Posing as a Valid Wi-Fi Access Point, a Hacker can Steal Corporate Passwords from Windows Phone

Posing as a valid Wi-Fi access point, an attacker can use Windows Phone to steal domain credentials and gain access to the corporate network.

Rod Trent

August 6, 2013


Over the last weekend, Microsoft issued Security Advisory 2876146, indicating that it is aware of a security issue that makes Windows Phone (versions 8 and 7.8) vulnerable to attack. The issue stems from a vulnerability in PEAP-MS-CHAPv2 authentication: after obtaining the victim's domain credentials, an attacker can compromise the entire corporate network. In short, the attacker uses a device to pose as a valid Wi-Fi access point. Windows Phone attempts to connect to the fake Wi-Fi network and exposes the domain credentials.

There is currently no patch available and no active attacks, but Microsoft is providing descriptive guidance to help curb the potential for unauthorized entry. In the Security Advisory, Microsoft details how to force Windows Phone 8 to require a certificate when connecting to a wireless access point.

Read the full guidance here: Microsoft Security Advisory (2876146)

 
