Anatomy of a cryptoglitch – Apple’s iOS hotspot passphrases crackable in 50 seconds


A posse of computer scientists at the University of Erlangen in Germany has published a well-worth-reading paper about Wi-Fi security on Apple’s iOS.

In the hope that you’ll end up reading the original paper, in order to give Messrs Metz, Freiling and Kurtz, the authors, the click-respect they deserve, I’ll tell you briefly what they found.

The scenario

Apple iDevices with 3G support can be used as Wi-Fi access points.

Many users turn this feature on and off while they’re out-and-about, for example to help friends and colleagues jump online at the coffee shop.

For this reason, iOS calls the feature “Personal Hotspot.”

Hotspots are meant to be easy to use, so Apple included a feature that lets you automatically generate a WPA passphrase that you can read out to your friends and that they can type in easily.

The passphrase, of course, is also supposed to be reasonably secure, so that the guys sitting at the next table can’t crack it and then decrypt all your network traffic, possibly even as you sit there and work.

Apple’s iOS passphrase generator therefore creates a pronounceable string of up to six characters, and combines it with a four digit number for the sake of variety.

The assumuptions

If we reasonably but naively assume that 1% of all six-character strings are suitably pronounceable, that gives a choice of 0.01 x 266 x 10,000 passwords, or 30 billion (US billions, i.e. 30 x 109).

And if we reasonably but naively assume that a half-decent laptop can test 3000 WPA keys per second against a sniffed Wi-Fi session, that means about 120 days to complete an exhaustive check of all possible passwords.

→ Note that to recover WPA passwords an attacker needs to be sniffing packets when you first connect, and to capture the so-called authentication handshake at the start of the session. At a coffee shop, you should assume an adversary will acquire your authentication packets.

First looks

Kurtz, Freiling and Metz [KFM] didn’t just assume: like good researchers, they set out to investigate.

First, they clicked the iOS option a few times to generate some Personal Hotspot passphrases.

The pronounceable strings looked like words, so they wrote them down and searched on the internet to see whether those words appeared together in a downloadable list.

Bingo! (Or, more accurately, Scrabble!)

They found a word list, extracted from an open source Scrabble game, consisting of 52,000 words that always seemed to include the ones generated by iOS.

That meant just 52,000 words x 10,000 digit combinations, for a grand total of 52 million possible passphrases.

That would take five hours to crack on a laptop CPU at 3000 WPA keys/second, or 50 minutes (six times faster) using a modest graphics card.

→ WPA password cracking requires you to salt and hash each potential passphrase into a 256-bit master key using the PBKDF2 algorithm. This is deliberately designed to be slow, requiring approximately 16,000 iterations of the SHA-1 hash function for each passphrase you try. Nevertheless, SHA-1 calculations can be sped up dramatically using Graphics Processing Units (GPUs).

Under the surface

Guessing that Apple wasn’t using the Scrabble game data in its passphrase generator, KFM decided to see if they could narrow down their 52,000-word dictionary.

Disassembling the passphrase generator code in iOS, they found that it worked like this:

  • Feed a pseudorandom non-word into the spelling checker and see what comes back.
  • Append four pseudorandom digits.

The code instructs the spelling checker to restrict its choices to words of four to six letters in length.

Now consider that when you feed a pseudorandom string into a spelling checker, you won’t get a pseudorandom result.

There isn’t a straightforward and consistent mapping between the set of possible unpronounceable words and all known words, at least in the English language.

So KFM wrote their own implementation of the passphrase generation code and ran it 100 million times with pseudorandom input.

Only 1842 different words came back, with some of them very much more likely than others.


Now, only 18 million possible passphrases remained!

KFM then tried a four-GPU rig of slightly more powerful graphics cards – something many attackers would have access to – and found that they needed just 50 seconds to churn through all possible hotspot passphrases and thus to guarantee a crack.

The problem

If you’re like me, you’ll prefer to use your own Personal Hotspot even when password-protected free Wi-Fi is available, on the grounds that other people who already know the WPA password can intercept your handshake and then read all your traffic in real time.

That makes the passphrase choice for your Personal Hotspot as important as the passphrase you choose for your fixed-line Wi-Fi router at home.

Unfortunately, while Apple’s automatic passphrase generator for iOS may give the impression of “pronounceable randomness,” it actually gives a false sense of security because it is far too predictable.

→ Ironically, if iOS generated passcodes of only seven digits (for 10 million possible passcodes), you might consider it safer, if no more secure, since at least there would be no false sense of security. The limitation would be self-documenting.

What to do about it

The lessons we can learn from this are:

  • Algorithms which look cryptographically reasonable from a few sample runs may turn out to be completely flawed.
  • Community cryptographic testing and peer review are vitally important, so avoid proprietary algorithms if you can.
  • Spelling checkers aren’t supposed to be pseudrandom generators.
  • Anyone who knows your WPA key and is around when you connect to your network can decrypt your traffic in real time.
  • Anyone who is around when you connect and can sniff your traffic can attempt to crack the password and decrypt your traffic later.
  • Choose your own passphrase, and make it a good one, when using iOS’s Personal Hotspot.

Further information

We recently made a short video on the topic of personal Wi-Fi security.

We included a section giving you some practical and visual advice on how to choose and remember decent WPA Wi-Fi passphrases [click the Captions icon during playback for closed captions]:

Enjoy the video, and be careful out there!