Microsoft warns of a rogue Wi-Fi vulnerability on our Windows Phones

Microsoft has issued an advisory warning concerning a Windows Phone vulnerability when connecting to rogue Wi-Fi networks.

The issue at hand rests in a Wi-Fi authentication scheme (PEAP-MS-CHAPv2) which our Windows Phones use to access protected wireless networks. Cryptographic weaknesses in the technology can allow an attacker to recover a Windows Phone encrypted domain credentials (passwords) when it connects to a rogue access point.

For those who aren't up on their security, a rogue access point is a wireless access point that has been installed on a secure company network without authorization or has been created by a hacker to accommodate attacks.

Microsoft is not expected to issue an update to correct this issue but instead recommends users require a certificate to verify a wireless access point before starting the authentication process from our Windows Phones.

Microsoft has detailed instructions on how to require the certification in their advisory that entails, deleting the Wi-Fi network from your Windows Phone and then re-establish the network connection after receiving the root certificate from the network's Corporate IT.

Source: Microsoft (opens in new tab) via: ARS Technica (opens in new tab); Thanks, everyone, for the tip!

George is the Reviews Editor at Windows Central, concentrating on Windows 10 PC and Mobile apps. He's been a supporter of the platform since the days of Windows CE and uses his current Windows 10 Mobile phone daily to keep up with life and enjoy a game during down time.

