Microsoft warns Windows Phone users not to use WiFi -- wait, what!?
Windows Phone is a very closed system -- much like Apple's iOS. Because of this, users can comfortably use the operating system without fear of malware. However, this does not mean that the OS is free of vulnerabilities. Unfortunately, Microsoft has warned that Windows Phone 8 and 7.8 are vulnerable to a security weakness regarding Wi-Fi.
According to Microsoft, it is "...aware of a public report that describes a known weakness in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), used by Windows Phones for WPA2 wireless authentication. In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device". This is scary stuff!
The company further explains the vulnerability by saying, "...an attacker controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource".
Microsoft offers a solution by suggesting that a certificate be used to authenticate all access points. However, this is not practical; users want to access Wi-Fi without thinking about it -- sad but true. Also, the average user will simply not know how to do this.
Comically, Microsoft offers a second suggestion to prevent the Wi-Fi vulnerability from being exploited -- turning off Wi-Fi. Microsoft advises users, "In Settings, Wi-Fi, tap to toggle 'Wi-Fi networking' to Off". This reminds me of the old joke, where a patient tells a doctor that his arm hurts when he raises it above his head. The doctor offers a solution, "so, don't do that".
As a Windows Phone user I am not too concerned about the vulnerability. I've yet to meet another person using Windows Phone in public -- I don't think hackers are focused on the platform right now. Also Microsoft says it is "...not currently aware of active attacks or of customer impact at this time". Hopefully it stays that way.
Photo Credit: 3Dstock/Shutterstock