A weakness in the way Windows Phones authenticate to enterprise Wi-Fi networks could leak valuable corporate credentials.
Microsoft has warned of a known weakness in the Wi-Fi authentication protocol PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), which Windows Phones use for WPA2-Enterprise (802.1X) Wi-Fi access.
To carry out the attack, an attacker sets up a rogue access point that advertises a Wi-Fi network the phone already knows. The phone connects to it automatically, without prompting the user, and starts the PEAP-MS-CHAPv2 handshake with the attacker’s equipment instead of the company’s authentication server. A phone that has not been configured to validate the server’s certificate does not check who is on the other end of the PEAP TLS tunnel, so the rogue access point terminates that tunnel and sees the inner MS-CHAPv2 challenge and response. Known weaknesses in MS-CHAPv2’s challenge-response construction then allow the captured exchange to be attacked offline to recover the user’s credentials.
“Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource,” Microsoft wrote in its advisory.
“In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device.
“Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.”
Windows Phone 7.8 and Windows Phone 8 are affected, but not earlier versions of the mobile OS.
Rather than issuing a patch, Microsoft recommended configuring Windows Phone devices to validate the authentication server’s certificate before the phone starts the PEAP-MS-CHAPv2 exchange. A rogue access point that cannot present a certificate issued by the company’s trusted certificate authority then never receives the user’s credentials.
“A Windows Phone 8 device can be configured to validate a network access point to help make sure the network is your company’s network before starting an authentication process,” the tech titan added.
“This can be done by validating a certificate that’s on your company’s server. Only after validating the certificate is user name and password information sent to the authentication server.”
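As an added illustration, not text from the advisory or from the article, the following is the Microsoft EapHostConfig XML used for enterprise Wi-Fi profiles on Windows and, through the Wi-Fi configuration service provider, on Windows Phone 8.1. It shows the server-validation settings the guidance above refers to, with the weak values first (in a comment) and a hardened profile after them. The server name radius.corp.example and the root CA thumbprint are placeholders; whether a given management tool can push this XML to a particular Windows Phone 8 build is an assumption to verify against that tool’s documentation.

```xml
<!-- Added example: Windows EapHostConfig profile for PEAP (type 25) with
     inner EAP-MSCHAPv2 (type 26). Hostname and thumbprint are placeholders,
     not values from the advisory. -->

<!-- WEAK variant of the two validation-related sections. With these values
     the phone never checks who terminated the PEAP TLS tunnel, so a rogue
     access point presenting any certificate receives the MS-CHAPv2 response:

     <ServerValidation>
       <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
       <ServerNames></ServerNames>
     </ServerValidation>
     <PeapExtensions>
       <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
       <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
     </PeapExtensions>
-->

<!-- HARDENED profile: validate the server certificate before any credentials are sent -->
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <!-- Fail the connection rather than letting the user accept an unknown certificate -->
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <!-- Subject name the RADIUS server certificate must carry (placeholder) -->
          <ServerNames>radius.corp.example</ServerNames>
          <!-- SHA-1 thumbprint of the company root CA as hex bytes (placeholder value) -->
          <TrustedRootCA>01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67</TrustedRootCA>
        </ServerValidation>
        <FastReconnect>true</FastReconnect>
        <InnerEapOptional>false</InnerEapOptional>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>26</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
            <UseWinLogonCredentials>false</UseWinLogonCredentials>
          </EapType>
        </Eap>
        <EnableQuarantineChecks>false</EnableQuarantineChecks>
        <RequireCryptoBinding>false</RequireCryptoBinding>
        <PeapExtensions>
          <!-- Both must be true: validate the certificate chain AND match the server name -->
          <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
          <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</AcceptServerName>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
```

The three children of ServerValidation and the PerformServerValidation flag are the settings that matter. Pinning a specific TrustedRootCA thumbprint is the important part: with validation enabled but no thumbprint listed, Windows accepts a server certificate chaining to any root in the device’s trust store, which an attacker can obtain from a public CA for a name they control, and the ServerNames check is then the only thing standing between the phone and the rogue access point.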