Front Page: NCSC-FI

Nokia 8 Sirocco phones: patch released for WPA/WPA2 Enterprise network vulnerability

Vulnerability 23/2021

The vulnerability concerns Wi-Fi authentication in an enterprise network. With certain settings, the mobile phone transmits the username and password to the RADIUS authentication server in plaintext. A patch has been released to fix the vulnerability. Users can download and install the patch on their phones.

The vulnerability concerns MSCHAPv2 authentication with RADIUS servers when using the PEAP protocol in WPA/WPA2 Enterprise Wi-Fi networks.

Even though a phone has been configured to use the MSCHAPv2 challenge–response protocol, the vulnerability causes it to try to log into a RADIUS server with the unencrypted EAP-GTC protocol. If the RADIUS server has been configured to accept that protocol, the device will transmit the user’s credentials to the RADIUS server in plaintext. The vulnerability mainly concerns WPA/WPA2 Enterprise networks used in companies and organisations, including universities. Network administrators should check their server configurations and remind network users to install the update.
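For the server-side check the advisory asks administrators to make, the following is an added example (not taken from the advisory, NCSC-FI or HMD Global) of the FreeRADIUS 3 `eap` module configuration, first with EAP-GTC left enabled as an inner PEAP method and then with it removed, so that a client which refuses MSCHAPv2 and proposes GTC is turned away instead of being allowed to send its password inside the tunnel. The file path `mods-available/eap` and the names `tls-common` and `inner-tunnel` are the FreeRADIUS defaults and are assumed here; other RADIUS servers have an equivalent list of permitted inner methods.

```conf
# Added example: FreeRADIUS 3 raddb/mods-available/eap (assumed default layout).
# In FreeRADIUS an EAP method is enabled simply by the presence of its
# subsection in this module, so restricting the inner methods means deleting
# the subsection you do not want. Only one "eap" block may exist in the real
# file; the two below are the "before" and "after" versions side by side.

# --- Weak: the gtc subsection is present, so a PEAP client that NAKs the
#     MSCHAPv2 offer and asks for GTC is allowed to continue, and the server
#     then receives the password as-is rather than a challenge-response.
eap {
    default_eap_type = peap
    timer_expire = 60
    max_sessions = ${max_requests}

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
    }

    # This subsection is what enables EAP-GTC as an inner method.
    gtc {
        challenge = "Password: "
        auth = PAP
    }

    mschapv2 {
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}

# --- Hardened: no gtc subsection at all. MSCHAPv2 is the only inner method
#     the server will run, and a client that NAKs it receives an EAP-Failure
#     instead of a GTC password prompt. This is the "restriction of the
#     problem" remediation for networks that cannot rely on every phone
#     being patched.
eap {
    default_eap_type = peap
    timer_expire = 60
    max_sessions = ${max_requests}

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
    }

    mschapv2 {
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}
```

After editing, `radiusd -C` checks the configuration for syntax errors before a restart. To confirm the restriction took effect, a test run of wpa_supplicant's `eapol_test` with a PEAP profile set to `phase2="auth=GTC"` should now fail against the server while the same profile with `phase2="auth=MSCHAPV2"` still succeeds. Removing GTC only affects accounts whose inner method was GTC; any token-card users who genuinely depend on it would need a separate virtual server and SSID rather than this blanket removal.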

The Nokia 8 Sirocco phone was released in 2018 and received its last official updates on 21 June 2021. However, HMD Global, the manufacturer of Nokia phones, nevertheless decided to fix this vulnerability. The patch was released on 13 July 2021.

The NCSC-FI informed HMD Global about the vulnerability. We would like to extend a separate thank you to Karri Huhtanen who originally discovered and reported the vulnerability.

Target

  • Mobile communications systems

Attack vector

  • No user interaction required

Impact

  • Security bypass
  • Obtaining of confidential information

Exploit seen live

  • Not known

Remediation

  • Software update patch
  • Restriction of the problem

Subject of vulnerability

Nokia 8 Sirocco mobile phones

What is it about?

Install the security update 00WW_5_14M (released 13 July 2021) from your phone’s update menu.