Vulnerability in the Wi-Fi authentication protocol meant to secure Windows Phone devices could enable attackers to decrypt and reuse domain credentials of handsets running the mobile operating system.
To exploit the weakness, an attacker could deploy a rogue Wi-Fi hotspot masquerading as a known or trusted access point that would case the “target device to automatically attempt to authenticate with the access point and in turn allowing the attacker to intercept the victim’s encrypted domain credentials,” a Microsoft Security Advisory on Sunday warned.
The software company said the weakness is in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2).
The protocol is used by Windows Phone for WPA2 wireless authentication.
Microsoft is now aware of any attacks using the flaw but the company said it continues to monitor the situation.
The guard against the exploit, Microsoft suggests use either of the following actions:
1) Turn of the Wi-Fi radio of the phone: From the phone settings menu, toggle Wi-Fi networking to the “off” position
2) Require a verification certificate from a wireless access pint before starting the authentication process from Windows Phone 8 devices. Windows Phone 8 devices can be configured to validate network access points. This helps in making sure you are connecting to your company’s network
Corporate IT departments must issue root certificates that can be used to validate the wireless access point. This certificate could have already been provisioned via the IT managed mobile device management (MDM) solution, said Microsoft.
For instruction on how to configure a Windows Phone 8 to require certificate verifications, follow these instructions from Microsoft.