Friday, 12 August 2022

Rogue Access Points Can Be Used to Exploit Flaw in PEAP-MSCHAPv2 on Mobile Devices


Microsoft has had its share of flaws to deal with across a wide range of products, so it is no surprise to read that another “flaw” is making the rounds, one related to an older flaw that someone exposed about a year ago. The first flaw was a laughably weak encryption scheme intended to protect the username and password during PEAP-MSCHAPv2 authentication; someone was able to break it quickly and recover the credentials used to log on. That flaw does require access to the device the user was connecting to (RADIUS server, firewall, etc.), so it is a little harder to pull off. Now it looks like there is a further flaw that removes the need to compromise other equipment.


The new “flaw” revolves around the way devices connect to wireless access points when you are using WPA2 Enterprise as your security type. WPA2 Enterprise requires a RADIUS server as a go-between to validate user credentials. These credentials are pulled from Windows domain resources or from a local list (if you are not running Windows). In the Windows world the most common protocol used to pull domain information is PEAP-MSCHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2). Administrators can control access to wireless networks through Active Directory rather than having to worry about WPA2 passwords or other shared secrets. You can also push out wireless configurations to laptops and certain mobile devices using Group Policy, which makes wireless administration very simple. All a user needs to do is type in their existing username and password; the WAP (Wireless Access Point) queries the RADIUS server to see if this user has access, the RADIUS server talks to Active Directory and responds back to the WAP… simple, right?
Now that we know PEAP-MSCHAPv2 is vulnerable to attack and can expose a user’s credentials, things are a little different: during the negotiation phase someone can skim the user’s credentials off the exchange and gain access to your network.

WPA2 Enterprise options on a Note II

Sadly the issue gets worse: in most cases the setting that checks the identity of the WAP (using a device certificate) is disabled. There are multiple reasons why this is off, but the most common is that companies do not want to spend the time or money to install a valid certificate on all of the wireless controllers in their environment. There is also the problem of managing device names and identities, which makes this something a lot of companies simply overlook. In a non-centralized wireless network you might have to install a certificate on each and every access point you have, making the administrative overhead a nightmare.

However, all of this will change, as Microsoft is now stating that leaving this unchecked allows someone to use a rogue access point to gather the credentials from PEAP-MSCHAPv2. Yup, you read that right: someone can put a rogue WAP in or near your organization that mimics your corporate SSID, and since mobile devices are designed to connect to known SSIDs automatically, they will potentially attempt to connect to that rogue device and log in using WPA2 Enterprise. When that happens the malicious person can crack the weak encryption in PEAP-MSCHAPv2 and obtain a valid user login to your domain. You will never know that it was compromised, and if the credentials have enough privileges things can get really nasty. This is a common flaw across all operating systems and mobile devices. It is not just a Windows Phone issue, but it is certainly a Microsoft issue: the protocol that is allowing such easy access to user login information is a Microsoft one.

Microsoft has not mentioned a time frame for a fix or update to PEAP-MSCHAPv2 and is now recommending that everyone enable certificate checking to mitigate this problem. You should also make sure that your administrative wireless network is not broadcasting its SSID. Hiding your corporate SSID is an easy fix, but installing valid device certificates on a large number of WAPs will cost quite a bit of time and money for something that Microsoft should fix anyway, and we have not even gotten into changes in the way certificates for devices are issued…
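As an added example (not from the original article), here are the two settings side by side in wpa_supplicant syntax, with a small checker that flags PEAP network blocks that would accept any RADIUS server. The config is constructed for this example: the SSID, identity, password and certificate paths are placeholders.

```python
"""Audit wpa_supplicant network blocks for PEAP-MSCHAPv2 server validation."""
import re

# Constructed sample config: the first block skips server validation (the
# weak setting described above), the second pins the RADIUS server's CA and
# expected name so a rogue AP with a different certificate is rejected.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""

def parse_networks(text):
    """Return one dict of key/value settings per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit(net):
    """Return findings for a PEAP block; an empty list means server validation is on."""
    findings = []
    if net.get("eap", "").upper() != "PEAP":
        return findings  # only PEAP blocks are in scope here
    if "ca_cert" not in net:
        findings.append("no ca_cert: any RADIUS server certificate is accepted")
    if not any(k in net for k in ("domain_suffix_match", "subject_match", "altsubject_match")):
        findings.append("no server name match: any certificate from the trusted CA is accepted")
    return findings

if __name__ == "__main__":
    for net in parse_networks(SAMPLE_CONF):
        print(net["ssid"], audit(net) or ["OK"])
```

Windows and mobile clients have the equivalent switches in their PEAP profile (validate server certificate, trusted root CA, expected server name); the checker only covers the wpa_supplicant form.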



Last modified on Tuesday, 06 August 2013 14:19
