HOME     MENU     SEARCH     NEWSLETTER    
NEWS & INFORMATION FOR TECHNOLOGY PURCHASERS. UPDATED 14 MINUTES AGO.
You are here: Home / Microsoft/Windows / Wi-Fi Weakness in Windows Phone 8
Microsoft Warns of Windows Phone 8 Wi-Fi Weakness
Microsoft Warns of Windows Phone 8 Wi-Fi Weakness
By Jennifer LeClaire / NewsFactor Network Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
AUGUST
06
2013
Relevant Products/Services is warning consumers with smartphones that sport the Windows Phone 7.8 and Windows 8 Relevant Products/Services operating systems that they could be open for attack.

Hackers could exploit a weakness in the Wi-Fi authentication process, known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), to access the user's log-on credentials.

"In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device," the company said in a security advisory. "Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary."

Intercepting Encrypted Credentials

Here's how an attacker-controlled system could exploit the weakness: First, the system poses as a known Wi-Fi access point. This charade would cause the targeted device to automatically attempt to authenticate with the access point. That, in turn, would allow the attacker to intercept the victim's encrypted domain credentials.

At that point, an attacker could exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to grab the victim's domain credentials. Finally, those credentials could be used to authenticate the attacker to Relevant Products/Services resources, and the attacker could take any action that the user could take on the network.

We caught up with Kevin O'Brien, an Relevant Products/Services solution architect at CloudLock, to get his take on the exploit. He told us the pivot point is cryptographic weakness.

"We've seen this particular type of vulnerability before, including from Microsoft, whose ASP.NET framework had a similar issue a few years ago," O'Brien said. "We've seen it recently, in the now well-known Cryptocat exploit. And we'll see it again. 

As O'Brien sees it, the issue is that Microsoft committed one of the cardinal sins of security: it took a good idea (encryption), implemented it badly and then released it to the market.

"What went wrong in the MS-CHAPv2 example here is that the protocol relies largely upon smoke and mirrors to appear confusing, either intentionally or due to a lack of understanding on the behalf of the original coders," O'Brien said. "As a result, the entire protocol is compromised, and it should cease to be used in favor of the far more robust open-source alternatives in the market today."

A Recipe for Mass Compromise

Mike Gross, Global Risk strategy director at 41st Parameter, told us the lesson: most mobile devices, by default, enable convenient access to known Wi-Fi and other networks, so users need to be aware of these settings and how they can protect themselves.

"While there are specific steps that businesses can take to protect their secure networks from unauthorized access, users will unfortunately still be vulnerable to attack unless they disable the option to automatically connect to known Wi-Fi networks -- something most consumers will not do because of the inconvenience involved in reconnecting every time they come home or walk into an airport," he said.

In many cases, Gross noted, a smartphone or tablet user may simply be strolling through his local airport where an attacker has set up a Wi-Fi hotspot mimicking that of the legitimate public Wi-Fi, using the airport code as a network ID and not requiring a password to connect. He called this scenario a recipe for mass-compromise, as mobile devices would likely connect to the known network without hesitation.

"Even if the Wi-Fi auto-join feature is disabled, consumers are not in the clear. They will likely still be prompted to connect to a Wi-Fi network and should be extra vigilant when traveling or in a public location where this type of network spoofing is possible," Gross said. "Smartphone Relevant Products/Services configurations and defaults are clearly set up with user convenience in mind, so consumers must take extra steps to protect themselves and the integrity of their mobile devices."

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
MORE IN MICROSOFT/WINDOWS

NETWORK SECURITY SPOTLIGHT
The organization behind the Firefox Web browser, Mozilla, wants to see Web site encryption become standard practice, and it has laid out a two-part plan to help that happen.

NEWSFACTOR.COM
NEWSFACTOR NETWORK SITES
NEWSFACTOR SERVICES
© Copyright 2015 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.