Mobile
News
8/6/2013
11:47 AM
Connect Directly
RSS
E-Mail
50%
50%

Windows Phone 8 Crypto Weakness Equals Wi-Fi Risk

Microsoft warns information security managers to validate access points or risk attackers exploiting weak crypto to steal network credentials, gain access.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Windows Phone security alert: Unless corporate wireless access points are validated using a digital certificate, an attacker could spoof the network, steal users' network credentials and gain commensurate access to network resources.

That security warning was issued Sunday by Microsoft, which said that a weakness in a Wi-Fi authentication protocol used by all Windows Phone 7.8 and 8 devices could be exploited by an attacker to steal the encrypted network-access credentials stored on the device.

"To exploit this issue, an attacker-controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials," said a Microsoft security advisory. "An attacker could re-use a victim's domain credentials to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource."

Microsoft said that to date, it's seen no attacks in the wild that exploit this vulnerability.

[ Careful, Android users. Read Scam Android Apps Plague Google Play. ]

Attackers wouldn't need to be in the proximity of corporate Wi-Fi access points to launch a related exploit. Rather, an attacker would only need to ensure that a targeted corporate user's Windows Phone -- be it at an airport, coffee shop or information security conference -- was within range of a rogue access point disguised to look like their legitimate corporate access point.

But don't expect to see a related security patch from Microsoft -- the problem isn't in the Windows Phone software. Rather, it stems from a cryptographic weakness in the Protected Extensible Authentication Protocol PEAP-MS-CHAPv2, which is used by Windows Phones for Wi-Fi Protected Access 2 (WPA2) wireless authentication.

"This is not a security vulnerability that requires Microsoft to issue a security update," said the company's security advisory. "This issue ... is addressed through implementing configuration changes on the wireless access points and on Windows Phone 8 devices."

As tweeted by F-Secure Labs security advisor Sean Sullivan, one of those Windows Phone configuration changes boils down to the following: "Automatically connect to Wi-Fi hotspots? Don't." That refers to the phones' advanced Wi-Fi settings menu "automatically connect to Wi-Fi hotspots" option; ensure it's unchecked. Sullivan also noted that -- unlike iOS -- Windows Phone users can "review and audit known networks," and thus disable any networks that shouldn't be trusted.

Microsoft offered two further "suggested actions" to mitigate the vulnerability, although the feasibility of one of them -- "turn off Wi-Fi in Windows Phone devices" -- is questionable, to say the least.

Better is Microsoft's recommendation that information security managers issue a root certificate to validate the corporate access point. For issuing the certificate, Microsoft suggested distributing it using a corporate mobile device management system, or emailing the certificate to Windows Phone users along with instructions.

In either case, "the certificate should have an easy-to-remember name; for instance, 'Contoso Corporate Root Certificate,'" said Microsoft. That's because once the certificate is on the device, users will have to use it, starting with "forgetting" the corporate access point in their Windows Phone settings, then logging into it again -- with their username and password -- as well as activating the "validate server certificate" setting, which requires that they select the relevant certificate for the access point.

After that, attackers won't be able to successfully spoof the corporate wireless access point to pilfer the Windows Phone users' network credentials, because whenever their Windows Phone attempts to connect to that corporate access point, its digital certificate must first be validated. Only after that happens will a user's username and password get transmitted, and a full Wi-Fi connection established.

Comment  | 
Print  | 
More Insights
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July10, 2014
When selecting servers to support analytics, consider data center capacity, storage, and computational intensity.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join InformationWeek’s Lorna Garey and Mike Healey, president of Yeoman Technology Group, an engineering and research firm focused on maximizing technology investments, to discuss the right way to go digital.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.