
iOS mobile hotspots

Threat Post has an article about some researchers who have found that the default mobile hotspot passwords generated by iOS 6 are not so random after all (they are built from a list of just 1,842 different words) and are therefore not too hard to brute force. Additionally...

“It should be noted that all generated keys are only valid for the lifetime of a single session and that generation of those keys only relies on the PSK,” the paper said. “This implies that the security level of the whole mobile hotspot depends on the quality of the passphrase.”
The original paper "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots" is here [pdf]. The title says it all - this is a true example of Usability vs. Security, and as too often seems to be the case, security loses.

Best option - use a long, custom non-dictionary password....
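To make the "usability vs. security" point concrete, here is an added example (not code from the post or from the paper) that scores a hotspot passphrase the way an attacker who knows the generator would: a default-style key is rated against the size of the generator's output space, not its character length. It assumes the default keys are a lowercase word followed by a 4-digit number, and uses a few constructed stand-in words in place of Apple's real list.

```python
import math
import re

# The post cites 1,842 words in the iOS 6 default-key word list; only the size
# matters for the keyspace estimate. SAMPLE_WORDS is a constructed stand-in.
DEFAULT_WORDLIST_SIZE = 1842
SAMPLE_WORDS = {"suave", "subbed", "headed", "coral", "amour"}

# Assumption: each default key ends in a 4-digit number (10,000 possibilities).
DIGIT_SUFFIX_SPACE = 10_000


def hotspot_default_keyspace_bits(words=DEFAULT_WORDLIST_SIZE,
                                  digits=DIGIT_SUFFIX_SPACE):
    """log2 of the number of candidate default keys: word choice x digit suffix."""
    return math.log2(words * digits)


def estimate_bits(password, wordlist=SAMPLE_WORDS):
    """Rough strength estimate for a hotspot passphrase, as (bits, reason).

    A 'word + 4 digits' key is scored against the default-key space regardless
    of its length, because an attacker who knows the generator only needs to
    search that space. Anything else gets a plain character-class estimate.
    """
    if not password:
        return 0.0, "empty passphrase"
    # Case-insensitive match so that 'Suave6325' is still recognised as default-style.
    m = re.fullmatch(r"([a-z]+)(\d{4})", password.lower())
    if m and m.group(1) in wordlist:
        return hotspot_default_keyspace_bits(), "matches default-key pattern"
    classes = 0
    if re.search(r"[a-z]", password):
        classes += 26
    if re.search(r"[A-Z]", password):
        classes += 26
    if re.search(r"\d", password):
        classes += 10
    if re.search(r"[^A-Za-z0-9]", password):
        classes += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(classes), "character-class estimate"


if __name__ == "__main__":
    for pw in ("suave6325", "Suave6325", "correct horse battery staple!"):
        bits, why = estimate_bits(pw)
        print(f"{pw!r}: ~{bits:.1f} bits ({why})")
```

A default-style key scores only about 24 bits no matter how long it looks, which is the gap between "looks random" and "is random" that the paper describes.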

Passwords, Passcodes, PINs

I recently came across an interesting article about PIN codes on iOS devices where an app developer pulled the login PIN numbers for his app to do some statistical analysis.

His findings are far from encouraging - or surprising - with (you guessed it!) '1234' taking the top spot, followed by '0000' (seriously...why bother with a passcode at all?).

This is pretty much in line with what I've blogged before about passwords. Of course if Mrs Shepherd-Barron hadn't gotten her way, the most popular PIN would probably match the most popular password...'123456'!

On passwords, a developer has taken all the recently exposed accounts and provided a nice web interface to allow you to see if your password may have been exposed. If you're worried, run your login ID through the checker and see. The site doesn't ask for passwords, but considering many site usernames are email addresses - use it at your own risk!

On better security news, the DSD (an Australian Government three-letter agency) has released a preliminary guide to hardening iOS [pdf]. A more in-depth guide is expected in September 2011.

Even more default passwords!

It's been widely reported that an Australian man has developed the new iPhone virus that 'rickrolls' owners of jailbroken iPhones.

The virus spreads via ssh using the iPhone's default password of 'alpine'. Normally ssh access is not available on a standard iPhone, but enabling access is a requirement of jailbreaking the iPhone to get around restrictions placed on the device by Apple.

This comes hot on the heels of a ransomware scam in which a Dutch hacker held jailbroken iPhones 'hostage' for €5, using the same method to gain access to jailbroken phones. (The Dutch hacker has since apparently stopped asking for money and has now provided instructions on how to undo his changes.)

Does this represent a big security hole for Apple? Not really, as both attacks only affect jailbroken iPhones. If you are jailbreaking an iPhone, or modifying any device against the manufacturer's instructions, then the onus of providing a secure device has passed from the manufacturer to the end user - something which most end users probably don't think about.

While both 'hackers' have claimed the release of their viruses was an educational 'wake up call' for users with jailbroken iPhones to ensure they change their default passwords, the simplicity of the attacks could mean something more sinister is on the horizon.
The pair of them may be in hot water, as even a relatively harmless change like rickrolling can have unintended legal consequences (the attempted extortion from the Dutchman aside).

If you have a jailbroken iPhone, change the default password asap!

*edit* I just came across this post from Sophos which has a screenshot of some of the virus source code:
