Earlier this month, Microsoft announced that a new security vulnerability had been discovered in smart phones that ran Microsoft’s Windows Phone operating system.
The vulnerability appears when a smart phone using the Windows Phone operating system attempts to connect to an unsecured or rogue Wi-Fi access point.
Windows Phone Operating System Security Vulnerability
The security vulnerability in smart phones running the Windows Phone operating system arises from the use of a Wi-Fi authentication scheme known as PEAP-MS-CHAPv2. Windows Phones use this authentication scheme to access wireless networks running the security protocol Wi-Fi Protected Access, version 2.
The phone becomes vulnerable when it attempts to access a rogue access point and sends out the associated encrypted domain credentials. The credentials are then exploited using the vulnerability in Microsoft’s MS-CHAPv2 encryption, which allows decryption of the user’s data. Any phone that automatically polls access points and does not ask for security credential verification would be vulnerable.
This attack vector is believed to be built upon an attack devised by researchers more than a year ago. In that project, researchers learned of a way to attack the MS-CHAPv2 cryptographic scheme. The attack made the process of breaking MS-CHAPv2 trivial, creating a significant vulnerability in data secured with this protocol.
Microsoft has decided not to update, repair, or patch the cryptography associated with the Windows Phone operating system security vulnerability. Instead, Microsoft issued an advisory insisting that consumers take steps to protect their phones from Microsoft’s mistake.
Secure Your Windows Phone
The Microsoft advisory that detailed the extent of their Windows Phone security vulnerability also suggested a simple fix that would protect Windows Phone users.
Users are asked to enable wireless access point certificate verification on each phone that uses the Windows Phone 8 operating system. Microsoft also suggests that users disable Wi-Fi connectivity during periods in which the Windows Phone does not need Wi-Fi.
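The missing certificate verification described above is not specific to Windows Phone, so the following added example (not from the article or from Microsoft's advisory) goes beyond it and audits Wi-Fi profiles in wpa_supplicant.conf syntax, as used on Linux clients, for PEAP-MS-CHAPv2 networks that would accept any access point's certificate. The sample configuration, SSIDs, paths and function names are constructed for illustration.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not taken from the article).
SAMPLE_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi-Pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-corp-ca.pem"
    domain_suffix_match="radius.example.test"
}
network={
    ssid="HomePSK"
    key_mgmt=WPA-PSK
}
'''

# Options that bind the connection to an expected RADIUS server name.
NAME_CHECKS = ("domain_suffix_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one dict of key -> unquoted value per network={...} block."""
    return [dict(re.findall(r'^\s*(\w+)="?(.*?)"?\s*$', body, re.M))
            for body in re.findall(r"network=\{(.*?)\}", text, re.S)]

def audit(text):
    """Map SSID -> findings for profiles that explicitly use PEAP with MS-CHAPv2."""
    report = {}
    for net in parse_networks(text):
        if ("PEAP" not in net.get("eap", "").upper()
                or "MSCHAPV2" not in net.get("phase2", "").upper()):
            continue  # other authentication schemes are out of scope here
        findings = []
        if not net.get("ca_cert"):
            findings.append("no ca_cert: any access point's certificate is accepted")
        if not any(net.get(k) for k in NAME_CHECKS):
            findings.append("no server name check: any certificate from a trusted CA is accepted")
        report[net.get("ssid", "?")] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", findings or "certificate verification configured")
```

A profile with an empty findings list has the equivalent of the certificate verification the advisory asks users to enable.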