  • No problem on my end. As a long time hacker/geek, I don't connect to wifi just because its there as a rule. But thanks for the heads up.
  • Same. Don't trust sources you don't know. 
  • the lamest excuse for security problems. just next with use brain.exe
  • The Wifi on WP8 is just a pain anyways.. really no problem with more problems adding on top :)
  • What pains do you have with the WiFi?
  • That is my question.
  • Hmm.. hidden ssid .. Automatic connection to same wifi name in other areas lika starbucks free wifi.. information about connection..wifi turn off not on after battery saver
  • So are my home and college WiFi safe to use? Cause those are the only ones I use for WiFi
  • Yes, they are fine
  • Home, yes. College? Maybe. If your College has a "hacking" club like mine does (which I'm a member of), you might not want to risk it. :P
  • I hope college networks are fine. My wife works at a university and its a live on campus position. So our internet is the college's network.
  • Depends. Do you have your own Router (that student's have to get for most dorms) or do you use the public WiFi? If you have your own Router and are connected to the internet from it, you should be fine.
  • In other countries there are college WiFi networks? Ah, I'm jealous :o
  • Well that's nice. They won't fix it, and all WE have to do is become IT specialists. FAIL!
  • It doesn't need "fixing" it does not affect 90% of users. Its only an issue for people using secure networks that are not currently using the proper authentification.
  • Oh whatever. If this was Apple, you all will be crying. It freaking needs fixing.
  • I think you need to reread the article. 
  • They won't fix on 7.8. Its a dead Os.
  • So what does this mean, exactly? To no longer use WiFi on the phone???
  • No, it means do nothing. This does not affect the normal user. Only secure business servers. If you work for somewhere with the type of network its talking about, then you would already be using the correct authentication
  • Thank you!
  • My understanding from the thread at ArsTechnica is that this affects users who connect to corporate WiFi networks that use PEAP-MS-CHAPv2
    The problem seems to be twofold:
    1. WP8 will try to connect to an access point that has the same name as one of your "known networks" so anyone could spoof your wifi and have your phone automatically try to connect. I haven't tested this but the other thread reports it is true.
    2. If your wifi is using PEAP-MS-CHAPv2 the default is your phone will not check for a server certificate and will send your domain credentials in a way the spoofed wifi network could read. The solution is to change the default setting to require checking for the server certificate.
    So the scenario would be:
    You normally connect to your corporate WiFi network that uses PEAP-MS-CHAPv2 and have it saved as a known network that is automatically connected when you are in range. Your corporate network is called "BigCoWiFi". You set up your wifi connection with the default settings. A bad guy sets up a wifi access point at your favorite lunch spot also called "BigCoWiFi" and your phone tries to connect automatically and sends your domain credentials across in a way the bad guy can read.
    I got this info from but people on that thread don't seem to be in agreement on all the specifics.
  • Thank you for the explanation!
  • ahhh.  Thank you.
  • This is off subject, but has anyone ever thought that MS might be planning on having full Instagram integration in WP8.1? Maybe, 8.1 will integrate Instagram in the same way Facebook is on our phones... This is a possibility❕
  • It is not a possibility.
  • Why?
  • Carry on now...
  • Rodneye's high again.
  • Lol!.. Again❔.. So, you're saying I came down at some point❔
  • For once, you may actually have something here. Instagram are backing a new third party app. That tells me that they are interested in wp. So they are either a) lazy. Or b) working with ms on something. And what a coup that would be. Even the verge would have to write that up as a win.
  • For once I may actually have something here... Lol❕.. Kellzea, like I always tell NIST... "You are getting on my last set of nerves"... :-)
  • I think I may see pigs fly before I see instagram show up in my WP accounts list.
  • It's amazing that some ducks can fly...
  • This guy is Nutz..
  • This dude has just won the most coveted "Joker of the Century" award!
  • What a idiot❕
  • Reading the article's comment section is so much fun though lol.
  • That's because of idiots like me.
  • ? Why are you even calling yourself idiot? Btw, did you post any comments in that Nokia Lumia 1020 article? Seeing quite a lot of WP supporters in the article makes me feel quite relieved hehe.
  • Lol❕❕.. Yeah, I slandered the journalist so bad, I'll probably get band from that site for life.. I mean,, I talked about his mother, blatantly cursed him out several times, and I was just plainly being a all out dick to this guy.. My language was COMPLETELY unacceptable❕.. I feel real good now.
  • OMG! I just got a light bulb in my head. I just realize that my Joker of the Century comment could be very easily understood as referring to you lol. In case there is misunderstanding, the "Joker of the Century" refers to that dumb Nokia Lumia 1020 reviewer. Please pardon my ignorance, Sir!
  • In other words, next time you're at at the local NoTell Motel with your little
    something-something on the side, don't use the motel's complimentary WiFi to check on whether your wife e-mailed you cause something's husband might hack in and end up  emailing your wife for you.
  • George, I think this article should have had a bit more detail so as to not spook the network un-initiated.
    As I understand the security bulletin, this is only a danger when you access SECURED (password-protected) networks. If a hacker is spoofing the network you normally access with secure credentials, you might be vulnerable. The work-around attached to the bulletin allows you to be sure that the password-protected network you are accessing is really the network you think it is before your credentials (passwords) get transmitted.
    THIS WILL NOT AFFECT PUBLICLY ACCESSIBLE WI-FI NETWORKS, at least as I understand it. Correct me if I am wrong.
  • Dont worry, the NSA doesn't need WiFi to hack you.
  • Right❕
  • It will take another 18months before they fix it though
  • Yeah try 10 years! RADUIS authentication (not wpa/wpa2) has has this vunerability since server 2003
  • "windows phone encrypted domain credentials"... How is this possible when windows phone doesn't even support a domain?
  • TRUE.
  • Theyre talking about RADIUS authentication, most normal ppl use wpa/wpa2 so it wont affect them
  • Well, this just sucks.  I got my Lumia specifically so I could connect at work.  I emailed IT about getting a certificate and of course they have no idea how to get it, let alone send it to me so I can connect.
  • Same situation here, my phone is close to useless at work
  • Thanks!
  • We need to be very clear that This issue ONLY affects you if you use RADIUS for authentication, secondly, this is nothing new, rogue ap's and RADIUS have always been vunerable, shame on you WPCentral "scaremongering"
  • Yes, I believe this must be clarified properly. This vulnerability involves corporate WIFI that uses domain credentials to authenticate, different from the authentications used in usual home and public networks. PEAP-MSCHAPv2 is the most commonly used authentication in corporate networks for wireless connection, and the proper implementation of this is to use "CA certificates" validation. Every BYOD is vulnerable to this, not just WP. iOS and Android device using PEAP-MSCHAPv2 without certifacate validation is also prone to this. Its just that MS is responsible enough to publish this warning.
  • Meh... when it comes to my phone I tend to use my 3G exclusively.  I tend to get a good connection where ever.