You should always practice caution when connecting to an unsecured Wi-Fi hotspot, but Windows Phone users need to be extra careful due to a newly discovered vulnerability in Microsoft's mobile operating system. If a Windows Phone user connects to the 'wrong' hotspot, a hacker could sniff out and steal their domain username and password.
"Microsoft is aware of a public report that describes a known weakness in the Wi-Fi authentication protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), used by Windows Phones for WPA2 wireless authentication. In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device," Microsoft explained in a security advisory.
could use the vulnerability to pose as a known Wi-Fi access point, thereby causing a Windows Phone 7.8 or Windows Phone 8 device to automatically attempt to authenticate with it, in essence handing over encrypted domain credentials to the attackers.'
"An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource," Microsoft said.
The good news? Microsoft isn't aware of any active attacks exploiting this specific vulnerability, though that's not to say it won't ever happen. To play it safe, Microsoft's advisory lists a handful of suggested actions to secure your Windows Phone device from this exploit.
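The attack described above works only if the phone starts its inner MS-CHAPv2 exchange without first checking that the PEAP server on the other end of the TLS tunnel is the organisation's own RADIUS server. The control that blunts it is therefore client-side server-certificate validation: the profile must require validation, pin a trusted root CA, and tie the certificate to the expected server name. The following script is an added example, not code from the article or from Microsoft: it audits an exported Wi-Fi profile for those three settings. The two sample profiles are constructed, the thumbprint is a placeholder, and the element and namespace names follow Microsoft's PEAP connection-properties XML schema as the author recalls it, so verify them against a real exported profile (`netsh wlan export profile` on desktop Windows) before relying on the check.

```python
"""Audit a Wi-Fi (EapHostConfig) profile for PEAP server-certificate validation.

Added example; the sample profiles are constructed and element/namespace names
are assumptions to be checked against a real exported profile.
"""
import xml.etree.ElementTree as ET

# Constructed profile template (PEAP, EAP type 25, wrapping MS-CHAPv2, type 26).
# The three placeholders are the settings that decide whether the client will
# hand its MS-CHAPv2 response to an arbitrary access point.
PROFILE_TEMPLATE = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <ServerNames>{names}</ServerNames>
          {root_ca}
        </ServerValidation>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>26</Type>
        </Eap>
        <PeapExtensions>
          <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{perform}</PerformServerValidation>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>"""

# Weak: no server validation, no pinned root, no server-name restriction.
WEAK_PROFILE = PROFILE_TEMPLATE.format(perform="false", root_ca="", names="")

# Hardened: validation on, root CA pinned (placeholder thumbprint), name restricted.
HARDENED_PROFILE = PROFILE_TEMPLATE.format(
    perform="true",
    root_ca="<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>",
    names="radius.corp.example",
)


def _local(tag: str) -> str:
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _all_texts(root: ET.Element, name: str):
    """Yield the stripped text of every element with the given local name, in document order."""
    for el in root.iter():
        if _local(el.tag) == name:
            yield (el.text or "").strip()


def _first_text(root: ET.Element, name: str):
    """Text of the first matching element, or None if the element is absent."""
    return next(_all_texts(root, name), None)


def audit_peap_profile(xml_text: str) -> dict:
    """Return the validation posture of a PEAP profile plus a list of findings."""
    root = ET.fromstring(xml_text)
    types = list(_all_texts(root, "Type"))
    if not types or types[0] != "25":
        return {"peap": False, "findings": ["not a PEAP (EAP type 25) profile"]}

    perform = (_first_text(root, "PerformServerValidation") or "").lower() == "true"
    root_ca = _first_text(root, "TrustedRootCA")
    names = _first_text(root, "ServerNames")

    findings = []
    if not perform:
        findings.append("PerformServerValidation is not true: inner MS-CHAPv2 "
                        "would run against any AP presenting the SSID")
    if not root_ca:
        findings.append("no TrustedRootCA thumbprint: any certificate chain is accepted")
    if not names:
        findings.append("ServerNames is empty: certificate is not tied to the RADIUS server")

    return {
        "peap": True,
        "inner_mschapv2": "26" in types[1:],
        "server_validation": perform,
        "root_ca_pinned": bool(root_ca),
        "server_name_restricted": bool(names),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = audit_peap_profile(profile)
        print(label, "->", result["findings"] or "OK")
```

Matching on local element names rather than full namespaces keeps the check working if a profile uses the V1 or V2 namespace for the extension block; the cost is that a stray element with the same local name elsewhere in the file would be picked up, which is acceptable for a triage script but worth tightening if the audit is automated at scale.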