PEAP-MSCHAPv2 Vulnerability Allows For Credential Theft

Key Points
  • PEAP-MSCHAPv2 lets an attacker running a rogue access point capture and crack user credentials unless the client validates the RADIUS server certificate.

In August 2012, Microsoft published a security advisory about a known weakness in Wi-Fi and VPN authentication. PEAP-MSCHAPv2, an EAP method used with 802.1X and supported on nearly every platform, can be exploited to harvest user credentials from devices that are not configured to connect only to trusted RADIUS servers.

Organizations can close this hole by enforcing server certificate validation on every device, or by replacing PEAP-MSCHAPv2 with EAP-TLS. Read this case study of one of our Fortune 100 customers moving their network to EAP-TLS authentication with digital certificates.

PEAP-MSCHAPv2 Device Misconfiguration is an Enormous Security Liability

Here is a typical attack scenario. An attacker broadcasts an SSID that imitates a trusted network from a laptop, for instance on a college campus. A student whose device has not been configured to validate the school's RADIUS server will connect to the nearby imitation SSID automatically and attempt to authenticate against the attacker's rogue RADIUS server. PEAP wraps the inner MS-CHAPv2 exchange in a TLS tunnel, but that tunnel terminates at the attacker's server, so the attacker sees the MS-CHAPv2 challenge and response in the clear. The response is three DES encryptions of the challenge, keyed with pieces of the user's NT password hash, and that construction has well-documented weaknesses: the third DES key contains only 16 unknown bits, and the other two can be recovered with a single 2^56 DES key search or, far more cheaply, with an offline dictionary attack. Either way the attacker walks away with the user's password hash or the password itself.

Vulnerabilities like the one described above are exactly why Microsoft itself recommends moving away from PEAP-MSCHAPv2. Microsoft's official recommendation reads: “If you are using Wi-Fi and VPN endpoints that are based on MSCHAPv2, they are subject to …attacks, Microsoft recommends that organizations move to certificate-based authentication… like EAP-TLS.”

RADIUS Server Certificate Validation

Microsoft's recommendations for securing devices center on server certificate validation. When a client starts an 802.1X authentication, the RADIUS server presents a certificate during the TLS handshake; that certificate is issued either by a public Certificate Authority or, more commonly, by the organization's own private CA. A supplicant that validates the server certificate checks that it chains to the specific CA it was told to trust and that the server name matches the one configured for the network, and only then releases any credentials. That is what prevents over-the-air credential theft: a rogue RADIUS server cannot present a certificate that satisfies both checks.

Failure to verify the server certificate leaves users and devices open to Active Directory or LDAP credential theft via a simple man-in-the-middle attack. Vivek Ramachandran, a well-known security researcher, has published a detailed walkthrough of the attack.
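As an added illustration of what "server certificate validation" actually has to check (this is example code written for this page, not code from the article, Microsoft or SecureW2), the Go program below mints an in-memory enterprise CA, a legitimate RADIUS server certificate and two evil-twin certificates, then runs the check a supplicant should perform before releasing credentials. The CA and server names are made up, and `supplicantAccepts` is a model of the client-side check, not any real supplicant's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for name, signed by parent, or self-signed when parent is nil.
// Everything lives in memory; nothing is written to disk.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the SAN a supplicant matches against
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// trustStore is the set of CAs the supplicant is willing to chain the server certificate to.
func trustStore(cas ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	return pool
}

// supplicantAccepts models the check a correctly configured client performs before it
// sends any inner MS-CHAPv2 credentials: chain to a trusted CA and match the server name.
func supplicantAccepts(server *x509.Certificate, trusted *x509.CertPool, expectedName string) error {
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   expectedName, // "" skips the name check, as a misconfigured client does
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	campusCA, campusKey := issue("Campus Enterprise CA", true, nil, nil)
	publicCA, publicCAKey := issue("Some Public CA", true, nil, nil)
	radius, _ := issue("radius.campus.example", false, campusCA, campusKey)
	// Evil twin 1: an attacker-run CA presenting the legitimate server's name.
	rogueCA, rogueKey := issue("Rogue CA", true, nil, nil)
	spoofed, _ := issue("radius.campus.example", false, rogueCA, rogueKey)
	// Evil twin 2: a genuine public-CA certificate for a domain the attacker owns.
	bought, _ := issue("wifi.attacker.example", false, publicCA, publicCAKey)

	pinned := trustStore(campusCA)           // hardened: only the enterprise CA
	system := trustStore(campusCA, publicCA) // loose: "validate certificate" against the whole system store
	fmt.Println("legit server, pinned CA + name:", supplicantAccepts(radius, pinned, "radius.campus.example"))
	fmt.Println("rogue CA, same name:           ", supplicantAccepts(spoofed, pinned, "radius.campus.example"))
	fmt.Println("public cert, no name check:    ", supplicantAccepts(bought, system, ""))
	fmt.Println("public cert, name check:       ", supplicantAccepts(bought, system, "radius.campus.example"))
}
```

The third case is the one to watch: a client that trusts the whole system store and does not check the server name accepts any certificate a public CA will sell the attacker, so a correct profile must name both the CA and the RADIUS server (on Windows, the trusted root plus "Connect to these servers"; in wpa_supplicant, `ca_cert` plus `domain_match`).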

Enforce Server Certificate Validation on Every Device

The process to set up server certificate validation is device-specific and difficult for users to correctly configure on their own. Manual configuration of personal devices presents serious security risks because users tend to skip server certificate validation and accidentally trust rogue networks.

Auto-configuration tools such as JoinNow automate this process for the user and make certain that the device is configured correctly for the secure network: the device is set to trust only the specified CA and server certificate, so it can verify that it is talking to the legitimate network. Eliminating certificate prompts matters, because users routinely click through them, the prompts are hard to interpret, and a device left to decide on its own produces both security incidents and help desk tickets.

Use EAP-TLS to Factor Device Trust into your Network Security

We’ve explained already why organizations should move away from vulnerable PEAP-MSCHAPv2. One question remains to be answered, though: what’s the alternative?

The answer, as Microsoft's quote suggests, is EAP-TLS. With EAP-TLS the client authenticates with a certificate instead of a password, so no password or password hash ever crosses the air. What the client sends is a signature made with a private key that stays on the device, and a captured handshake gives a man-in-the-middle nothing it can replay or crack. When the private key is generated in and kept non-exportable by the device's TPM or secure enclave, it cannot be copied off the device either. Because the certificate identifies both the user and the device, EAP-TLS also lets you factor in device trust, admitting only managed devices that you know have up-to-date security policies enforced.

EAP-TLS also provides a far better end-user experience, primarily by eliminating the burdens that come with passwords. Password rotation policies that knock every device off the network until the user re-enters the new password go away, and users no longer need to invent a new complex password for every resource they log into.

Certificates instead expire after an interval the organization chooses, as long or short as policy requires. Devices with certificates also authenticate and connect faster, since EAP-TLS completes in a single TLS handshake instead of a handshake followed by an inner password exchange.

Replacing PEAP-MSCHAPv2 with EAP-TLS is Simple with SecureW2

Continuing to use credentials is a huge risk; all it takes is one stolen credential for a hacker to slip into your network. A 2019 Google survey showed that the majority of people reuse their passwords – this means that capturing one set of credentials can be like snatching a master key that bad actors can use to access additional resources and wreak havoc on an organization-wide scale.

This is why an increasing number of organizations are moving to certificate-based authentication. Some organizations ease the transition by using SecureW2's simultaneous support for PEAP and EAP-TLS. One top university, for example, chose to enroll all incoming students for certificate-based authentication while phasing out credentials in stages for existing users.

The JoinNow Suite, in addition to many other useful features, can properly configure security essentials, such as server certificate validation, on a wide range of BYOD platforms (Windows, Mac, iOS, Android, Linux, Kindle Fire, and more). Rather than going through a risky and difficult process of manually configuring their personal devices, users can rest assured that they are onboarding in the easiest and most secure manner possible. It also provides a world-class PKI, allowing organizations to easily deploy EAP-TLS certificate-based authentication on their campus.

SecureW2 provides affordable options for protection from credential theft. Inquire about pricing today!

Key Takeaways:
  • EAP-TLS is a secure alternative to PEAP-MSCHAPv2 that empowers networks with digital certificates.
  • SecureW2 has everything you need to move to certificate-based authentication.
Adam Andrews