Some rather smart hackers have managed to figure out the dictionary that the iPhone uses to generate its default password for internet sharing.
In the paper "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots", authors Andreas Kurtz, Felix Freiling, and Daniel Metz explain that they honed the process so that a single AMD Radeon HD 6990 GPU took only 52 seconds to crack the password, and a custom-built box with 4 AMD Radeon HD 7970 GPUs took only 24 seconds.
Once cracked, the encryption key could be used to piggyback on the phone’s hotspot bandwidth, stage a man-in-the-middle attack for eavesdropping, and get access to files stored on the device.
The iPhone uses a combination of a dictionary word and a number by default, but interestingly Windows Phone, which only uses an 8-digit number, may be even more vulnerable.
The authors conclude:
"The results of our analysis have shown that the mobile hotspot feature of smart devices increases the attack surface in several ways," the team concludes. "As the default password of an arbitrary iOS hotspot user can be revealed within seconds, attacks on mobile hotspots might have been underestimated in the past and might be an attractive target in the future."
Windows Phone users who want to mitigate this attack should not keep the default 8-digit password. Instead, go to Setup on the internet sharing page and change it to a strong password that is not a dictionary word.
Read more detail at The Register here.