Microsoft: Windows Phone passwords can be accessed via rogue WiFi hotspot

Nokia's new Lumia 1020 is one of the phones affected by the Windows Phone 8 WiFi issue

It's never a good idea to connect any WiFi-enabled device to an unsecured hotspot, but owners of Windows Phone 7.8 and 8 smartphones now have an extra security issue to worry about. A newly discovered vulnerability in Microsoft's mobile OS could result in hackers obtaining the passwords from Windows Phone devices if they are connected to a rogue WiFi hotspot.

Microsoft issued a security advisory late on Sunday, stating that it has become aware of an issue with the PEAP-MS-CHAPv2 protocol in Windows Phone. The advisory stated:

To exploit this issue, an attacker controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource.

At the moment, Microsoft is unaware of any attacks that are currently using this method to steal passwords from Windows Phone devices. Microsoft will not issue a patch for the OS to plug this hole. Instead, the company says that phone owners should configure their devices so that they require a certificate to verify a WiFi hotspot before they begin the password login process; the security advisory has a step-by-step method to help owners configure their phones.

Source: Microsoft | Image via Nokia
