Windows Phone 8 Crypto Weakness Equals Wi-Fi Risk - InformationWeek



Windows Phone 8 Crypto Weakness Equals Wi-Fi Risk

Microsoft warns information security managers to validate access points or risk attackers exploiting weak crypto to steal network credentials, gain access.

Windows Phone security alert: Unless corporate wireless access points are validated using a digital certificate, an attacker could spoof the network, steal users' network credentials and gain commensurate access to network resources.

That security warning was issued Sunday by Microsoft, which said that a weakness in a Wi-Fi authentication protocol used by all Windows Phone 7.8 and 8 devices could be exploited by an attacker to steal the encrypted network-access credentials stored on the device.

"To exploit this issue, an attacker-controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials," said a Microsoft security advisory. "An attacker could re-use a victim's domain credentials to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource."

Microsoft said that to date, it's seen no attacks in the wild that exploit this vulnerability.


Attackers wouldn't need to be in the proximity of corporate Wi-Fi access points to launch a related exploit. Rather, an attacker would only need to ensure that a targeted corporate user's Windows Phone -- be it at an airport, coffee shop or information security conference -- was within range of a rogue access point disguised to look like their legitimate corporate access point.

But don't expect to see a related security patch from Microsoft -- the problem isn't in the Windows Phone software. Rather, it stems from a cryptographic weakness in the Protected Extensible Authentication Protocol with MS-CHAPv2 (PEAP-MS-CHAPv2), which Windows Phones use for Wi-Fi Protected Access 2 (WPA2) wireless authentication.

"This is not a security vulnerability that requires Microsoft to issue a security update," said the company's security advisory. "This issue ... is addressed through implementing configuration changes on the wireless access points and on Windows Phone 8 devices."

As tweeted by F-Secure Labs security advisor Sean Sullivan, one of those Windows Phone configuration changes boils down to the following: "Automatically connect to Wi-Fi hotspots? Don't." That refers to the phones' advanced Wi-Fi settings menu "automatically connect to Wi-Fi hotspots" option; ensure it's unchecked. Sullivan also noted that -- unlike iOS -- Windows Phone users can "review and audit known networks," and thus disable any networks that shouldn't be trusted.

Microsoft offered two further "suggested actions" to mitigate the vulnerability, although the feasibility of one of them -- "turn off Wi-Fi in Windows Phone devices" -- is questionable, to say the least.

Better is Microsoft's recommendation that information security managers issue a root certificate to validate the corporate access point. For issuing the certificate, Microsoft suggested distributing it using a corporate mobile device management system, or emailing the certificate to Windows Phone users along with instructions.

In either case, "the certificate should have an easy-to-remember name; for instance, 'Contoso Corporate Root Certificate,'" said Microsoft. That's because once the certificate is on the device, users will have to use it, starting with "forgetting" the corporate access point in their Windows Phone settings, then logging into it again -- with their username and password -- as well as activating the "validate server certificate" setting, which requires that they select the relevant certificate for the access point.

After that, attackers won't be able to successfully spoof the corporate wireless access point to pilfer the Windows Phone users' network credentials, because whenever their Windows Phone attempts to connect to that corporate access point, its digital certificate must first be validated. Only after that happens will a user's username and password get transmitted, and a full Wi-Fi connection established.
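The following is an added Python model of that decision, not code from the article or from Microsoft. It mimics what a PEAP supplicant does before releasing MS-CHAPv2 credentials into the tunnel, with and without the "validate server certificate" setting and a selected root certificate. The root name "Contoso Corporate Root Certificate" comes from Microsoft's advisory; the SSID, server name and key identifiers are constructed, and a keyed HMAC stands in for the CA's X.509 signature (so, unlike a real root certificate, the same object both signs and verifies).

```python
"""Constructed model of the PEAP supplicant trust decision on a Windows Phone.
Added example, not Microsoft's code. A keyed HMAC stands in for the CA's X.509
signature; all names except 'Contoso Corporate Root Certificate' are made up."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    subject: str       # name of the RADIUS server presenting the certificate
    issuer: str        # CA that signed it
    pubkey_id: str     # stand-in for the server's public key
    signature: bytes   # toy signature over (subject, issuer, pubkey_id)


class RootCertificate:
    """Root CA that issues server certificates and, once installed on the phone,
    lets the supplicant verify them. Toy simplification: the same secret key
    signs and verifies, whereas a real root carries only the CA's public key."""

    def __init__(self, name: str):
        self.name = name
        self._key = secrets.token_bytes(32)

    def _sign(self, subject: str, pubkey_id: str) -> bytes:
        tbs = f"{subject}|{self.name}|{pubkey_id}".encode()
        return hmac.new(self._key, tbs, hashlib.sha256).digest()

    def issue(self, subject: str, pubkey_id: str) -> Certificate:
        return Certificate(subject, self.name, pubkey_id, self._sign(subject, pubkey_id))

    def verify(self, cert: Certificate) -> bool:
        return cert.issuer == self.name and hmac.compare_digest(
            self._sign(cert.subject, cert.pubkey_id), cert.signature)


@dataclass(frozen=True)
class WifiProfile:
    ssid: str
    validate_server_certificate: bool   # the setting the article tells users to activate
    trusted_roots: tuple = ()           # root certificate(s) selected for this network


def supplicant_decision(profile: WifiProfile, beacon_ssid: str, server_cert: Certificate):
    """Decide whether the phone releases its MS-CHAPv2 credentials into the PEAP tunnel.
    Returns (action, reason); action is 'ignore', 'abort' or 'send-credentials'."""
    if beacon_ssid != profile.ssid:
        return "ignore", "not a known network"
    if not profile.validate_server_certificate:
        # Weak configuration: the TLS tunnel is built to whatever answers to the
        # SSID, so the credentials flow to a spoofed access point as readily as
        # to the real one.
        return "send-credentials", "server certificate not checked"
    if not any(root.verify(server_cert) for root in profile.trusted_roots):
        return "abort", "server certificate not issued by the selected root"
    return "send-credentials", "server certificate validated"


def run_scenarios() -> dict:
    corp_root = RootCertificate("Contoso Corporate Root Certificate")  # name from the advisory
    corp_cert = corp_root.issue("radius.contoso.example", "corp-key-1")
    rogue_root = RootCertificate("Rogue Root")
    # A spoofed AP can copy the server name but cannot get the corporate root to sign it.
    rogue_cert = rogue_root.issue("radius.contoso.example", "rogue-key-1")
    # Replaying the real certificate with a different key breaks the signature.
    forged_cert = Certificate(corp_cert.subject, corp_cert.issuer, "rogue-key-1", corp_cert.signature)

    weak = WifiProfile("Contoso-Corp", validate_server_certificate=False)
    hardened = WifiProfile("Contoso-Corp", validate_server_certificate=True, trusted_roots=(corp_root,))

    return {
        "weak_vs_rogue": supplicant_decision(weak, "Contoso-Corp", rogue_cert)[0],
        "hardened_vs_rogue": supplicant_decision(hardened, "Contoso-Corp", rogue_cert)[0],
        "hardened_vs_forged": supplicant_decision(hardened, "Contoso-Corp", forged_cert)[0],
        "hardened_vs_corp": supplicant_decision(hardened, "Contoso-Corp", corp_cert)[0],
        "unknown_ssid": supplicant_decision(hardened, "CoffeeShop", corp_cert)[0],
    }


if __name__ == "__main__":
    for scenario, action in run_scenarios().items():
        print(f"{scenario:20s} -> {action}")
```

The only difference between the two profiles is the validation flag plus the selected root; everything else about the spoofed access point (SSID, server name, even a copied certificate body) is allowed to match, which is the point the advisory makes: the check has to be anchored in a certificate the attacker cannot reproduce, not in anything the phone can see over the air.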
