Apple iOS prior 7, Mobile Hotspot generateDefaultPassword WPA2 Password credentials management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.5 | $0-$5k | 0.00 |
A vulnerability was found in Apple iOS (Smartphone Operating System). It has been rated as critical. Affected by this issue is the function generateDefaultPassword of the component Mobile Hotspot. The manipulation as part of a WPA2 Password leads to a credentials management vulnerability. Using CWE to declare the problem leads to CWE-255. Impacted is confidentiality, integrity, and availability. CVE summarizes:
The WifiPasswordController generateDefaultPassword method in Preferences in Apple iOS 6 and earlier relies on the UITextChecker suggestWordInLanguage method for selection of Wi-Fi hotspot WPA2 PSK passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack that leverages the insufficient number of possible passphrases.Creating a mobile wifi hotspot allows to use a default password. These passwords are generated out of a list of 1842 entries. The distribution is not randmon, which makes the password perdictable.
The weakness was presented 06/17/2013 by Andreas Kurtz, Daniel Metz and Felix Freiling with Friedrich-Alexander University as Technical Report CS-2013-02 as not defined advisory (Website). The advisory is shared for download at www1.cs.fau.de. The public release happened without coordination with the vendor. This vulnerability is handled as CVE-2013-4616 since 06/18/2013. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details as well as a public exploit are known. The MITRE ATT&CK project declares the attack technique as T1552. The advisory points out:
Within one of the first steps, the method generateDefaultPassword() of the WifiPasswordController class triggers the overall initialization (Frame #17 in Listing 1). This method invokes a frontend method of the Apple spell checking service, located in the UIKit framework. The method suggestWordInLanguage() of the class UITextChecker (Frame #16) is normally used by Apple to enhance the user experience and to predict user input. Whenever a user enters some text, words are suggested appearing above the keyboard based on the letters a user already typed in. This method is re-used to generate easy pronounceable hotspot passwords that can be easily remembered. Next, the ProofReader framework, a private frameworkand the core of the iOS spell checking service is utilized to pick a single word in a specific length range from this English-language dictionary file (Frames #15 to #13). According to the relevant disassembly output, only words in the length of 4 to 6 characters are selected. (…) During static analysis, we revealed that a four digit random number is appended to the word picked from the dictionary.
A public exploit has been developed by Andreas Kurtz/Daniel Metz/Felix Freiling and been published immediately after the advisory. The exploit is available at www1.cs.fau.de. It is declared as proof-of-concept. As 0-day the estimated underground price was around $100k and more.
Upgrading to version 7, eliminates this vulnerability. It is possible to mitigate the problem by adding an authentication mechanism. The problem might be mitigated by replacing the product with Android, Windows Phone or BlackBerry as an alternative. The best possible mitigation is suggested to be adding authentication. It is advised to set a user-defined password.
lists.owasp.org is providing further details. See 5610, 8303, 8792 and 8797 for similar entries.
Product
Type
Vendor
Name
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 9.4VulDB Meta Temp Score: 8.5
VulDB Base Score: 9.4
VulDB Temp Score: 8.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Credentials managementCWE: CWE-255
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: Andreas Kurtz/Daniel Metz/Felix Freiling
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: AuthenticationStatus: 🔍
0-Day Time: 🔍
Exploit Delay Time: 🔍
Upgrade: iOS 7,
Alternative: Android/Windows Phone/BlackBerry
Timeline
06/17/2013 🔍06/17/2013 🔍
06/18/2013 🔍
06/18/2013 🔍
06/18/2013 🔍
09/19/2013 🔍
05/17/2021 🔍
Sources
Vendor: apple.comAdvisory: Technical Report CS-2013-02
Researcher: Andreas Kurtz, Daniel Metz, Felix Freiling
Organization: Friedrich-Alexander University
Status: Not defined
Confirmation: 🔍
CVE: CVE-2013-4616 (🔍)
SecurityTracker: 1029054
Secunia: 54886 - Apple iOS Multiple Vulnerabilities, Highly Critical
OSVDB: 94329
scip Labs: https://www.scip.ch/en/?labs.20150917
Misc.: 🔍
See also: 🔍
Entry
Created: 06/18/2013 10:09Updated: 05/17/2021 08:13
Changes: 06/18/2013 10:09 (64), 03/20/2019 08:20 (15), 05/17/2021 08:13 (3)
Complete: 🔍
Committer: olku
No comments yet. Languages: en.
Please log in to comment.