It is fair to say that most remote and traveling workers know that no public Wi-Fi hotspot is, or will ever be, deemed completely safe. But these days, that rings especially true for Windows Phone users when connecting to public wireless networks.
Earlier this month, Microsoft issued an advisory warning users that a critical flaw in Windows Phone 7.8 and 8 could leave users susceptible to password theft when connecting to rogue Wi-Fi networks.
Specifically, the flaw resides in a Wi-Fi authentication mechanism -- PEAP-MS-CHAPv2 - which enables Windows Phones to access protected wireless networks. However, the cryptographic vulnerability in question allows an attacker to glean Windows Phone login credentials when victims are connected to a rogue access point.
A rogue access point is a wireless access point that has been created by a hacker to field malicious attacks or otherwise installed on a legitimate network without the owner's authorization.
Once rogue hotspots are in effect, a potential hacker can garner encrypted domain credentials required for authentication on corporate networks, likely with the intention of obtaining illicit access to privileged network data.
Even still, a patch addressing the flaw won't be imminent. Rather, the Redmond, Washington based software company recommended that businesses and users configure their devices to leverage a special root certificate that enables the handset to verify the security of any given wireless access point to which its connected before transmitting sensitive data. To that end, Microsoft outlined instructions on how to acquire the root certificate, as well as deleting the rogue Wi-Fi network from the Windows Phone and re-establishing a clean network connection.
Indeed, users are largely on their own for this one. And as with similar vulnerabilities, the flaw comes with a set of serious ramifications regarding data loss. To that end, an attacker could impersonate a Wi-Fi hotspot and cause targeted devices to automatically attempt to authenticate the network. That, in turn would enable the attacker to infiltrate the victim's own domain credential, Microsoft warned.
"Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource," Microsoft said in its advisory.
That said, it doesn't yet appear that any such exploit has occurred. But among other things, the most recent flaw illuminates persistent security holes in public wireless networks, and underscores that users should continue to be wary when sending personal or sensitive information over Wi-Fi.
And while the Windows Phone vulnerability is currently the most visible, as previously mentioned, no public network is immune from attack. An unencrypted network leaves all transmitted data exposed for the world to see. What's more, unencrypted networks pave the way for hackers to hijack a users' session and gain access to their personal information and financial accounts, or visit a malicious Web site.
That's not to say that users should avoid public Wi-Fi, which in light of an increasingly remote and traveling workforce, is now nearing closer to impossible.
But there are a few ways to keep data transmitted over these networks protected from the prying eyes of miscreants. One of the safest bets is to leverage a robust encryption protocol, such as WPA or WPA2, that enable session isolation preventing uninvited individuals from sniffing out your private communications.
If encrypted wireless isn't available, users should try to log onto the network via a Virtual Private Network (VPN) connection. While these are typically offered via a company or organization, users can also implement personal VPNs, usually at a minimal cost.
Finally, if neither encryption or VPN is a viable option, users should always apply best security practices, such as maintaining antivirus and a personal firewall, hiding folders containing sensitive data and opting not to save and store passwords on the account site. In addition, users should increasingly rely on HTTPS and SSL protocols to boost security when accessing Web sites. And finally, it's smart to keep settings on "Public Network" when prompted to enter network location -- which among other things, will block file and printer sharing that represent popular threat vectors for hackers.