
Advisory FAQ

What is the scope of the advisory? The purpose of this advisory is to notify customers that Microsoft is aware of a public report that describes a known weakness regarding the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2. This issue affects Windows Phone devices. This issue affects the device operating systems that are listed in the Affected Software section.

Is this a security vulnerability that requires Microsoft to issue a security update? No, this is not a security vulnerability that requires Microsoft to issue a security update. This issue is due to known cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol and is addressed through implementing configuration changes on the wireless access points and on Windows Phone 8 devices.

What might an attacker use the issue to do? In most scenarios, an attacker who successfully exploited this issue could obtain a victim's domain credentials from the targeted device. An attacker could re-use a victim's domain credentials to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource.

How could an attacker exploit the issue? An attacker-controlled system could pose as a known Wi-Fi access point, causing the victim's device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim's encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials.

What is PEAP-MS-CHAPv2? PEAP-MS-CHAPv2 is a wireless authentication protocol used to authenticate a user to an access point with the intention of ensuring only authorized devices can connect to a wireless network. PEAP-MS-CHAPv2 is commonly used with the WPA2 wireless protection protocol.

What is WPA2? Wi-Fi Protected Access II (WPA2), IEEE 802.11i, is a security protocol used to ensure the confidentiality of wireless network communication and is the successor of WPA.

Suggested Actions

To help protect against exploitation of the issue described in this advisory, apply one of the following suggested actions:

Require a certificate verifying a wireless access point before starting an authentication process from Windows Phone 8 devices

A Windows Phone 8 device can be configured to validate a network access point to help make sure the network is your company's network before starting an authentication process. This can be done by validating a certificate that's on your company's server. Only after validating the certificate is user name and password information sent to the authentication server, so the phone can connect to the Wi-Fi network.

Issuing the certificate:

Corporate IT issues the root certificate that can be used to validate the wireless access point. The certificate should have an easy-to-remember name; for instance, "Contoso Corporate Root Certificate". This certificate could have already been provisioned via the IT-managed MDM (Mobile Device Management) solution.

The certificate can be issued via an email message. The email message should also contain instructions from the IT department on how to turn on Wi-Fi certificate validation. For instance, the email message could contain the following steps.

Configuring a Windows Phone 8 to require a certificate verifying a wireless access point:

After receiving the root certificate from Corporate IT, each Windows Phone 8 user performs the following steps:

Delete the previously configured Wi-Fi connection.
In Settings, Wi-Fi, tap Advanced
Tap and hold over the selected Wi-Fi network, and choose delete

Create a new connection and enable server certificate validation.
In Wi-Fi settings, tap on the enterprise Wi-Fi network access point which will open a Sign-in page
Enter username and password
Toggle "Validate Server Certificate" to On
Tap to choose a certificate
In the list of certificates to select, pick the root certificate issued from Corporate IT (for example, "Contoso Corporate Root Certificate"), and tap Done
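
The following is an added example, not part of the advisory, illustrating the kind of check that validating against a chosen root certificate performs. It uses OpenSSL with locally constructed certificates to show that a server certificate is accepted only when it chains to the pinned root's key, and that an untrusted look-alike CA reusing the same names is rejected. The host name radius.contoso.example and all function names are assumptions.

```bash
# Added example. All CAs, keys and certificates are constructed locally for the demo.

# Create a root CA with subject CN "$1" and a server certificate with CN "$2"
# signed by that CA, writing ca.pem and server.pem into directory "$3".
make_ca_and_server() {
  ca_cn="$1"; server_cn="$2"; dir="$3"
  mkdir -p "$dir" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca_cn" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$server_cn" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/server.pem" 2>/dev/null
}

# Succeed only if server certificate "$2" chains to the pinned root "$1".
chains_to_pinned_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Client-side decision: user name and password are released only after the
# server certificate has been validated against the pinned root.
client_decision() {
  if chains_to_pinned_root "$1" "$2"; then
    echo "send-credentials"
  else
    echo "abort"
  fi
}

demo() {
  demo_dir=$(mktemp -d)
  # The root that Corporate IT distributes and the user selects on the phone.
  make_ca_and_server "Contoso Corporate Root Certificate" \
    "radius.contoso.example" "$demo_dir/corp"
  # A different CA reusing the same subject names; its key is not the pinned one.
  make_ca_and_server "Contoso Corporate Root Certificate" \
    "radius.contoso.example" "$demo_dir/lookalike"
  pinned="$demo_dir/corp/ca.pem"
  echo "corporate server:  $(client_decision "$pinned" "$demo_dir/corp/server.pem")"
  echo "look-alike server: $(client_decision "$pinned" "$demo_dir/lookalike/server.pem")"
  rm -rf "$demo_dir"
}

demo
```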

Turn off Wi-Fi in Windows Phone devices

In Settings, Wi-Fi, tap to toggle "Wi-Fi networking" to Off
