Microsoft Warns Of Windows Phone Password Snooping Danger

A flaw in the way Windows Phones handle encryption and connect to Wi-Fi could leak valuable corporate credentials.

Microsoft has warned of a known vulnerability in PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), the Wi-Fi authentication protocol used by Windows Phones for WPA2 Wi-Fi access.

Attacking Windows Phone

To carry out the attack, a hacker could set up a fake Wi-Fi hotspot that the device would connect to automatically, without user permission, allowing the attacker to capture the encrypted data being sent from the target's Windows Phone. A flaw in the PEAP-MS-CHAPv2 protocol’s encryption could then be exploited to get at user credentials.

“Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource,” Microsoft wrote in its advisory.

“In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device.

“Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.”

Windows Phone 7.8 and Windows Phone 8 are affected, but not earlier versions of the mobile OS.

Instead of issuing a patch, Microsoft recommended using a certificate to verify a wireless access point before starting an authentication process from Windows Phones.

“A Windows Phone 8 device can be configured to validate a network access point to help make sure the network is your company’s network before starting an authentication process,” the tech titan added.

“This can be done by validating a certificate that’s on your company’s server. Only after validating the certificate is user name and password information sent to the authentication server.”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
