A flaw in the way Windows Phones handle encryption and connect to Wi-Fi could leak valuable corporate credentials.
Microsoft has warned of a known vulnerability in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), used by Windows Phones for WPA2 Wi-Fi access.
To carry out the attack, a hacker could set up a rogue Wi-Fi hotspot that the device would connect to automatically, without prompting the user, allowing the attacker to capture the encrypted authentication traffic sent from the Windows Phone. A weakness in the PEAP-MS-CHAPv2 protocol’s encryption could then be exploited to recover the user’s credentials.
“Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource,” Microsoft wrote in its advisory.
“In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device.
“Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.”
Windows Phone 7.8 and Windows Phone 8 are affected, but not earlier versions of the mobile OS.
Instead of issuing a patch, Microsoft recommended configuring Windows Phones to verify a wireless access point’s certificate before starting the authentication process.
“A Windows Phone 8 device can be configured to validate a network access point to help make sure the network is your company’s network before starting an authentication process,” the tech titan added.
“This can be done by validating a certificate that’s on your company’s server. Only after validating the certificate is user name and password information sent to the authentication server.”
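The same mitigation, as an added illustration that is not from the article or from Microsoft’s guidance: below, the equivalent of the weak and the corrected settings for a Linux wpa_supplicant client using PEAP-MS-CHAPv2. The SSID, CA path, domain and account name are assumed placeholders.

```conf
# WEAK: no CA certificate and no server-name check, so the phone-equivalent
# client will complete the TLS tunnel with any access point and then send
# the MS-CHAPv2 credentials inside it.
network={
    ssid="CorpWiFi"            # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"            # placeholder account
    password="placeholder"
    phase2="auth=MSCHAPV2"
}

# CORRECTED: pin the issuing CA and the expected RADIUS server name; the
# inner MS-CHAPv2 exchange only starts after the server certificate chains
# to this CA and its name matches, so a rogue hotspot never sees credentials.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # placeholder CA path
    domain_suffix_match="radius.example.com"      # placeholder server name
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```

Both `ca_cert` and a name match are needed: a CA alone still accepts any certificate that CA issued, and a name match alone is meaningless without a trusted chain.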