57

Microsoft warns of a rogue Wi-Fi vulnerability on our Windows Phones

Windows Phone Wifi

Microsoft has issued an advisory warning concerning a Windows Phone vulnerability when connecting to rogue Wi-Fi networks.

The issue at hand rests in a Wi-Fi authentication scheme (PEAP-MS-CHAPv2) which our Windows Phones use to access protected wireless networks. Cryptographic weaknesses in the technology can allow an attacker to recover a Windows Phone encrypted domain credentials (passwords) when it connects to a rogue access point.

For those who aren't up on their security, a rogue access point is a wireless access point that has been installed on a secure company network without authorization or has been created by a hacker to accommodate attacks.

Microsoft is not expected to issue an update to correct this issue but instead recommends users require a certificate to verify a wireless access point before starting the authentication process from our Windows Phones.

Microsoft has detailed instructions on how to require the certification in their advisory that entails, deleting the Wi-Fi network from your Windows Phone and then re-establish the network connection after receiving the root certificate from the network's Corporate IT.

Source: Microsoft via: ARS Technica; Thanks, everyone, for the tip!

-
loading...
-
loading...
-
loading...
-
loading...

Reader comments

Microsoft warns of a rogue Wi-Fi vulnerability on our Windows Phones

57 Comments

No problem on my end. As a long time hacker/geek, I don't connect to wifi just because its there as a rule. But thanks for the heads up.

Hmm.. hidden ssid .. Automatic connection to same wifi name in other areas lika starbucks free wifi.. information about connection..wifi turn off not on after battery saver

Home, yes. College? Maybe. If your College has a "hacking" club like mine does (which I'm a member of), you might not want to risk it. :P

I hope college networks are fine. My wife works at a university and its a live on campus position. So our internet is the college's network.

Depends. Do you have your own Router (that student's have to get for most dorms) or do you use the public WiFi? If you have your own Router and are connected to the internet from it, you should be fine.

It doesn't need "fixing" it does not affect 90% of users. Its only an issue for people using secure networks that are not currently using the proper authentification.

No, it means do nothing. This does not affect the normal user. Only secure business servers.

If you work for somewhere with the type of network its talking about, then you would already be using the correct authentication

My understanding from the thread at ArsTechnica is that this affects users who connect to corporate WiFi networks that use PEAP-MS-CHAPv2
The problem seems to be twofold:
1. WP8 will try to connect to an access point that has the same name as one of your "known networks" so anyone could spoof your wifi and have your phone automatically try to connect. I haven't tested this but the other thread reports it is true.
2. If your wifi is using PEAP-MS-CHAPv2 the default is your phone will not check for a server certificate and will send your domain credentials in a way the spoofed wifi network could read. The solution is to change the default setting to require checking for the server certificate.
So the scenario would be:
You normally connect to your corporate WiFi network that uses PEAP-MS-CHAPv2 and have it saved as a known network that is automatically connected when you are in range. Your corporate network is called "BigCoWiFi". You set up your wifi connection with the default settings. A bad guy sets up a wifi access point at your favorite lunch spot also called "BigCoWiFi" and your phone tries to connect automatically and sends your domain credentials across in a way the bad guy can read.
I got this info from http://arstechnica.com/security/2013/08/windows-phones-susceptible-to-password-theft-when-connecting-to-rogue-wi-fi/ but people on that thread don't seem to be in agreement on all the specifics.
 

This is off subject, but has anyone ever thought that MS might be planning on having full Instagram integration in WP8.1? Maybe, 8.1 will integrate Instagram in the same way Facebook is on our phones... This is a possibility❕

For once, you may actually have something here. Instagram are backing a new third party app. That tells me that they are interested in wp. So they are either a) lazy. Or b) working with ms on something.

And what a coup that would be. Even the verge would have to write that up as a win.

For once I may actually have something here... Lol❕.. Kellzea, like I always tell NIST... "You are getting on my last set of nerves"... :-)

? Why are you even calling yourself idiot? Btw, did you post any comments in that Nokia Lumia 1020 article? Seeing quite a lot of WP supporters in the article makes me feel quite relieved hehe.

Lol❕❕.. Yeah, I slandered the journalist so bad, I'll probably get band from that site for life.. I mean,, I talked about his mother, blatantly cursed him out several times, and I was just plainly being a all out dick to this guy.. My language was COMPLETELY unacceptable❕.. I feel real good now.

OMG! I just got a light bulb in my head. I just realize that my Joker of the Century comment could be very easily understood as referring to you lol. In case there is misunderstanding, the "Joker of the Century" refers to that dumb Nokia Lumia 1020 reviewer. Please pardon my ignorance, Sir!

In other words, next time you're at at the local NoTell Motel with your little
something-something on the side, don't use the motel's complimentary WiFi to check on whether your wife e-mailed you cause something's husband might hack in and end up  emailing your wife for you.

George, I think this article should have had a bit more detail so as to not spook the network un-initiated.
 
As I understand the security bulletin, this is only a danger when you access SECURED (password-protected) networks. If a hacker is spoofing the network you normally access with secure credentials, you might be vulnerable. The work-around attached to the bulletin allows you to be sure that the password-protected network you are accessing is really the network you think it is before your credentials (passwords) get transmitted.
 
THIS WILL NOT AFFECT PUBLICLY ACCESSIBLE WI-FI NETWORKS, at least as I understand it. Correct me if I am wrong.

"windows phone encrypted domain credentials"... How is this possible when windows phone doesn't even support a domain?

Well, this just sucks.  I got my Lumia specifically so I could connect at work.  I emailed IT about getting a certificate and of course they have no idea how to get it, let alone send it to me so I can connect.
GRRRRR

We need to be very clear that This issue ONLY affects you if you use RADIUS for authentication, secondly, this is nothing new, rogue ap's and RADIUS have always been vunerable, shame on you WPCentral "scaremongering"

Yes, I believe this must be clarified properly. This vulnerability involves corporate WIFI that uses domain credentials to authenticate, different from the authentications used in usual home and public networks. PEAP-MSCHAPv2 is the most commonly used authentication in corporate networks for wireless connection, and the proper implementation of this is to use "CA certificates" validation. Every BYOD is vulnerable to this, not just WP. iOS and Android device using PEAP-MSCHAPv2 without certifacate validation is also prone to this. Its just that MS is responsible enough to publish this warning.