Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS: Windows Phone 8 Wi-Fi Vulnerable, Cannot Be Patched

Posted by timothy on from the is-there-a-workaround-for-the-workaround? dept.

Freshly Exhumed writes "Microsoft advises that a cryptographic problem in the PEAP-MS-CHAPv2 protocol used in Windows Phone 8 to provide WPA2 authentication allows a victim's encrypted domain credentials to be collected by an attacker posing as a typical WiFi access point. Redmond further states that this problem cannot be patched, although a set of manually entered configuration changes involving root certificates on all WP8 phones and on WiFi access points will apparently address the issue. WP7.8 phones are likewise vulnerable."

15 of 146 comments (clear)

  1. Why can't it be patched? by metrix007 · · Score: 5, Insightful

    If it can be fixed through manual configuration changes, why can't a patch make those same configuration changes?

    --
    If you ignore ACs because they are anonymous - you're an idiot.
    1. Re:Why can't it be patched? by i+kan+reed · · Score: 5, Funny

      Because the NSA won't let them?

    2. Re:Why can't it be patched? by Anonymous Coward · · Score: 5, Informative

      because the root certificate being installed is for the internal domain and Microsoft doesn't have that certificate.

      please note: this is only for PEAP using domain credentials. not standard WPA2-PSK that just about everyone uses.

    3. Re:Why can't it be patched? by Anonymous Coward · · Score: 4, Insightful

      watch as your actual-factual answer languishes at 0 while the "funny" comment about the NSA gets +5 Insightful.

    4. Re:Why can't it be patched? by aaron44126 · · Score: 4, Informative

      It says in the article that configuration changes must be made on the WiFi access points as well.

    5. Re:Why can't it be patched? by fuzzyfuzzyfungus · · Score: 4, Informative

      If it can be fixed through manual configuration changes, why can't a patch make those same configuration changes?

      The configuration change is enabling server certificate validation. If the network is set up for this, all is well: just like SSL, the server demanding the credentials from the client connecting to the network has a certificate, which the client can verify before attempting to authenticate. Spoofing becomes effectively impossible without access to a suitably signed cert.

      However, if the authentication server is not set up to use a certificate, or is set up to use a certificate not signed by one of the CAs in the client's list of trusted authorities, enabling server certificate validation will cause the client to freak out and never attempt to authenticate (since validation will, correctly, fail.)

  2. Oh please by Anonymous Coward · · Score: 5, Informative

    Every phone which implements CHAPv2 is vulnerable, because that's a broken algorithm. You can't patch it, because then it wouldn't be that algorithm anymore and stop working with other implementations of the algorithm. The right thing to do is to encapsulate it in a securely encrypted tunnel, but to have that, you have to check the certificates. If you don't secure the tunnel, an attacker can MITM you and crack the CHAPv2 inside. Not properly securing tunnels is a problem everywhere.

    1. Re:Oh please by tysonedwards · · Score: 4, Funny

      The fact that we have such lax tunnel security is a travesty.
      I propose that we immediately bring in the TSA to man the entrance to every tunnel, for our children!

      --
      Thirty four characters live here.
    2. Re:Oh please by jrumney · · Score: 4, Informative

      Every phone which implements CHAPv2 is vulnerable

      Other phones don't automatically give out your corporate domain login details using it though.

    3. Re:Oh please by 93+Escort+Wagon · · Score: 4, Informative

      Well, to be fair to the blasters and lambasters:

      - This is a protocol developed by Microsoft, and it's fundamentally broken
      - Knowing it's fundamentally broken, Microsoft still included it on their phone and enabled its use by default

      --
      #DeleteChrome
  3. Rather than issue a security advisory.. by Trailer+Trash · · Score: 4, Funny

    They ought to just call the guy who bought one and explain it to him.

    --
    Do you have ESP?
  4. Re:Can't you protect it with HOST files? by Anonymous Coward · · Score: 5, Interesting
    Robert Scoble is a former technology evangelist at Microsoft who decided to leave the company in June 2006 to become the vice president of Podtech.net. At that time, it was believed that Scoble had resigned because he was looking for a higher salary elsewhere.

    Innovation is the key, he said, pointing out that Microsoft had completely failed to get itself noticed in the tablet and smartphone markets.

    "Since I've left [Microsoft], what have they done that's interesting? Microsoft [Xbox] Kinect is the only thing I can think of and for a company that has 90,000 employees, to have only one product that you can point to that's innovative, that's pretty disappointing I think,” he said according to The Age.

    "Compare that to Google, which is showing you self-driving cars, Google Glass and a phone that you can talk to, the Moto X, and on and on — automatic picture improvements on Google+ — It's a much more innovative company that is driving the future harder and faster."

    One of the reasons why Microsoft fails to innovate right now is the current leadership, Scoble explained, revealing that Steve Ballmer is actually trying to make more money by rolling out innovative technologies.

    “I just don't believe Steve Ballmer really likes the future. When I interviewed [him] he said innovation is something cool that makes a lot of money. And that's absolutely not true. [Google Glass] might never make a dollar but it's new, it's interesting [and] it causes conversations. If you're an innovator, you push the future ahead. You don't care whether it necessarily makes a dollar,” he continued.

    http://news.softpedia.com/news/Former-Employee-Says-That-Microsoft-Is-Not-Longer-Cool-Blames-Steve-Ballmer-373770.shtml

  5. Re:oops... by binarylarry · · Score: 4, Funny

    Nah, whats the fun in hacking all 5 people who've bought Windows Phones?

    Apple Newton probably has bigger marketshare right now.

    --
    Mod me down, my New Earth Global Warmingist friends!
  6. Where does it say that it cannot be patched? by Fosterocalypse · · Score: 4, Informative

    You put it in quotes so I assumed you were quoting one of the two links you put in but neither state that. I know there's a lot of anti-MS people here but stick to the facts please. I understand that the current solution they offer is not a patch but something that the user needs to do manually, but seriously when you quote something use what they actually said. "Recommendation. Apply the suggested action to require a certificate verifying a wireless access point before starting an authentication process. Please see the Suggested Actions section of this advisory for more information." - from: http://technet.microsoft.com/en-us/security/advisory/2876146

  7. This is a willfull and intentional act by WaffleMonster · · Score: 4, Interesting

    I personally contacted MS security people about this years ago before WP8 was released and they told me they would look into this and get back to me guess what I tried to follow up and they never did.

    To be very clear the problem is complete lack of necessary levers and knobs to validate the TLS certificate and common name of certificate in WP7-8. Without these options TLS is trivially MITMd this leaves only MS-CHAPv2 which has known to have been completely and publically broke for years.

    What is worse they don't even try there is not even a leap of faith latch as there is in other mobile platforms whereby if the cert changes it at least tells you it is different... The system never warns you or anything.

    To be even more clear this is not a problem that Microsoft just stumbled on... They knew full goddamn well what the implications of leaving those levers and knobs out of WP7 were... They knew about them circa 2002-2003 when their wireless supplicant was released for XP. They just didn't give a shit.