Microsoft is warning users that their Windows Phone 8 and Windows Phone 7.8 devices could be easily tricked into revealing login credentials for corporate Wi-Fi access points secured with WPA2 protection. The vulnerability appears to build on a known security weakness in a Microsoft authentication protocol as well as the way Windows Phones connect to WPA2 networks.
How it works
Let’s say Bob works for Acme Inc. and you use a Nokia Lumia 920 as his work phone. Every day Bob’s phone automatically connects to the company’s Wi-Fi network, called ACME1, using WPA2 security.
Whenever Bob’s phone sees a Wi-Fi network called ACME1, the handset assumes that this is his work network and attempts to make a connection.
Now, let’s say that two blocks down the street there’s a café where a lot of ACME employees grab a latte on their lunch breaks. All a hacker would have to do is set-up a wireless router called ACME1 secured with WPA2 and wait for a Windows Phone to connect to the rogue access point.
Once Bob walks in with his Nokia 920 with the Wi-Fi turned on, his phone will try to connect to the bogus ACME1 Wi-Fi network. During the phony authentication process, the hacker will be able to intercept the encrypted domain credentials stored in Bob’s phone.
Now, that wouldn’t be a problem if Microsoft was using a cryptographic standard known to be resistant to attack, but Windows Phone uses an authentication protocol called PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2) that packs some key cryptological weaknesses, which are exploited by this vulnerability.
So after the hacker nabs Bob’s login credentials, the baddie can simply capitalize on the weak encryption to obtain Bob’s credentials and then login to the real ACME1 with the same user privileges as Bob.
No patch incoming
Microsoft says it has no plans for a patch to fix this issue as the problem is the fundamentally weak cryptography used in PEAP-MS-CHAPv2. (On the plus side, Microsoft says it doesn’t know of any examples of the weakness being actively used in the wild.)
As a workaround, Microsoft is advising corporate IT departments to require Windows Phone devices to validate a Wi-Fi access point by checking its root certificate before attempting to connect. The other option, Microsoft says, is to turn off your phone’s Wi-Fi capabilities. Anyone who needs to learn how to secure their Windows Phone device can find detailed instructions on Microsoft’s Website.
Via Ars Technica