Dan Goodin warns us (for Ars Technica) that a new attack cracks iPhone autogenerated hotspot passwords in seconds. In brief, if you use the mobile hotspot feature on your iPhone, you’re advised to override the password that iOS autogenerates to secure your connection. The problem is that the password is apparently generated by appending a randomized 4-digit numeric string to a small selection of words drawn from a small and easily obtained dictionary. It’s not that a casual snooper is likely to guess it, but a research paper by Kurtz, Freiling and Metz suggests a suitably equipped and prepared attacker can implement a brute-force attack that could be effective in less than 50 seconds.
Not quite calling for panic stations, but not an imaginary threat either, since a large part of the attack could be carried out offline.
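To show why the structure of such a password matters more than its length, here is an added example (not from the original post or the research paper) that audits a hotspot password against the word-plus-4-digits scheme and generates a random replacement. The wordlist is a constructed stand-in and the function names are hypothetical; the post does not give the real dictionary or its size.

```python
import math
import re
import secrets
import string

# Constructed stand-in wordlist (assumption): illustrative only, not the
# dictionary the post refers to.
SAMPLE_WORDS = frozenset({"apple", "river", "stone", "cloud", "tiger", "maple"})

# One lowercase word followed by exactly four digits.
SCHEME = re.compile(r"^([a-z]+)(\d{4})$")


def structured_space(wordlist_size: int) -> int:
    """Number of distinct passwords the word + 4-digit scheme can produce."""
    return wordlist_size * 10 ** 4


def audit(password: str, words=SAMPLE_WORDS) -> dict:
    """Report whether a password fits the scheme and what that costs in bits."""
    m = SCHEME.match(password)
    weak = bool(m and m.group(1) in words)
    # Naive estimate: each character drawn independently from a-z and 0-9.
    naive_bits = round(len(password) * math.log2(36), 1)
    # Only claim an effective strength when the structure is recognised.
    effective = round(math.log2(structured_space(len(words))), 1) if weak else None
    return {"matches_scheme": weak,
            "naive_bits": naive_bits,
            "effective_bits": effective}


def replacement(length: int = 16) -> str:
    """Random passphrase from the OS CSPRNG, within WPA2-PSK's 8-63 limit."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(audit("river4821"))   # fits the scheme: far fewer bits than length implies
    print(audit("zebra1234"))   # word not in the sample list: no claim made
    print(replacement())
```

Run against your own hotspot password with a wordlist you supply; a match means the password should be overridden with something like the output of `replacement()`.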
David Harley
Small Blue-Green World
ESET Senior Research Fellow