Nokia 8 Sirocco phones: patch released for WPA/WPA2 Enterprise network vulnerability | Traficom

August 17, 2021 at 12:58

The vulnerability concerns Wi-Fi authentication in an enterprise network. With certain settings, the mobile phone transmits the username and password to the RADIUS authentication server in plaintext. A patch has been released to fix the vulnerability. Users can download and install the patch on their phones.

The vulnerability concerns MSCHAPv2 authentication with RADIUS servers when using the PEAP protocol in WPA/WPA2 Enterprise Wi-Fi networks.

Even though a phone has been configured to use the MSCHAPv2 challenge–response protocol, the vulnerability causes it to try to log into a RADIUS server with the unencrypted EAP-GTC protocol. If the RADIUS server has been configured to accept the protocol, the device will transmit the user’s credentials to the RADIUS server in plaintext. The vulnerability mainly concerns WPA/WPA2 Enterprise networks used in companies and organisations, including universities. Network administrators should check their server configurations and remind network users about updates.
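The server-side check recommended above, as an added example that is not part of the original advisory: a small auditor that reports whether a configuration accepts EAP-GTC. It assumes a FreeRADIUS-style `eap` module file (the advisory names no RADIUS product); the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed FreeRADIUS-style eap module sample (assumed; not from the advisory).
SAMPLE_EAP_CONF = """\
eap {
    default_eap_type = peap
    gtc {
        auth_type = PAP
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
"""
# Same file with the gtc method block removed, so GTC is no longer enabled.
HARDENED_EAP_CONF = SAMPLE_EAP_CONF.replace(
    "    gtc {\n        auth_type = PAP\n    }\n", "")

def parse_blocks(text):
    """Return (block paths, {path/key: value}) for a brace-nested config."""
    stack, blocks, settings = [], set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments are not live config
        if not line:
            continue
        if m := re.fullmatch(r"([\w-]+)\s*\{", line):
            stack.append(m.group(1))
            blocks.add("/".join(stack))
        elif line == "}":
            stack.pop()
        elif m := re.fullmatch(r"([\w-]+)\s*=\s*(.+)", line):
            settings["/".join(stack + [m.group(1)])] = m.group(2).strip('"')
    if stack:
        raise ValueError("unclosed block: " + "/".join(stack))
    return blocks, settings

def audit_gtc(text):
    """List the places where the config lets a client authenticate with GTC."""
    blocks, settings = parse_blocks(text)
    findings = [f"EAP-GTC method enabled: {p}"
                for p in sorted(blocks) if p.rsplit("/", 1)[-1] == "gtc"]
    findings += [f"EAP-GTC offered by default: {k}"
                 for k, v in sorted(settings.items())
                 if k.endswith("/default_eap_type") and v.lower() == "gtc"]
    return findings
```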

The Nokia 8 Sirocco phone was released in 2018 and received its last official updates on 21 June 2021. However, HMD Global, the manufacturer of Nokia phones, nevertheless decided to fix this vulnerability. The patch was released on 13 July 2021.

The NCSC-FI informed HMD Global about the vulnerability. We would like to extend a separate thank you to Karri Huhtanen, who originally discovered and reported the vulnerability.

Target of vulnerability

Nokia 8 Sirocco mobile phones

What is this about?

Install the security update 00WW_5_14M (released 13 July 2021) from your phone’s update menu.

Mobile communications systems

In addition to portable terminal devices, such as telephones and data traffic cards, mobile network devices are also categorised as mobile communications systems.

No user interaction required

An attack that requires no user interaction targets the vulnerability directly and succeeds without any action from the system user. For example, the user does not have to browse websites or start a computer program.

Security bypass

Security bypass means that by exploiting a vulnerability, the protection intended for restricting the use of the system is bypassed, for example, by directing traffic past the firewall to a protected network.

Obtaining of confidential information

Obtaining confidential information from the target system requires that the information content of the system, e.g. files saved on the hard disk, is accessible without permission and can be forwarded.

Not known

Software update patch

Normally, hardware or software manufacturers publish a new version or a partial update for software or an operating system soon after the vulnerability has become public. The update can be available at the same time as the vulnerability is published, but often the users have to wait for the update.

Restriction of the problem

Although an actual vulnerability patch is not always available, the vulnerability's effects can usually be limited, for example, by temporarily refraining from the use of a certain feature or by restricting the network traffic to the target system in a suitable manner.