Microsoft warns of Windows Phone Wi-Fi flaw

Vulnerability in the Wi-Fi authentication protocol meant to secure Windows Phone devices could enable attackers to decrypt and reuse domain credentials of handsets running the mobile operating system.

To exploit the weakness, an attacker could deploy a rogue Wi-Fi hotspot masquerading as a known or trusted access point that would case the “target device to automatically attempt to authenticate with the access point and in turn allowing the attacker to intercept the victim’s encrypted domain credentials,” a Microsoft Security Advisory on Sunday warned.

“The stolen credentials can then be re-used to authenticate the attacker to a network resource and the attacker could take any action that the user could take on that network resource.”

The software company said the weakness is in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2).

The protocol is used by Windows Phone for WPA2 wireless authentication.

Microsoft is now aware of any attacks using the flaw but the company said it continues to monitor the situation.

The guard against the exploit, Microsoft suggests use either of the following actions:

1) Turn of the Wi-Fi radio of the phone: From the phone settings menu, toggle Wi-Fi networking to the “off” position

2) Require a verification certificate from a wireless access pint before starting the authentication process from Windows Phone 8 devices. Windows Phone 8 devices can be configured to validate network access points. This helps in making sure you are connecting to your company’s network

Corporate IT departments must issue root certificates that can be used to validate the wireless access point. This certificate could have already been provisioned via the IT managed mobile device management (MDM) solution, said Microsoft.


Android malware ‘out of control,’ says Fortinet
Nokia releases 41MP Lumia 1020 Windows Phone

For instruction on how to configure a Windows Phone 8 to require certificate verifications, follow these instructions from Microsoft.


Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Stemming the tide of cybercrime

By: Derek Manky Technology continues to play a significant role in accelerating...

Power through a work-from-anywhere lifestyle with the LG gram

“The right tool for the right job” is an old adage...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now