Vulnerability in Windows Phone could give hackers access to corporate credentials
A security vulnerability has been located in Windows Phone, in the PEAP-MS-CHAPv2 wireless authentication scheme. It is this same scheme that allows Windows Phone devices to connect to WPA2 networks.
This vulnerability, which stems from a cryptographic weakness in the scheme, allows attackers to gain access to users' encrypted domain credentials. These credentials could potentially give the attackers access to sensitive corporate networks.
The vulnerability can be exploited when users unwittingly log onto fake networks, made to look like ones that they belong to.
“An attacker-controlled system could pose as a known Wi-Fi access point, causing the victim’s device to automatically attempt to authenticate with the access point and in turn allowing the attacker to intercept the victim’s encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim’s domain credentials,” warned the Microsoft advisory.
Oddly enough, Microsoft does not intend to patch this vulnerability. Rather, it simply advises users of Windows phones to require a certificate before joining wireless networks, and includes instructions for enforcing this in the phone settings.
Unfortunately for Microsoft, this does not reflect well on the reputation of Windows Phone, which has suffered from security problems before. For example, last year researchers discovered a security flaw in the MS-CHAPv2 scheme that enabled attackers to break encryption used by hundreds of services.
Some may say this is unsurprising, since Microsoft Windows has been susceptible to a great deal of malware and a vast number of vulnerabilities in the past, but hackers especially target Microsoft Windows because it is the operating system used by the vast majority of PC users.
But in the case of Windows Phone, this attention is unwarranted. Microsoft is clearly the underdog in the smartphone market, so what is their excuse this time?
Source: Ars Technica