MS: Windows Phone 8 Wi-Fi Vulnerable, Cannot Be Patched

Freshly Exhumed writes "Microsoft advises that a cryptographic problem in the PEAP-MS-CHAPv2 protocol used in Windows Phone 8 to provide WPA2 authentication allows a victim's encrypted domain credentials to be collected by an attacker posing as a typical WiFi access point. Redmond further states that this problem cannot be patched, although a set of manually entered configuration changes involving root certificates on all WP8 phones and on WiFi access points will apparently address the issue. WP7.8 phones are likewise vulnerable."
  • by Anonymous Coward on Thursday August 08, 2013 @09:56AM (#44508893)
    Robert Scoble is a former technology evangelist at Microsoft who decided to leave the company in June 2006 to become the vice president of Podtech.net. At that time, it was believed that Scoble had resigned because he was looking for a higher salary elsewhere.

    Innovation is the key, he said, pointing out that Microsoft had completely failed to get itself noticed in the tablet and smartphone markets.

    "Since I've left [Microsoft], what have they done that's interesting? Microsoft [Xbox] Kinect is the only thing I can think of and for a company that has 90,000 employees, to have only one product that you can point to that's innovative, that's pretty disappointing I think,” he said according to The Age.

    "Compare that to Google, which is showing you self-driving cars, Google Glass and a phone that you can talk to, the Moto X, and on and on — automatic picture improvements on Google+ — It's a much more innovative company that is driving the future harder and faster."

    One of the reasons why Microsoft fails to innovate right now is the current leadership, Scoble explained, revealing that Steve Ballmer is actually trying to make more money by rolling out innovative technologies.

    “I just don't believe Steve Ballmer really likes the future. When I interviewed [him] he said innovation is something cool that makes a lot of money. And that's absolutely not true. [Google Glass] might never make a dollar but it's new, it's interesting [and] it causes conversations. If you're an innovator, you push the future ahead. You don't care whether it necessarily makes a dollar,” he continued.

    http://news.softpedia.com/news/Former-Employee-Says-That-Microsoft-Is-Not-Longer-Cool-Blames-Steve-Ballmer-373770.shtml [softpedia.com]

  • by dbIII ( 701233 ) on Thursday August 08, 2013 @10:06AM (#44509011)
    So it's 1984, and I'm in a high school math class where I have to write a very simple calendar program on a Sperry computer, never knowing that years later the guy that did the same thing on the Zune would have got a zero and be held up as an epic failure to programmers today. How the fuck do you forget leap years? How the fuck do you mess things up so badly that your device will not even turn on on some days due to that calendar bug? How bad is the quality control to miss such a thing that was a high school level exercise decades ago?
  • by Anonymous Coward on Thursday August 08, 2013 @10:23AM (#44509253)

    because the root certificate being installed is for the internal domain and Microsoft doesn't have that certificate.

    Please note: this is only for PEAP using domain credentials, not standard WPA2-PSK that just about everyone uses.

    The scary thing (if I read this correctly) is that someone could theoretically sit outside a business where a lot of WP8 users are, listen for a while to snoop the wireless details (SSID, AP's MAC, whatever they want) and then set up a fake hotspot in the parking lot. As phones leave the building's wifi perimeter, they will try to re-auth to the fake hotspot and give away their user's credentials. The user can then turn their wifi gear toward the building, and log in as an insider with probably tons-o-access to the internal network and the crown jewels.

    Who cares if it's only a few businesses or that "most people" don't bother with it, the potential for targeted abuse is so huge that I don't see any sane enterprise keeping this turned on. They are better off just handing out "secret" WPA keys to their users than bothering with auth that basically ensures they are vulnerable.

  • by WaffleMonster ( 969671 ) on Thursday August 08, 2013 @11:59AM (#44510529)

    I personally contacted MS security people about this years ago, before WP8 was released, and they told me they would look into this and get back to me. Guess what: I tried to follow up and they never did.

    To be very clear, the problem is the complete lack of the necessary levers and knobs to validate the TLS certificate and the common name of the certificate in WP7-8. Without these options TLS is trivially MITM'd; this leaves only MS-CHAPv2, which has been known to be completely and publicly broken for years.

    What is worse, they don't even try: there is not even a leap-of-faith latch as there is in other mobile platforms, whereby if the cert changes it at least tells you it is different... The system never warns you or anything.

    To be even more clear this is not a problem that Microsoft just stumbled on... They knew full goddamn well what the implications of leaving those levers and knobs out of WP7 were... They knew about them circa 2002-2003 when their wireless supplicant was released for XP. They just didn't give a shit.
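
The "levers and knobs" the comment above refers to are the supplicant settings that pin the RADIUS server's CA and expected name. As an added example (not part of the thread, and not Windows Phone configuration), this audits wpa_supplicant-style network blocks, where those settings do exist, for PEAP/TTLS profiles that omit them; the SSIDs, file path and server name are constructed.

```python
import re

# Constructed sample config (not from the page): weak profile vs. pinned profile.
SAMPLE_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi-Pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
'''

TRUST_KEYS = {"ca_cert", "ca_path"}            # which CA may sign the RADIUS cert
NAME_KEYS = {"domain_match", "domain_suffix_match",
             "subject_match", "altsubject_match"}  # which server name is expected

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        pairs = (ln.strip().split("=", 1) for ln in body.splitlines()
                 if "=" in ln and not ln.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Map SSID -> findings for PEAP/TTLS profiles lacking server validation."""
    report = {}
    for net in parse_networks(text):
        tunnelled = {"PEAP", "TTLS"} & set(net.get("eap", "").upper().split())
        if "WPA-EAP" not in net.get("key_mgmt", "") or not tunnelled:
            continue  # PSK and non-tunnelled profiles are out of scope here
        findings = []
        if not net.keys() & TRUST_KEYS:
            findings.append("no trust anchor: any server certificate is accepted")
        if not net.keys() & NAME_KEYS:
            findings.append("no server name check: any cert from a trusted CA passes")
        if findings and "MSCHAPV2" in net.get("phase2", "").upper():
            findings.append("MS-CHAPv2 exchange exposed to a rogue access point")
        report[net.get("ssid", "?")] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` returns three findings for the unpinned profile and an empty list for the pinned one.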

  • by r1348 ( 2567295 ) on Thursday August 08, 2013 @12:50PM (#44511217)

    Luckily, there's no such thing as a "business where a lot of WP8 users are", except maybe for Microsoft itself, but I wouldn't bet my life on it...

  • by WaffleMonster ( 969671 ) on Thursday August 08, 2013 @01:13PM (#44511475)

    I think technically the flaw cannot be patched, but the vulnerability can be mitigated. Reading it, it seems to be an inherent problem with the algorithm.

    This is not the case here. It is a flaw in the MS implementation of a technology rather than the technology itself. A flaw that, by the way, does not exist in other versions in Microsoft's own products if they are configured properly.

    Presumably it is analogous to the DNS cache poisoning flaw that Dan Kaminsky discovered in 2008. DNS was patched to make it less vulnerable but the flaw existed in the protocol itself. There was truly no way to fix it without re-writing the protocol.

    There was no way to fix SYN attacks against TCP without replacing it either... oh wait, yes there was: cookies were added to mitigate the problem and today are widely deployed. The same solution for DNS continues to sit on a shelf and collect dust for no sane reason.

    http://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03 [ietf.org]

    Replacing it with DNSSec was the recommended course of action.

    April 1st must come late this year cuz DNSSec is glued on top of DNS and has all the same insane transport issues that we continue to allow DNS to have. Only now with significantly higher computational cost and DDOS amplification factors which just might give SNMP with public community strings a run for its money.
