Windows Phones open to hackers when connecting to rogue Wi-Fi


Summary: Microsoft has warned that a vulnerability in Windows Phone operating systems could allow hackers to access your passwords when connected to rogue Wi-Fi hotspots.


A new Microsoft security advisory warns that smartphones running the Windows Phone operating system could be susceptible to infiltration when connecting to a rogue Wi-Fi hotspot.

A rogue access point, also known as a rogue AP, is a Wi-Fi access point installed on a network, operating without authorization and not under the control of a systems administrator. If installed, rogue APs could allow anyone to connect to your network through Wi-Fi, and may not adhere to WLAN security policies.

The bulletin, advisory 2876146, says that hackers could exploit a known weakness in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2). The protocol is used in Windows Phones for WPA2 wireless authentication.

The tech giant says that an attacker can exploit a weakness in the protocol when the mobile device attempts to automatically authenticate with a hotspot posing as Wi-Fi. Once the attempt to connect is made -- without user permission -- a hacker can intercept the victim's encrypted domain credentials before decrypting and lifting the data.

"To exploit this issue, an attacker controlled system could pose as a known Wi-Fi access point," the advisory warns. "An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource."

Microsoft has not received any reports of this vulnerability being used to steal corporate data, passwords or breach a network to date. There is no security patch available for this; instead, Microsoft suggests that you enable the certificate verification process before executing the PEAP-MS-CHAPv2 protocol to connect to Wi-Fi hotspots.

The bulletin contains instructions for configuring your Windows Phone versions 7.8 or 8 to fix the security flaw. Older versions are not affected.

  • impossible!

    We were told by all the usual suspects, that Windows Phone is very secure. Somebody is making this stuff up!

    Oh, and by the way whoever invented the wording in this article, such as "a hotspot posing as Wi-Fi" made me have a good laugh. And the definition of "rogue AP"... Thanks! :-)
    • Actually...

      The Phone never gets hacked! If you read the statement again...
      "Those credentials could then be re-used to authenticate the attacker to network Resources"

      So the network gets hacked (not the phone), and it's fixed by using digital certificates (as all Corporate networks should do).

      But it's still something needing to get fixed in the OS, but more a worry for the Network Admins than the Phone User...
      • Let me get this right

        Windows phone is secure, it can't be harmed (yet) but it will leave your entire network open to attack.

        Gotcha, WP is secure.
        Little Old Man
        • No

          You have it wrong.
        • Neither device nor network is hacked

          As I understand the article, the vulnerability is that the communication between the device and the network can be intercepted and certain passwords can be decoded from it (if the mentioned protocol is used for authentication). Nothing is attacked directly.
          Matjaž Miler
          • And yet

            If the headline read "iPhone open to hackers when connecting to rogue Wi-Fi" you would be all blaming Apple for this. There would be no "well it's the protocol used and the device is not attacked directly" excuses.
          • No, Microsoft would be blamed again.

            As in "How did M$ push its horribly unsafe protocol onto iPhones? Down with Ballmer!" and similar.
            Matjaž Miler
        • Not quite

          The authentication protocol itself is insecure. Windows phone supports said protocol.

          As I understand it, any device (not just Windows Phone) that supports PEAP-MS-CHAPv2 would be susceptible to this kind of attack. Network admins should either use a different authentication protocol or make sure that every device connecting to the network is set to verify certificates.
          Joel Spadin
          • Or..

            Eliminate rogue/unauthorized hot spots in their corporate environment?
    • Well, just like Windows Phone is magical and has "no lag"..

      it's the same case with security. Windows Phone was made in fantasy land where there's zero lag, everything launches quickly, and security flaws don't exist. Well, at least the fanboys think so, but to hell with fanboys.

      P.S.: WP does have pretty less lag, but with all the slow-ass animations and app loading speeds it's not actually the greatest, just fools a few people with all the smooth animations.
      • It would be nice...

        ...if Android could "fool" people this way too. Don't you think?
        Ehsan Irani
    • This has nothing to do with the phone

      This is a good ol' man-in-the-middle attack on an unsecured protocol.

      Just because the phone can connect to a network with an unsecured protocol doesn't make the phone itself unsecured. If that is the case, your Mac is just as unsecured when you connect to a network/website with an MD5 SSL connection.
      • Re: MD5 SSL connection

        Care to enlighten us what an "MD5 SSL connection" is?
  • Affects iOS and Android too?

    I read on another site that this affects iOS and Android too? Since it is a protocol flaw, that would make sense. Glad to see Microsoft being proactive with a solution, regardless.
    • Oh really? Link please...

      According to this article:
      "The bulletin, advisory 2876146, says that hackers could exploit a known weakness in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2)."

      So the weakness is in the "MICROSOFT Challenge Handshake Authentication Protocol", which is a new protocol to me. I've never needed to connect a Linux-based device to a WPA2 access point using that protocol before.
      • Well others do...

        Apparently this has been an option for Android devices (and a source of compatibility issues) since at least 2011...

        So tell us again how Android devices are not affected by this bug?

        Especially when Wikipedia also mentions that there is a security problem if you don't use digital Certificates:
        • I don't know if there is the same bug on android or not

          But your link is from April 2011! Are you sure the problem is still there?!

          Anyway, this is not about Android and it's kinda irrelevant for this discussion if others have it or not. It's also irrelevant to try to make others look better based on this article alone.
          • Protocol not software

            This is a protocol bug, which means any device using it, without using certificate validation, is vulnerable.

            Microsoft cannot however give out security warnings for iOS and Android without their relevant attorneys jumping up and down and sending out lawsuits by the container load.
          • Then avoid the protocol.

            Personally, I've never even heard of PEAPv0_with_EAP-MSCHAPv2 before. Does anyone offer it as a default?
          • Well, seems it has been popular...

            Not that Wikipedia is the best source of info, but it has a good introduction at . You'll find all kinds of info on PEAPv0_with_EAP-MSCHAPv2 with a quick search. Although based on an older connection method, it apparently has been used quite a bit. And if you don't authenticate via CA, seems it is easy to crack (which was the point of the article, and yes, not specifically Windows Phone).