Windows Phone vulnerable to credential-stealing WiFi attack


Everybody knows (or at least, very much should) that it’s not a great idea to connect to unknown and untrusted WiFi networks. After all, they’re your conduit to the internet, and anything you send through them, unless properly secured, could in theory be intercepted by the administrator of that access point. This week, however, we learn of a new WiFi vulnerability that can strike Windows Phone users even when they’re trying to be vigilant about which networks they allow their phones to use.

The problem lies in how the phone handles domain credentials, which are prevalent in corporate settings. An attacker can set up a fake AP that mimics a legitimate one you’ve willingly told your phone to connect to. Then, by using a cryptographic attack on the authentication process, the attacker could remotely extract those domain credentials from your phone, and in turn give him or herself access to that corporate network.

Somewhat surprisingly, there are no plans to issue a patch for this vulnerability. Instead, Microsoft’s workaround is to direct users to configure their phones to connect only to access points in possession of a verified digital signature (using the “Validate Server Certificate” WiFi option). That should prevent the phones from attempting to authenticate with a rogue AP in the first place.

Source: Microsoft
Via: WPCentral

About The Author
Stephen Schenck
