Windows Phone 8 Crypto Weakness Equals Wi-Fi Risk

Microsoft warns information security managers to validate access points or risk attackers exploiting weak crypto to steal network credentials, gain access.

Mathew J. Schwartz, Contributor

August 6, 2013


Windows Phone security alert: Unless corporate wireless access points are validated using a digital certificate, an attacker could spoof the network, steal users' network credentials and gain commensurate access to network resources.

That security warning was issued Sunday by Microsoft, which said that a weakness in a Wi-Fi authentication protocol used by all Windows Phone 7.8 and 8 devices could be exploited by an attacker to steal the encrypted network-access credentials stored on the device.

"To exploit this issue, an attacker-controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials," said a Microsoft security advisory. "An attacker could re-use a victim's domain credentials to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource."

Microsoft said that to date, it's seen no attacks in the wild that exploit this vulnerability.


Attackers wouldn't need to be in the proximity of corporate Wi-Fi access points to launch a related exploit. Rather, an attacker would only need to ensure that a targeted corporate user's Windows Phone -- be it at an airport, coffee shop or information security conference -- was within range of a rogue access point disguised to look like their legitimate corporate access point.

But don't expect to see a related security patch from Microsoft -- the problem isn't in the Windows Phone software. Rather, it stems from a cryptographic weakness in PEAP-MS-CHAPv2 (the Protected Extensible Authentication Protocol with MS-CHAPv2 as its inner authentication method), which Windows Phones use for Wi-Fi Protected Access 2 (WPA2) wireless authentication.

"This is not a security vulnerability that requires Microsoft to issue a security update," said the company's security advisory. "This issue ... is addressed through implementing configuration changes on the wireless access points and on Windows Phone 8 devices."

As tweeted by F-Secure Labs security advisor Sean Sullivan, one of those Windows Phone configuration changes boils down to the following: "Automatically connect to Wi-Fi hotspots? Don't." That refers to the phones' advanced Wi-Fi settings menu "automatically connect to Wi-Fi hotspots" option; ensure it's unchecked. Sullivan also noted that -- unlike iOS -- Windows Phone users can "review and audit known networks," and thus disable any networks that shouldn't be trusted.

Microsoft offered two further "suggested actions" to mitigate the vulnerability, although the feasibility of one of them -- "turn off Wi-Fi in Windows Phone devices" -- is questionable, to say the least.

A better option is Microsoft's recommendation that information security managers issue a root certificate with which the phone can validate the corporate access point. To distribute the certificate, Microsoft suggested using a corporate mobile device management system, or emailing the certificate to Windows Phone users along with installation instructions.

In either case, "the certificate should have an easy-to-remember name; for instance, 'Contoso Corporate Root Certificate,'" said Microsoft. That's because once the certificate is on the device, users will have to use it, starting with "forgetting" the corporate access point in their Windows Phone settings, then logging into it again -- with their username and password -- as well as activating the "validate server certificate" setting, which requires that they select the relevant certificate for the access point.

After that, attackers won't be able to successfully spoof the corporate wireless access point to pilfer the Windows Phone users' network credentials, because whenever their Windows Phone attempts to connect to that corporate access point, its digital certificate must first be validated. Only after that happens will a user's username and password get transmitted, and a full Wi-Fi connection established.
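To make the effect of the "validate server certificate" setting concrete, here is an added example (not Microsoft's code, and not from the advisory) that models the supplicant's decision in Python: it only starts the inner MS-CHAPv2 exchange when the presented certificate chain ends at the pinned corporate root. Certificate names and thumbprints are constructed sample values, and the chain check stands in for the signature verification a real supplicant performs.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    thumbprint: str  # constructed stand-in for the SHA-1 of the DER form


@dataclass
class WifiProfile:
    ssid: str
    validate_server_cert: bool
    trusted_root_thumbprint: Optional[str] = None  # the certificate the user selects


def chains_to_root(chain: List[Cert], root_thumbprint: Optional[str]) -> bool:
    """Walk leaf -> intermediates -> root; every issuer must be the next subject
    and the last certificate must be the self-signed root the profile pins."""
    if not chain or root_thumbprint is None:
        return False
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.subject == root.issuer and root.thumbprint == root_thumbprint


def release_credentials(profile: WifiProfile, presented_chain: List[Cert]) -> bool:
    """True when the phone would proceed to send its MS-CHAPv2 credential
    exchange to the access point that broadcast profile.ssid."""
    if not profile.validate_server_cert:
        return True  # weak setting: any AP using the corporate SSID gets the handshake
    return chains_to_root(presented_chain, profile.trusted_root_thumbprint)


# Constructed sample data: the corporate root, the RADIUS server it signed,
# a self-signed rogue AP, and a rogue AP holding a cert from some public CA.
CORP_ROOT = Cert("Contoso Corporate Root Certificate", "Contoso Corporate Root Certificate", "aa11")
CORP_RADIUS = Cert("radius.contoso.example", "Contoso Corporate Root Certificate", "bb22")
ROGUE_SELF_SIGNED = Cert("radius.contoso.example", "radius.contoso.example", "cc33")
PUBLIC_CA = Cert("Some Public CA", "Some Public CA", "dd44")
ROGUE_PUBLIC = Cert("radius.contoso.example", "Some Public CA", "ee55")

WEAK = WifiProfile("CorpWiFi", validate_server_cert=False)
HARDENED = WifiProfile("CorpWiFi", validate_server_cert=True, trusted_root_thumbprint="aa11")


def decisions(profile: WifiProfile) -> dict:
    return {
        "corporate": release_credentials(profile, [CORP_RADIUS, CORP_ROOT]),
        "rogue_self_signed": release_credentials(profile, [ROGUE_SELF_SIGNED]),
        "rogue_public_ca": release_credentials(profile, [ROGUE_PUBLIC, PUBLIC_CA]),
    }
```

With the weak profile every access point is handed the credential exchange; with the hardened profile only the chain ending at the selected corporate root is, and a rogue certificate signed by an unrelated public CA is rejected because the root is pinned rather than merely trusted.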


About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
