CIO Today HOME LATEST NEWS NEWSLETTERS SEARCH Search
  LATEST NEWS FOR SUNDAY FEBRUARY 19

Close Search Box
CIO Today
ENTERPRISE HARDWARE
Microsoft Warns of Windows Phone 8 Wi-Fi Weakness
Posted August 6, 2013
Microsoft Warns of Windows Phone 8 Wi-Fi Weakness
Next Story
EARLIER
Crossbar Shakes Up Memory Market with New RRAM
THIS STORY
Microsoft Warns of Windows Phone 8 Wi-Fi Weakness
Next Story
LATER
Some Xerox WorkCentre Copiers Alter Numbers on Scans
YOU ARE HERE:   HOME arrow ENTERPRISE HARDWARE arrow THIS STORY
NEWS OPS

By Jennifer LeClaire. Updated August 6, 2013 2:33PM

SHARE

ALSO SEE

Microsoft is warning consumers with smartphones that sport the Windows Phone 7.8 and Windows 8 mobile operating systems that they could be open for attack.

Hackers could exploit a weakness in the Wi-Fi authentication process, known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), to access the user's log-on credentials.

"In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device," the company said in a security advisory. "Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary."

Intercepting Encrypted Credentials

Here's how an attacker-controlled system could exploit the weakness: First, the system poses as a known Wi-Fi access point. This charade would cause the targeted device to automatically attempt to authenticate with the access point. That, in turn, would allow the attacker to intercept the victim's encrypted domain credentials.

At that point, an attacker could exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to grab the victim's domain credentials. Finally, those credentials could be used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on the network.

We caught up with Kevin O'Brien, an enterprise solution architect at CloudLock, to get his take on the exploit. He told us the pivot point is cryptographic weakness.

"We've seen this particular type of vulnerability before, including from Microsoft, whose ASP.NET framework had a similar issue a few years ago," O'Brien said. "We've seen it recently, in the now well-known Cryptocat exploit. And we'll see it again. 

As O'Brien sees it, the issue is that Microsoft committed one of the cardinal sins of security: it took a good idea (encryption), implemented it badly and then released it to the market.

"What went wrong in the MS-CHAPv2 example here is that the protocol relies largely upon smoke and mirrors to appear confusing, either intentionally or due to a lack of understanding on the behalf of the original coders," O'Brien said. "As a result, the entire protocol is compromised, and it should cease to be used in favor of the far more robust open-source alternatives in the market today."

A Recipe for Mass Compromise

Mike Gross, Global Risk strategy director at 41st Parameter, told us the lesson: most mobile devices, by default, enable convenient access to known Wi-Fi and other networks, so users need to be aware of these settings and how they can protect themselves.

"While there are specific steps that businesses can take to protect their secure networks from unauthorized access, users will unfortunately still be vulnerable to attack unless they disable the option to automatically connect to known Wi-Fi networks -- something most consumers will not do because of the inconvenience involved in reconnecting every time they come home or walk into an airport," he said.

In many cases, Gross noted, a smartphone or tablet user may simply be strolling through his local airport where an attacker has set up a Wi-Fi hotspot mimicking that of the legitimate public Wi-Fi, using the airport code as a network ID and not requiring a password to connect. He called this scenario a recipe for mass-compromise, as mobile devices would likely connect to the known network without hesitation.

"Even if the Wi-Fi auto-join feature is disabled, consumers are not in the clear. They will likely still be prompted to connect to a Wi-Fi network and should be extra vigilant when traveling or in a public location where this type of network spoofing is possible," Gross said. "Smartphone software configurations and defaults are clearly set up with user convenience in mind, so consumers must take extra steps to protect themselves and the integrity of their mobile devices."

Tell Us What You Think
Comment:

Name:

MORE IN ENTERPRISE HARDWARE

Next Article >

NETWORK SECURITY SPOTLIGHT
This Spotlight
Is Brought to You By:

INSIDE CIO TODAY NETWORK SITES SERVICES BENEFITS