Posing as a Valid Wi-Fi Access Point, a Hacker can Steal Corporate Passwords from Windows Phone

Over the last weekend, Microsoft issued a Security Advisory (2876146) suggesting that they are aware of a security issue that makes Windows Phone (versions 8 and 7.8) vulnerable to attack. In fact, based on the evidence of a vulnerability in PEAP-MS-CHAPv2 authentication, an attacker can compromise the entire corporate network after obtaining the victim's domain credentials. In short, the attacker uses a device to pose as a valid Wi-Fi access point. Windows Phone attempts to connect to the fake Wi-Fi network and exposes the domain credentials.

There is currently no patch available and no active attacks, but Microsoft is providing descriptive guidance to help curb the potential for unauthorized entry. In the Security Advisory, Microsoft details how to force Windows Phone 8 to require a certificate when connecting to a wireless access point.

Read the full guidance here: Microsoft Security Advisory (2876146)