Microsoft warns of a rogue Wi-Fi vulnerability on our Windows Phones


Microsoft has issued an advisory warning concerning a Windows Phone vulnerability when connecting to rogue Wi-Fi networks.

The issue lies in a Wi-Fi authentication scheme (PEAP-MS-CHAPv2) that our Windows Phones use to access protected wireless networks. Cryptographic weaknesses in the technology can allow an attacker to recover a Windows Phone's encrypted domain credentials (passwords) when it connects to a rogue access point.

For those who aren't up on their security, a rogue access point is a wireless access point that has been installed on a secure company network without authorization or has been created by a hacker to accommodate attacks.

Microsoft is not expected to issue an update to correct this issue. Instead, it recommends that users require a certificate to verify a wireless access point before starting the authentication process from our Windows Phones.

Microsoft's advisory has detailed instructions on how to require the certificate. They entail deleting the Wi-Fi network from your Windows Phone and then re-establishing the network connection after receiving the root certificate from the network's corporate IT.

Source: Microsoft via: Ars Technica; Thanks, everyone, for the tip!
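
The following is an added example, not part of the original article or Microsoft's advisory. It audits saved Wi-Fi profiles for the condition described above (PEAP with MS-CHAPv2 and no validation of the access point's certificate), generalized from Windows Phone to profiles in wpa_supplicant.conf syntax. The sample configuration, SSIDs, file path, host name and function names are constructed for illustration.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not from the article).
SAMPLE_CONF = '''
network={
    ssid="BigCoWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="BigCoWiFi-Pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/bigco-root.pem"
    domain_suffix_match="radius.bigco.example"
}
network={
    ssid="HomeNet"
    key_mgmt=WPA-PSK
}
'''
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Yield one {key: value} dict per network={...} block."""
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        yield fields

def audit(text):
    """Map SSID -> findings for every PEAP + MSCHAPv2 profile."""
    report = {}
    for net in parse_networks(text):
        if "PEAP" not in net.get("eap", "").upper().split() \
                or "MSCHAPV2" not in net.get("phase2", "").upper():
            continue  # not the authentication scheme the advisory covers
        findings = []
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append("server certificate is not validated (no ca_cert/ca_path)")
        if not any(net.get(k) for k in NAME_CHECKS):
            findings.append("server name is not pinned (no *_match option)")
        report[net.get("ssid", "?")] = findings
    return report
```

A profile with an empty findings list validates the RADIUS server before sending credentials; any other PEAP/MS-CHAPv2 profile will authenticate to whichever access point advertises the same SSID.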


Comments


Jazmac says:

No problem on my end. As a long time hacker/geek, I don't connect to wifi just because it's there as a rule. But thanks for the heads up.

icyrock1 says:

Same. Don't trust sources you don't know. 

adrian1338 says:

the lamest excuse for security problems. just next with use brain.exe

adrian1338 says:

The Wifi on WP8 is just a pain anyways.. really no problem with more problems adding on top :)

juliusgy says:

What pains do you have with the WiFi?

Jazmac says:

That is my question.
 

adrian1338 says:

Hmm.. hidden ssid .. Automatic connection to same wifi name in other areas like starbucks free wifi.. information about connection..wifi turn off not on after battery saver

matthoms says:

So are my home and college WiFi safe to use? Cause those are the only ones I use for WiFi

Kellzea says:

Yes, they are fine

icyrock1 says:

Home, yes. College? Maybe. If your College has a "hacking" club like mine does (which I'm a member of), you might not want to risk it. :P

TonyDedrick says:

I hope college networks are fine. My wife works at a university and it's a live-on-campus position. So our internet is the college's network.

icyrock1 says:

Depends. Do you have your own Router (that students have to get for most dorms) or do you use the public WiFi? If you have your own Router and are connected to the internet from it, you should be fine.

In other countries there are college WiFi networks? Ah, I'm jealous :o

MadSci2 says:

Well that's nice. They won't fix it, and all WE have to do is become IT specialists. FAIL!

Kellzea says:

It doesn't need "fixing"; it does not affect 90% of users. It's only an issue for people using secure networks that are not currently using the proper authentication.

explosive0 says:

Oh whatever. If this was Apple, you all will be crying. It freaking needs fixing.

sectime says:

I think you need to reread the article. 

kinaton says:

They won't fix on 7.8. It's a dead OS.

So what does this mean, exactly? To no longer use WiFi on the phone???

Kellzea says:

No, it means do nothing. This does not affect the normal user. Only secure business servers.

If you work for somewhere with the type of network it's talking about, then you would already be using the correct authentication.

DrewT3 says:

My understanding from the thread at ArsTechnica is that this affects users who connect to corporate WiFi networks that use PEAP-MS-CHAPv2
The problem seems to be twofold:
1. WP8 will try to connect to an access point that has the same name as one of your "known networks" so anyone could spoof your wifi and have your phone automatically try to connect. I haven't tested this but the other thread reports it is true.
2. If your wifi is using PEAP-MS-CHAPv2 the default is your phone will not check for a server certificate and will send your domain credentials in a way the spoofed wifi network could read. The solution is to change the default setting to require checking for the server certificate.
So the scenario would be:
You normally connect to your corporate WiFi network that uses PEAP-MS-CHAPv2 and have it saved as a known network that is automatically connected when you are in range. Your corporate network is called "BigCoWiFi". You set up your wifi connection with the default settings. A bad guy sets up a wifi access point at your favorite lunch spot also called "BigCoWiFi" and your phone tries to connect automatically and sends your domain credentials across in a way the bad guy can read.
I got this info from http://arstechnica.com/security/2013/08/windows-phones-susceptible-to-password-theft-when-connecting-to-rogue-wi-fi/ but people on that thread don't seem to be in agreement on all the specifics.
 

Thank you for the explanation!

ahhh.  Thank you.

rodneyej says:

This is off subject, but has anyone ever thought that MS might be planning on having full Instagram integration in WP8.1? Maybe, 8.1 will integrate Instagram in the same way Facebook is on our phones... This is a possibility❕

samcode7 says:

Carry on now...

xaeryan says:

Rodneye's high again.

rodneyej says:

Lol!.. Again❔.. So, you're saying I came down at some point❔

Kellzea says:

For once, you may actually have something here. Instagram are backing a new third party app. That tells me that they are interested in wp. So they are either a) lazy. Or b) working with ms on something.

And what a coup that would be. Even the verge would have to write that up as a win.

rodneyej says:

For once I may actually have something here... Lol❕.. Kellzea, like I always tell NIST... "You are getting on my last set of nerves"... :-)

jasqid says:

I think I may see pigs fly before I see instagram show up in my WP accounts list.

rodneyej says:

It's amazing that some ducks can fly...

HansTj says:

This dude has just won the most coveted "Joker of the Century" award!

rodneyej says:

What an idiot❕

HansTj says:

Reading the article's comment section is so much fun though lol.

rodneyej says:

That's because of idiots like me.

HansTj says:

? Why are you even calling yourself idiot? Btw, did you post any comments in that Nokia Lumia 1020 article? Seeing quite a lot of WP supporters in the article makes me feel quite relieved hehe.

rodneyej says:

Lol❕❕.. Yeah, I slandered the journalist so bad, I'll probably get banned from that site for life.. I mean,, I talked about his mother, blatantly cursed him out several times, and I was just plainly being an all-out dick to this guy.. My language was COMPLETELY unacceptable❕.. I feel real good now.

HansTj says:

OMG! I just got a light bulb in my head. I just realized that my Joker of the Century comment could be very easily understood as referring to you lol. In case there is misunderstanding, the "Joker of the Century" refers to that dumb Nokia Lumia 1020 reviewer. Please pardon my ignorance, Sir!

Oakdale Dude says:

In other words, next time you're at the local NoTell Motel with your little something-something on the side, don't use the motel's complimentary WiFi to check on whether your wife e-mailed you cause something's husband might hack in and end up emailing your wife for you.

GregP8 says:

George, I think this article should have had a bit more detail so as to not spook the network un-initiated.
 
As I understand the security bulletin, this is only a danger when you access SECURED (password-protected) networks. If a hacker is spoofing the network you normally access with secure credentials, you might be vulnerable. The work-around attached to the bulletin allows you to be sure that the password-protected network you are accessing is really the network you think it is before your credentials (passwords) get transmitted.
 
THIS WILL NOT AFFECT PUBLICLY ACCESSIBLE WI-FI NETWORKS, at least as I understand it. Correct me if I am wrong.

Don't worry, the NSA doesn't need WiFi to hack you.

topleya says:

It will take another 18 months before they fix it though

AneticsUK says:

Yeah try 10 years! RADIUS authentication (not wpa/wpa2) has had this vulnerability since server 2003

mikroland says:

"windows phone encrypted domain credentials"... How is this possible when windows phone doesn't even support a domain?

AneticsUK says:

They're talking about RADIUS authentication, most normal ppl use wpa/wpa2 so it won't affect them

tollonodre says:

Well, this just sucks.  I got my Lumia specifically so I could connect at work.  I emailed IT about getting a certificate and of course they have no idea how to get it, let alone send it to me so I can connect.
GRRRRR

Osama204 says:

Same situation here, my phone is close to useless at work

AneticsUK says:

We need to be very clear that this issue ONLY affects you if you use RADIUS for authentication. Secondly, this is nothing new, rogue APs and RADIUS have always been vulnerable, shame on you WPCentral "scaremongering"

biboyflip says:

Yes, I believe this must be clarified properly. This vulnerability involves corporate WIFI that uses domain credentials to authenticate, different from the authentications used in usual home and public networks. PEAP-MSCHAPv2 is the most commonly used authentication in corporate networks for wireless connection, and the proper implementation of this is to use "CA certificates" validation. Every BYOD is vulnerable to this, not just WP. iOS and Android devices using PEAP-MSCHAPv2 without certificate validation are also prone to this. It's just that MS is responsible enough to publish this warning.
 

Meh... when it comes to my phone I tend to use my 3G exclusively.  I tend to get a good connection wherever.