Windows Phone 8 Crypto Weakness Equals Wi-Fi Risk
Microsoft warns information security managers to validate access points or risk attackers exploiting weak crypto to steal network credentials, gain access.
Windows Phone security alert: Unless corporate wireless access points are validated using a digital certificate, an attacker could spoof the network, steal users' network credentials and gain commensurate access to network resources.
That security warning was issued Sunday by Microsoft, which said that a weakness in a Wi-Fi authentication protocol used by all Windows Phone 7.8 and 8 devices could be exploited by an attacker to steal the encrypted network-access credentials stored on the device.
"To exploit this issue, an attacker-controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials," said a Microsoft security advisory. "An attacker could re-use a victim's domain credentials to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource."
Microsoft said that to date, it's seen no attacks in the wild that exploit this vulnerability.
... Read full story on InformationWeekPost a comment to the original version of this story on InformationWeek
