Microsoft issued a security advisory on Sunday, warning of a potential data leakage issue for Windows Phone users connecting to Wi-Fi hotspots.
Hackers love to set traps for wireless users promising free Wi-Fi in airports, restaurants and other public areas. Once a mobile device connects to the rogue network, the attacker is often able to sit and sniff traffic in a classic man-in-the-middle attack.
In this case, a weakness in the Wi-Fi authentication protocol used by Windows phones for WPA2 authentication could allow an attacker to steal credentials from a connected device. Microsoft said in its advisory that it is not aware of any active attacks, just a public report on the weakness in the protocol.
The problem is in the PEAP-MS-CHAPv2 protocol, Microsoft said.
“To exploit this issue, an attacker controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim’s encrypted domain credentials,” the advisory said. “An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim’s domain credentials.”
Once those credentials have been obtained, the hacker could authenticate as the victim and view, alter or download network resources.
Microsoft said Windows Phone 8 and 7.8 are affected by the problem, which cannot be patched. Instead, it must be addressed via configuration changes on the devices as well as the wireless access points, Microsoft said.
Microsoft did suggest mitigations, including configuring a Windows Phone to require a digital certificate in order to validate the wireless access point before starting the authentication process. “This can be done by validating a certificate that’s on your company’s server,” the advisory said. “Only after validating the certificate is user name and password information sent to the authentication server, so the phone can connect to the Wi-Fi network.”
Users may configure their phones to enable server certificate validation once they’ve received a root certificate from their company’s IT department. Users must open the enterprise Wi-Fi access point, sign in, then toggle on Validate Server Certificate, and then select the root certificate provided by their company.
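As an added illustration (not from the advisory or this article), the same mitigation expressed for a wpa_supplicant client using PEAP-MS-CHAPv2: the weak profile that skips server validation sits beside the corrected one that pins the company root CA and the authentication server's name. The SSID, identity, server name and certificate path are assumed placeholders.

```conf
# Added example, not part of the Microsoft advisory.
# WEAK: no ca_cert and no server-name match, so the client accepts any
# certificate a RADIUS server presents and will run the MS-CHAPv2 exchange
# against a rogue access point that merely advertises the same SSID.
# Kept disabled here purely for contrast; do not deploy it.
network={
    ssid="CorpWiFi"                       # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.example"         # assumed user identity
    password="REDACTED"                   # placeholder
    phase2="auth=MSCHAPV2"
    disabled=1
}

# CORRECTED: validate the server certificate against the IT-provided root
# and require a matching server name before any credentials are sent
# inside the TLS tunnel. This is the supplicant-side equivalent of the
# "Validate Server Certificate" toggle described above.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.example"
    anonymous_identity="anonymous@corp.example"   # outer identity keeps the username out of the clear
    password="REDACTED"                           # placeholder
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"     # assumed path to the company root certificate
    domain_suffix_match="radius.corp.example"     # assumed authentication server name
    phase2="auth=MSCHAPV2"
}
```

With `ca_cert` and `domain_suffix_match` set, an access point presenting an untrusted or mis-named certificate fails the TLS phase and the inner MS-CHAPv2 credentials are never transmitted.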
Image courtesy Okubax.