Microsoft warns of Windows Phone Wi-Fi flaw

Vulnerability in the Wi-Fi authentication protocol meant to secure Windows Phone devices could enable attackers to decrypt and reuse domain credentials of handsets running the mobile operating system.

To exploit the weakness, an attacker could deploy a rogue Wi-Fi hotspot masquerading as a known or trusted access point that would case the “target device to automatically attempt to authenticate with the access point and in turn allowing the attacker to intercept the victim’s encrypted domain credentials,” a Microsoft Security Advisory on Sunday warned.

“The stolen credentials can then be re-used to authenticate the attacker to a network resource and the attacker could take any action that the user could take on that network resource.”

The software company said the weakness is in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2).

The protocol is used by Windows Phone for WPA2 wireless authentication.

Microsoft is now aware of any attacks using the flaw but the company said it continues to monitor the situation.

The guard against the exploit, Microsoft suggests use either of the following actions:

1) Turn of the Wi-Fi radio of the phone: From the phone settings menu, toggle Wi-Fi networking to the “off” position

2) Require a verification certificate from a wireless access pint before starting the authentication process from Windows Phone 8 devices. Windows Phone 8 devices can be configured to validate network access points. This helps in making sure you are connecting to your company’s network

Corporate IT departments must issue root certificates that can be used to validate the wireless access point. This certificate could have already been provisioned via the IT managed mobile device management (MDM) solution, said Microsoft.

RELATED CONTENT

Android malware ‘out of control,’ says Fortinet
Nokia releases 41MP Lumia 1020 Windows Phone

For instruction on how to configure a Windows Phone 8 to require certificate verifications, follow these instructions from Microsoft.