Windows Phones BLAB passwords to hackers, thanks to weak crypto

Microsoft has warned IT departments to batten down their Wi-Fi networks following the discovery of a security vulnerability in Windows Phones that leaks users' passwords. Miscreants who set up rogue hotspots can grab from devices employees' encrypted domain credentials, needed to authenticate with corporate systems and access …

COMMENTS

This topic is closed for new posts.
Silver badge
FAIL

Microsoft

How should we fix a poorly implemented security feature? Add another feature on top and hope it works of course.

10
1
Anonymous Coward

Re: Microsoft

The issue is with the PEAP-MS-CHAPv2 protocol - not any hole in Windows Phone OS itself - which remains uncracked - unlike BB10 / Android / iOS.

The certificate validation feature to fix this already exists in the OS and isn't being added - it's now a requirement for secure access rather than previously just recommended....

5
12
Anonymous Coward

Re: Microsoft

"The issue is with the PEAP-MS-CHAPv2 protocol - not any hole in Windows Phone"

So it's just a Microsoft failing rather than a Windows Phone fail - vive la difference

13
6
Anonymous Coward

Re: Microsoft

See what you mean, but the protocol is behaving as designed, e.g. this isn't a buffer overflow or similar type of coding error.... This is more a case of technology having moved on, and the protocol is now too weak to use without specific mitigating controls in place...

7
0
Silver badge

Re: Microsoft

My my, the AC turfers/fanbois sure were all over this quick. Something tells me the only reason WP is "uncracked" is the market share. If they do get over that double-digit worldwide market share hump we will start seeing more stories like this.

3
0
Gold badge
WTF?

Re: Microsoft

"See what you mean, but the protocol is behaving as designed, e.g. this isn't a buffer overflow or similar type of coding error.... This is more a case of technology having moved on, and the protocol is now too weak to use without specific mitigating controls in place..."

When was Windows 8 released again?

3
0
Bronze badge

Re: Microsoft

"When was Windows 8 released again?"

It hasn't yet. Soon as it does, someone will own one and crack it.

0
0
Bronze badge

Re: Microsoft

"The certificate validation feature to fix this already exists in the OS and isn't being added - it's now a requirement for secure access rather than previously just recommended...."

As if a man-in-the-middle attack, as is what is currently being done, can't be enhanced to validate a certificate from the corporate server.

Nope, that is impossible.

As impossible as walking on the moon, but less technologically challenging.

0
0
Bronze badge

Re: Microsoft

"My my, the AC turfers/fanbois sure were all over this quick. Something tells me the only reason WP is "uncracked" is the market share."

Not at all. Microsoft's shitty security remains my bread and butter securing it.

That said, I recall another non-bug, one that Microsoft threatened legal action against anyone who claimed it existed.

Until they couldn't keep their own servers up for more than 15 seconds, the ping of death.

Still, I'd rather teach a user how to navigate a DOS tree than deal with CP/M with end users.

1
0
FAIL

Re: Microsoft

Who needs to crack the Windows Phone OS when they have such holes in their networking protocols?!

2
0

Re: Microsoft

Just what I was thinking, asdf. They're protected by the same reason Apple remained largely virus/attack free for so long: lack of malicious interest...

1
0
Anonymous Coward

This is the same on ANY wireless device if you don't check RADIUS cert and CA

It doesn't help that MS decided that the RADIUS cert needs to have CRCDP present... Why? How is my device going to check that resource when doing 802.1X?

0
1
h3
Bronze badge

Not a problem unless you were too lazy to use EAP-TLS. (Or something else that is decent and uses client certificates anyway).

3
0