Microsoft: Windows Phone passwords can be accessed via rogue WiFi hotspot

Nokia's new Lumia 1020 is one of the phones affected by the Windows Phone 8 WiFi issue

It's never a good idea to connect any WiFi-enabled device to an unsecured hotspot, but owners of Windows Phone 7.8 and 8 smartphones now have an extra security issue to worry about. A newly discovered vulnerability in Microsoft's mobile OS could result in hackers obtaining the passwords from Windows Phone devices if they are connected to a rogue WiFi hotspot.

Microsoft issued a security advisory late on Sunday, stating they have become aware of an issue with the PEAP-MS-CHAPv2 protocol in Windows Phone. The advisory stated:

To exploit this issue, an attacker controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource.

At the moment, Microsoft is unaware of any attacks that are currently using this method to steal passwords from Windows Phone devices. Microsoft will not issue a patch for the OS to plug this hole. Instead, the company says that phone owners should configure their devices so that they require a certificate to verify a WiFi hotspot before it begins the password login process; the security advisory has a step-by-step method to help owners configure their phones.
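The mitigation described above, validating the access point's certificate before any credentials are sent, can be checked on other 802.1X clients as well. As an added example (not from the article or Microsoft's advisory), this script audits a wpa_supplicant configuration for PEAP-MS-CHAPv2 networks that would authenticate to a rogue access point; the choice of wpa_supplicant, the sample profile, SSIDs and paths are assumptions constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf (not from the article or the advisory).
SAMPLE_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi-Pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
network={
    ssid="Home"
    psk="constructed-passphrase"
}
'''

NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one dict of key -> unquoted value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = re.findall(r"^\s*(\w+)=(.*?)\s*$", body, re.M)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit(text):
    """List (ssid, problem) for PEAP-MS-CHAPv2 profiles that do not pin the RADIUS server."""
    findings = []
    for net in parse_networks(text):
        if "PEAP" not in net.get("eap", "").upper().split() or "MSCHAPV2" not in net.get("phase2", "").upper():
            continue  # PSK networks and other EAP methods are out of scope here
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append((net.get("ssid"), "no CA configured: any server certificate is accepted"))
        elif not any(net.get(k) for k in NAME_CHECKS):
            findings.append((net.get("ssid"), "CA set but server name is not checked"))
    return findings

if __name__ == "__main__":
    for ssid, problem in audit(SAMPLE_CONF):
        print(f"{ssid}: {problem}")
```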

Source: Microsoft | Image via Nokia

15 Comments

This doesn't affect 99% of normal users. It's only an issue when there's an additional challenge in place and the 802.1X authentication protocol is using PEAP-MS-CHAPv2 to authenticate the user to RADIUS or IAS.

If your organization is using this extra layer (most users use WPA2-PSK), they'll know how to handle this to get it secured.

CTFD

Don't allow connections if the CA cert isn't validated on the desktop. But it's not as if these devices have group policy?

There are tools for Windows Phone in the enterprise, but it's not done through GPOs. There's an enterprise management tool that you can use to remotely wipe devices and other things, but it's nowhere near as feature-rich as what is offered through GP.

Read this, it gives you a broad outline of what's possible using MS's tools for WP8 devices or 3rd party software and/or appliances.
http://www.microsoft.com/en-us...nload/details.aspx?id=36831

Not a Windows Phone issue, read the source article. John at his finest again trolling against Microsoft.

Um... the source article is a Microsoft security advisory which clearly lists the affected software as Windows 7.8 and 8...

Edited by John Callaham, Aug 6 2013, 3:27pm :

You do realize that the "MS" in "PEAP-MS-CHAPv2" stands for Microsoft, right?

The source article clearly states that it affects Windows Phone. While it does affect other devices it is Microsoft's responsibility to fix it because it's only in their version of the protocol.

j2006 said,
Not a Windows Phone issue, read the source article. John at his finest again trolling against Microsoft.

Reading is fundamental...

Try reading the article.

Like others have said, this isn't a WP issue. Any device using MS_CHAPv2 is vulnerable to this exploit. Just be aware of rogue hotspots. That should be common practice.

Yeah, this is an MS-CHAPv2 issue, NOT a Windows Phone issue. If you connected to the same hotspot with domain credentials on an Android or iOS device bad guys would get the same info.

So this is a vulnerability on WP7.8 & WP8 but you can only use the certificate method on WP8, WP7.8 advice is to turn WiFi off!

Surely if someone is spoofing WiFi hotspots to obtain your passwords then this would affect a lot more devices than just Windows Phones?

swayton said,
So this is a vulnerability on WP7.8 & WP8 but you can only use the certificate method on WP8, WP7.8 advice is to turn WiFi off!

Surely if someone is spoofing WiFi hotspots to obtain your passwords then this would affect a lot more devices than just Windows Phones?


Yes, this exploit exists for pretty much any device connecting to a WPA2 wireless access point. That's why you don't ignore certificate warnings and you only connect when you're certain that you should expect the SSID wherever you're trying to connect.