Microsoft Warns Of Windows Phone Password Snooping Danger
Windows Phones could leak corporate network passwords, Microsoft warns
A flaw in the way Windows Phones handle encryption and connect to Wi-Fi could leak valuable corporate credentials.
Microsoft has warned of a known vulnerability in PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), the Wi-Fi authentication protocol used by Windows Phones for WPA2 Wi-Fi access.
Attacking Windows Phone
To carry out the attack, a hacker could set up a fake Wi-Fi hotspot to which the device would connect automatically, without user permission, allowing the attacker to grab the encrypted data being sent from the target’s Windows Phone. A flaw in the PEAP-MS-CHAPv2 protocol’s encryption could then be exploited to get at user credentials.
“Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource,” Microsoft wrote in its advisory.
“In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device.
“Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.”
Windows Phone 7.8 and Windows Phone 8 are affected, but not earlier versions of the mobile OS.
Instead of issuing a patch, Microsoft recommended using a certificate to verify a wireless access point before starting an authentication process from Windows Phones.
“A Windows Phone 8 device can be configured to validate a network access point to help make sure the network is your company’s network before starting an authentication process,” the tech titan added.
“This can be done by validating a certificate that’s on your company’s server. Only after validating the certificate is user name and password information sent to the authentication server.”