Windows Phones susceptible to password theft when connecting to rogue Wi-Fi

Smartphones running Microsoft's Windows Phone operating system are vulnerable to attacks that can extract the user credentials needed to log in to sensitive corporate networks, the company warned Monday.

The vulnerability resides in a Wi-Fi authentication scheme known as PEAP-MS-CHAPv2, which Windows Phones use to access wireless networks protected by version 2 of the Wi-Fi Protected Access protocol. Cryptographic weaknesses in the Microsoft-developed technology allow attackers to recover a phone's encrypted domain credentials when it connects to a rogue access point. By exploiting vulnerabilities in the MS-CHAPv2 cryptographic protocol, the adversary could then decrypt the data.

"An attacker-controlled system could pose as a known Wi-Fi access point, causing the victim's device to automatically attempt to authenticate with the access point and in turn allowing the attacker to intercept the victim's encrypted domain credentials," the Microsoft advisory warned. "An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials."

The advisory comes a little more than a year after researchers devised an attack against the MS-CHAPv2 cryptographic scheme that made it trivial to break the encryption used by hundreds of anonymity and security services. The attack described in Monday's advisory appears to build off that exploit by combining it with behavior in Windows Phone that causes devices to automatically associate with a rogue network without first validating its digital certificate. When a handset attempts the CHAPv2 authentication, the operator of the rogue network can exploit the cryptographic weaknesses to recover the username and password.

"If correct, that should mean a pretty seamless attack against wireless enterprise credentials used in most corporate environments," Moxie Marlinspike, the pseudonymously named researcher who devised last year's attack, said of the latest exploit. Researcher David Hulton also helped develop last year's attack.

Microsoft doesn't intend to issue an update to patch the hole. Instead, company officials recommend that users require a certificate verifying a wireless access point before starting an authentication process from Windows Phone 8 devices. The advisory contains instructions for configuring a Windows Phone device to require a certificate verifying the trustworthiness of a wireless access point. The advisory also suggests turning off Wi-Fi connectivity on the smartphone when not needed. Microsoft said Monday's advisory was prompted by a public report that describes a known weakness in MS-CHAP.

Source: Ars Technica

Tags: break, hackers, OSes, Wi-Fi, Windows Phone 7
