Microsoft has warned that a vulnerability in Windows Phone operating systems could allow hackers to access your login credentials.
The vulnerability resides in a Wi-Fi authentication scheme known as PEAP-MS-CHAPv2, which Windows Phones use to access wireless networks protected by version 2 of the Wi-Fi Protected Access protocol.
Cryptographic weaknesses in the technology can allow attackers to gain access to users encrypted domain credentials. These credentials could potentially give the attackers access to sensitive corporate networks.
The bulletin, advisory 2876146, says:
To exploit this issue, an attacker controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource.
Microsoft does not intend to patch this vulnerability. Microsoft has not received any reports of this vulnerability being used to steal corporate data, passwords or breach a network to date. Rather, it simply advises users of Windows phones to require a certificate before joining wireless networks, and includes instructions for enforcing this in the phone settings.
