Microsoft has warned IT personnel to tighten up their WiFi networks after discovering that a security vulnerability in Windows Phones can leak users’ passwords.
Rogue hotspots can capture employees’ encrypted domain credentials from the devices. These credentials are needed to authenticate with corporate systems and access network resources. But the algorithm encrypting this sensitive data is cryptographically weak, allowing hackers to recover the login details and use them to masquerade as staffers.
“The attacker could take any action that the user could take on that network resource,” Microsoft warned.
Microsoft has urged IT bosses to distribute a special root certificate to Windows Phone 8 and 7.8 devices accessing their networks. This would ensure that the phone authenticates the network before any sensitive data is transferred over it.
Microsoft has no plans to release a fix for the issue.
The software giant said the devices “can be configured to validate a network access point to help make sure the network is your company’s network before starting an authentication process. This can be done by validating a certificate that’s on your company’s server. Only after validating the certificate is username and password information sent to the authentication server, so the phone can connect to the Wi-Fi network.”