Researchers crack default iPhone Personal Hotspot passwords in under a minute


Comments

  • Reply 21 of 26
    geekdad Posts: 1,131 member
    Quote:
    Originally Posted by e_veritas View Post

    With all the "stay away from geeks with GPU clusters on their back" and "just keep a close eye on your connections", there seem to be some serious misconceptions in this thread. Based on the information in this report, the following would be a more plausible scenario.

    Let's say I go by 'Mr. Hacker', and am bored one afternoon. That afternoon, I decide to go to a place where I know mobile hotspots are in high use, like a train station. I pull out my cell phone to monitor wireless traffic and capture a WPA handshake that takes place when a wireless connection first authenticates. Oh look....there you are turning on your laptop and fiddling with your phone...any second now. Bingo...we have our WPA handshake to get us moving.

    I then send your WPA handshake down to my retired bitcoin miner at home with more than enough GPU power to hash away at lightning speed. Less than a minute later, I now have your cracked password, with your derived PMK and PTK. So what to do next? Connect to your phone now that I know your password? Heck no! Only an idiot would do that! With your PMK, PTK, and spoofing your laptop's MAC address...as far as your phone knows...I AM YOUR LAPTOP! No new connection required.

    What to do now? Well...let's first try to SSH and see if that bad boy was jailbroken. If so...I can do anything I want with it! Or maybe I'll just capture all your traffic to analyze for later. You would be shocked to know how many usernames and passwords are transmitted over unencrypted POST vars! If I'm really sophisticated, maybe I'll play a man-in-the-middle attack when you go to check your bank account. The possibilities are truly endless!

    Finally someone gets it....thanks for explaining it for us.....
  • Reply 22 of 26
    softeky Posts: 136 member
    .
  • Reply 23 of 26
    e_veritas Posts: 248 member
    Quote:
    Originally Posted by softeky View Post

    Doesn't it take a minute or so before iOS indicates acceptance of a hotspot password? With several hundred thousand candidate passwords to check, that's an awfully long time to wait around. It might take 50 seconds to generate the candidate passwords, but it'll likely take days to find the one that works on any given hotspot (do people generally run hotspots from their iOS devices for that length of time?).

    Am I missing something here?

    The vulnerability detailed in this paper has nothing to do with brute forcing a password via authentication attempts as you are suggesting. It has to do with deriving the original PSK (password) by hashing possible PSKs to match a captured WPA handshake. Normally this is a very tedious process because of the vast numbers of potential PSKs to sort through. However, this paper highlights that iOS has a high probability of selecting from a very small pool of possible default PSKs, making it easier to crack.
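
As an added illustration of the point above (example code, not from any poster or from the paper): under WPA2-PSK the PMK is a pure function of the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations, as IEEE 802.11i specifies), so candidate passphrases are scored locally against a captured handshake and the hotspot never sees an authentication attempt; the only thing that sets the cracking time is the size of the pool the passphrase was drawn from. The pool sizes inside compare_policies are assumptions chosen for the comparison, not figures from this thread.

```python
import hashlib
import math

# IEEE 802.11i parameters: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key from a WPA2-PSK passphrase and SSID.

    No network access is involved: the PMK depends only on (passphrase, ssid),
    which is why candidates can be checked offline against a captured handshake
    and why a lockout on login attempts at the hotspot changes nothing.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def keyspace_bits(pool_size: int) -> float:
    """Effective entropy, in bits, of a passphrase chosen uniformly from pool_size values."""
    return math.log2(pool_size)


def expected_crack_seconds(pool_size: int, pmks_per_second: float) -> float:
    """Average time to reach the right passphrase when each guess costs one PMK derivation.

    On average half of the pool is tried before the match turns up.
    """
    return pool_size / 2 / pmks_per_second


def compare_policies(pmks_per_second: float) -> dict:
    """Constructed comparison: a small default-style pool versus a random passphrase.

    Pool sizes are assumptions for illustration only (not from the paper):
    'default_style' models a few thousand dictionary words each followed by
    four digits; 'random_12_alnum' models 12 random characters from a
    62-symbol alphabet.
    """
    policies = {
        "default_style": 2_000 * 10**4,
        "random_12_alnum": 62**12,
    }
    return {
        name: {
            "bits": keyspace_bits(n),
            "expected_seconds": expected_crack_seconds(n, pmks_per_second),
        }
        for name, n in policies.items()
    }
```

The PMK derivation can be checked against the published 802.11i test vector (passphrase "password", SSID "IEEE"); the comparison shows that at any fixed derivation rate the small default pool falls in seconds to minutes while the random passphrase does not.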

  • Reply 24 of 26
    I hate that a regular Verizon or AT&T plan does not support a wifi hotspot
  • Reply 25 of 26
    "In the meantime, remain suspicious of strangers who move alongside you continuously..."

    Hahaha
  • Reply 26 of 26
    Shouldn't there be a way for the login function to shut down after, say, 5 wrong guesses in a row? And then give the guesses a time out for 5 minutes? And the time outs get radically longer after, say, the 3rd go round? I think if you try and randomly log into an iPhone, it does this kind of defense. It would basically kill the option of a brute force attack.