responses to Anatomy of a cryptoglitch - Apple's iOS hotspot passphrases crackable in 50 seconds

  1. iOS rules · 433 days ago

    Wow, I guess next time I setup a personal hotspot to check my email on my iPhone I guess I'd better watch out for someone nearby with a "GPU cluster of four AMD Radeon HD 7970s". Wonder how they run the generators in a coffee shop?

    iOS 6 Users User's can input their own complex passwords so only a fool would be in the position to fall prey to these three clowns, and even with auto generated password it's still better than Windows 8 phone which utilizes default passwords that consist of eight digit numbers. Now that's weak tea!

    where's the credibility? only an uneducated IT guy would believe this tripe.

    • Paul Ducklin · 433 days ago

      You probably should have read to the end of the article, where I explicitly warn that "anyone who is around when you connect and can sniff your traffic can attempt to crack the password *and decrypt your traffic later*."

      So you don't need four GPUs at the coffee shop, just a Bitcoin mining rig at home. (Also, you can just upload the handshake packets to your home server and crack the password elsewhere. Or crack it with one GPU in your laptop in tens of minutes.)

      I also explicitly suggested, "Choose your own passphrase, and make it a good one, when using iOS's Personal Hotspot."

      Lastly, just to be strictly accurate, even the Windows 8 eight-digit passwords are *stronger* tea than Apple's. With eight digits there are 100 million possible passwords, more than five times as many as in Apple's more secure looking generator :-) Anyway, two wrongs don't make a right...

      • Gavin · 431 days ago

        Additionally I just noticed the US-CERT's vulnerability summary for CVE-2013-4622 from Wednesday June 19th. It has the following description:

        "The 3G Mobile Hotspot feature on the HTC Droid Incredible has a default WPA2 PSK passphrase of 1234567890, which makes it easier for remote attackers to obtain access by leveraging a position within the WLAN coverage area."

        So this seems like a problem common to a bunch of different vendors. I wonder why they all took such a lax stance on hotspot password security? Great article as always!

  2. What about Bluetooth · 433 days ago

    I understand that this article was in regards to weaknesses in the Personal Hotspot WiFi access point, but I was wondering: how does the Personal Hotspot's Bluetooth implementation compare with it's WiFi implementation when it comes to security? Are there security concerns related to connecting via Bluetooth?

  3. Jack Wilborn · 430 days ago

    Great article, keep it up...

    Jack

  4. CuteMushroom · 429 days ago

    Nice article. I even made a cartoon out of it!

    Hotspot woes

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog