Microsoft warns information security managers to validate access points or risk attackers exploiting weak crypto to steal network credentials, gain access.
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Windows Phone security alert: Unless corporate wireless access points are validated using a digital certificate, an attacker could spoof the network, steal users' network credentials and gain commensurate access to network resources.
That security warning was issued Sunday by Microsoft, which said that a weakness in a Wi-Fi authentication protocol used by all Windows Phone 7.8 and 8 devices could be exploited by an attacker to steal the encrypted network-access credentials stored on the device.
"To exploit this issue, an attacker-controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials," said a Microsoft security advisory. "An attacker could re-use a victim's domain credentials to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource."
Microsoft said that to date, it's seen no attacks in the wild that exploit this vulnerability.
Attackers wouldn't need to be in the proximity of corporate Wi-Fi access points to launch a related exploit. Rather, an attacker would only need to ensure that a targeted corporate user's Windows Phone -- be it at an airport, coffee shop or information security conference -- was within range of a rogue access point disguised to look like their legitimate corporate access point.
But don't expect to see a related security patch from Microsoft -- the problem isn't in the Windows Phone software. Rather, it stems from a cryptographic weakness in the Protected Extensible Authentication Protocol PEAP-MS-CHAPv2, which is used by Windows Phones for Wi-Fi Protected Access 2 (WPA2) wireless authentication.
"This is not a security vulnerability that requires Microsoft to issue a security update," said the company's security advisory. "This issue ... is addressed through implementing configuration changes on the wireless access points and on Windows Phone 8 devices."
As tweeted by F-Secure Labs security advisor Sean Sullivan, one of those Windows Phone configuration changes boils down to the following: "Automatically connect to Wi-Fi hotspots? Don't." That refers to the phones' advanced Wi-Fi settings menu "automatically connect to Wi-Fi hotspots" option; ensure it's unchecked. Sullivan also noted that -- unlike iOS -- Windows Phone users can "review and audit known networks," and thus disable any networks that shouldn't be trusted.
Microsoft offered two further "suggested actions" to mitigate the vulnerability, although the feasibility of one of them -- "turn off Wi-Fi in Windows Phone devices" -- is questionable, to say the least.
Better is Microsoft's recommendation that information security managers issue a root certificate to validate the corporate access point. For issuing the certificate, Microsoft suggested distributing it using a corporate mobile device management system, or emailing the certificate to Windows Phone users along with instructions.
In either case, "the certificate should have an easy-to-remember name; for instance, 'Contoso Corporate Root Certificate,'" said Microsoft. That's because once the certificate is on the device, users will have to use it, starting with "forgetting" the corporate access point in their Windows Phone settings, then logging into it again -- with their username and password -- as well as activating the "validate server certificate" setting, which requires that they select the relevant certificate for the access point.
After that, attackers won't be able to successfully spoof the corporate wireless access point to pilfer the Windows Phone users' network credentials, because whenever their Windows Phone attempts to connect to that corporate access point, its digital certificate must first be validated. Only after that happens will a user's username and password get transmitted, and a full Wi-Fi connection established.
InformationWeek Elite 100Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
The UC Infrastructure TrapWorries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.