Windows Phone Vulnerability

Posted: August 7, 2013 in Vulnerabilities

Microsoft has warned that a vulnerability in Windows Phone operating systems could allow hackers to access your login credentials.

The vulnerability resides in a Wi-Fi authentication scheme known as PEAP-MS-CHAPv2, which Windows Phones use to access wireless networks protected by version 2 of the Wi-Fi Protected Access protocol.

Cryptographic weaknesses in the technology can allow attackers to gain access to users' encrypted domain credentials. These credentials could potentially give the attackers access to sensitive corporate networks.

The advisory says:

http://technet.microsoft.com/en-us/security/advisory/2876146

To exploit this issue, an attacker controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim’s encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim’s domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource.

Microsoft does not intend to patch this vulnerability. Rather, it simply advises users of Windows Phones to require a certificate before joining wireless networks, and includes instructions for enforcing this in the phone settings. Microsoft has not received any reports of this vulnerability being used to steal corporate data or passwords, or to breach a network, to date.

Source: THN
