Microsoft warns of Wi-Fi-related flaw that can expose Windows Phone credentials

Microsoft has warned Windows Phone users of a security weakness in a Wi-Fi authentication protocol that, ironically, was designed to make Wi-Fi more secure.

In an Aug. 4 security advisory, the company said this known vulnerability could let attackers obtain, decrypt and reuse the domain credentials of a handset running Windows Phone 7.8 or 8, but only if the phone uses a specific authentication method: PEAP-MS-CHAPv2, for Wi-Fi Protected Access 2 (WPA2) wireless authentication.

The full name of the method, which combines two protocols, is Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2. It's apparently the Microsoft protocol that is the source of the vulnerability. The alert says that "Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary."

It's unclear how widely used MS-CHAPv2 is among Windows Phone users in particular, or among enterprise deployments in general. It was introduced by Microsoft in Windows NT 4.0 Service Pack 4. It has been widely used as the main authentication method for many of today's PPTP virtual private network (VPN) clients.

Though its weaknesses have been known in the security community since 1999, they were decisively exposed a year ago at DefCon 2012. David Hulton and Moxie Marlinspike together demonstrated and released two tools that could reduce the handshake's security to a single DES (Data Encryption Standard) key, and then crack it in less than a day via a commercial online password cracking service. Marlinspike posted his detailed analysis at that site.

According to the latest Microsoft alert, to exploit this vulnerability in Windows Phone devices, the attacker impersonates a known Wi-Fi access point. A victim handset automatically tries to authenticate to this fake. The attacker intercepts the victim's encrypted domain credentials. Then, he exploits the cryptographic weakness in MS-CHAPv2 to decrypt the credentials. After that, the attacker impersonates the victim, re-using the valid credentials to authenticate himself to network resources. Once cleared, the attacker has that victim's full set of on-network privileges.

There are two actions to counter this weakness, according to Microsoft, but one of them is to shut off the Wi-Fi radio in the phone.

The other is to configure a Windows Phone 8 device to require a certificate that verifies the Wi-Fi access point, making sure the access point is a legitimate one and not a phony, before launching the authentication process between access point and phone. To do that, the IT group creates a "root certificate" used to verify the access point, and emails it to all users.

Then it's up to the user to walk through the next steps:

+ Delete the previously configured Wi-Fi connection

+ In "Settings, Wi-Fi," tap "Advanced"

+ Tap and hold over the selected Wi-Fi network, and choose delete

+ Create a new connection and enable server certificate validation

+ In Wi-Fi settings, tap on the enterprise Wi-Fi network access point which will open a Sign-in page

+ Enter username and password; toggle "Validate Server Certificate" to On; tap to choose a certificate; in the list of certificates to select, pick the root certificate issued from Corporate IT (for example, "Contoso Corporate Root Certificate"), and tap Done
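Why the pinned root certificate stops the fake access point, shown as an added example (not code from Microsoft or the advisory): the client accepts the authentication server's certificate only if it chains to the root that IT distributed, so an impostor that copies every name still fails. It assumes the `openssl` command-line tool; the host name `radius.contoso.example` and all keys and certificates are constructed for the demo.

```shell
#!/bin/sh
# Added illustration: every name, key and certificate here is constructed.
work=$(mktemp -d)

# new_root NAME: self-signed root CA carrying the article's example name.
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Contoso Corporate Root Certificate" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# new_server NAME ROOT: certificate for the (hypothetical) authentication
# server, signed by ROOT.
new_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.contoso.example" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$work/$1.csr" -days 30 \
    -CA "$work/$2.pem" -CAkey "$work/$2.key" -CAcreateserial \
    -out "$work/$1.pem" 2>/dev/null
}

# validate_server CERT: the client-side check. Succeeds only if CERT chains
# to the root IT distributed (corp_root), whatever names CERT carries.
validate_server() {
  openssl verify -CAfile "$work/corp_root.pem" "$1" >/dev/null 2>&1
}

new_root corp_root                 # the root IT emails to users
new_server corp_radius corp_root   # genuine authentication server
new_root fake_root                 # impostor CA with the same subject name
new_server fake_radius fake_root   # impostor server with the same host name

for cert in corp_radius fake_radius; do
  if validate_server "$work/$cert.pem"; then
    echo "$cert: trusted, sign-in may proceed"
  else
    echo "$cert: rejected, sign-in stops before credentials are sent"
  fi
done
```

The impostor chain is rejected even though its issuer and subject names match the genuine ones, because the check rests on the signature from the pinned root's key rather than on the names.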

John Cox covers wireless networking and mobile computing for Network World.
