Windows Phone 8 Crypto Weakness Equals Wi-Fi Risk - InformationWeek

Windows Phone 8 Crypto Weakness Equals Wi-Fi Risk

Microsoft warns information security managers to validate access points or risk attackers exploiting weak crypto to steal network credentials, gain access.

Windows Phone security alert: Unless corporate wireless access points are validated using a digital certificate, an attacker could spoof the network, steal users' network credentials and gain commensurate access to network resources.

That security warning was issued Sunday by Microsoft, which said that a weakness in a Wi-Fi authentication protocol used by all Windows Phone 7.8 and 8 devices could be exploited by an attacker to steal the encrypted network-access credentials stored on the device.

"To exploit this issue, an attacker-controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials," said a Microsoft security advisory. "An attacker could re-use a victim's domain credentials to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource."

Microsoft said that to date, it's seen no attacks in the wild that exploit this vulnerability.


Attackers wouldn't need to be in the proximity of corporate Wi-Fi access points to launch a related exploit. Rather, an attacker would only need to ensure that a targeted corporate user's Windows Phone -- be it at an airport, coffee shop or information security conference -- was within range of a rogue access point disguised to look like their legitimate corporate access point.

But don't expect to see a related security patch from Microsoft -- the problem isn't in the Windows Phone software. Rather, it stems from a cryptographic weakness in the Protected Extensible Authentication Protocol with MS-CHAPv2 as the inner authentication method (PEAP-MS-CHAPv2), which Windows Phones use for Wi-Fi Protected Access 2 (WPA2) enterprise wireless authentication.

"This is not a security vulnerability that requires Microsoft to issue a security update," said the company's security advisory. "This issue ... is addressed through implementing configuration changes on the wireless access points and on Windows Phone 8 devices."

As tweeted by F-Secure Labs security advisor Sean Sullivan, one of those Windows Phone configuration changes boils down to the following: "Automatically connect to Wi-Fi hotspots? Don't." That refers to the phones' advanced Wi-Fi settings menu "automatically connect to Wi-Fi hotspots" option; ensure it's unchecked. Sullivan also noted that -- unlike iOS -- Windows Phone users can "review and audit known networks," and thus disable any networks that shouldn't be trusted.

Microsoft offered two further "suggested actions" to mitigate the vulnerability, although the feasibility of one of them -- "turn off Wi-Fi in Windows Phone devices" -- is questionable, to say the least.

Better is Microsoft's recommendation that information security managers issue a root certificate to validate the corporate access point. For issuing the certificate, Microsoft suggested distributing it using a corporate mobile device management system, or emailing the certificate to Windows Phone users along with instructions.

In either case, "the certificate should have an easy-to-remember name; for instance, 'Contoso Corporate Root Certificate,'" said Microsoft. That's because once the certificate is on the device, users will have to use it, starting with "forgetting" the corporate access point in their Windows Phone settings, then logging into it again -- with their username and password -- as well as activating the "validate server certificate" setting, which requires that they select the relevant certificate for the access point.

After that, attackers won't be able to successfully spoof the corporate wireless access point to pilfer Windows Phone users' network credentials, because whenever a Windows Phone attempts to connect to that corporate access point, the access point's digital certificate must first be validated against the installed root certificate. Only after that check succeeds will the user's username and password be transmitted and a full Wi-Fi connection established.
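As an added example (not Microsoft's or InformationWeek's code), the following Python script audits a PEAP Wi-Fi profile for the settings the advisory asks administrators to enforce: server certificate validation on, a specific trusted root CA selected, and no click-through prompt. It assumes the EapHostConfig XML layout Windows uses for PEAP profiles (element names such as PerformServerValidation and TrustedRootCA, as seen in desktop netsh wlan exports); the article does not say whether Windows Phone 8 exposes the same XML, and both sample profiles are constructed inline with a placeholder thumbprint.

```python
import xml.etree.ElementTree as ET

PEAP_TYPE = "25"  # IANA EAP method type for PEAP

def _local(tag):
    # Strip any XML namespace so lookups work with or without the Microsoft namespaces.
    return tag.rsplit("}", 1)[-1]

def _text(root, name):
    # Text of the first element (document order) with the given local name, or "" if absent/empty.
    for elem in root.iter():
        if _local(elem.tag) == name:
            return (elem.text or "").strip()
    return ""

def audit_profile(xml_text):
    """Return a list of findings; an empty list means the profile pins a root CA and validates."""
    root = ET.fromstring(xml_text)
    if _text(root, "Type") != PEAP_TYPE:
        return ["not a PEAP profile: outside the scope of this audit"]
    findings = []
    if _text(root, "PerformServerValidation") != "true":
        findings.append("server certificate validation is off: credentials go to any AP using this SSID")
    if not _text(root, "TrustedRootCA"):
        findings.append("no trusted root CA selected: a certificate from any installed CA is accepted")
    if _text(root, "DisableUserPromptForServerValidation") != "true":
        findings.append("user can be prompted to accept an untrusted server certificate")
    if not _text(root, "ServerNames"):
        findings.append("no expected server name: any certificate chaining to the root is accepted")
    return findings

def _peap_xml(perform, root_ca, prompt_off, names):
    # Constructed sample profile, trimmed to the relevant elements (most namespaces omitted).
    return f"""<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
 <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
 <Config><Eap><Type>25</Type><EapType>
  <ServerValidation>
   <DisableUserPromptForServerValidation>{prompt_off}</DisableUserPromptForServerValidation>
   <ServerNames>{names}</ServerNames><TrustedRootCA>{root_ca}</TrustedRootCA>
  </ServerValidation>
  <PeapExtensions><PerformServerValidation>{perform}</PerformServerValidation></PeapExtensions>
 </EapType></Eap></Config></EapHostConfig>"""

# The profile as the article describes it before the fix, and the hardened version (placeholder thumbprint).
WEAK_PROFILE = _peap_xml("false", "", "false", "")
HARDENED_PROFILE = _peap_xml("true", "PLACEHOLDER_ROOT_CA_THUMBPRINT", "true", "radius.contoso.example")

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(profile) or ["ok"])
```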
