Multiple configuration vulnerabilities in a free Wi-Fi network used by several colleges can enable access to the usernames and passwords of students and teachers who connect to the system using Android and Windows devices, according to the findings by researchers.
WizCase researchers lead by researcher Ata Hakçl evaluated 3,100 Eduroam setups at universities throughout Europe and discovered that more than half of them have vulnerabilities that threat actors might exploit.
They noted that the risk of misconfiguration might spread to other companies throughout the world.
Eduroam offers free Wi-Fi access at participating institutions. It provides log-in credentials to students, researchers, and faculty members, allowing them to access the internet across many universities by utilizing credentials from their own university.
Researchers found vulnerabilities in the execution of the Extensible Authentication Protocol (EAP) used by Eduroam, which offers numerous levels of authentication when individuals connect to the network. Some of these authentication steps are not implemented properly in some colleges, causing security flaws.
Researchers wrote in a report posted Wednesday, “Any students or faculty members using Eduroam or similar EAP-based Wi-Fi networks in their faculties with the wrong configuration are at risk.”
“If you are using an Android device and have Eduroam Wi-Fi set to auto-connect, malicious people could capture your plaintext username and password by only getting 20 or so meters in the range of you.”
WizCase evaluated several configuration guidelines and built a test environment with multiple attack scenarios for the study. Overall, their analysis indicated that in the majority of institutions with misconfigured networks, threat actors may establish an “evil twin”, Eduroam network that a user would mistake for the actual network, especially on Android devices.
Referring to Eduroam's catalogue application that performs certificate checks, researchers stated, “This could result in these devices automatically sending their stored credentials in order to connect to the evil twin Wi-Fi network for users not using eduroamCAT.”
Researchers emphasized that the issue is not due to any technical flaw in Eduroam's services or technology, but rather due to improper setup instructions provided by the institutions' own network administrators to those setting up access.
Moreover, while each institution supplies resources and personnel to assist Eduroam functioning, researchers discovered that there is no centralized management for the network – either as a whole or at each university where the system is in place. This signifies that a minor misconfiguration may make it a target for hackers.
Researchers narrowed down the issue further by dissecting the numerous consecutive steps of EAP authentication, discovering that inadequate implementation of the last level of this authentication, known as "Inner Authentication," is at the foundation of the problem.
Inner Authentication is accomplished in one of two methods in EAP.
One method is to utilize the Plain Authentication Protocol (PAP), which sends users' credentials to the authentication server in plaintext and relies on Outer Authentication to completely encrypt the traffic with a server certificate.
The alternative method utilizes Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2), which understands that there may be errors in the “Outer Authentication stage, and transfers the password in a hashed, non-plaintext form.
Mismanaged Certificate Checks
“When a network with the same Wi-Fi name appears, Android devices will not check whether this certificate is trustworthy or not, and will not even notify the user about the certificate before connecting,” they explained.
Even an operating system that properly performs certificate checks can disclose data since many users do not understand what a certificate check implies and will permit the connection to proceed even if they get an alert concerning the certificate.
According to the researchers, this indicates that the problem can arise on Windows as well if a system is misconfigured. iOS devices are not vulnerable to the vulnerability since they do not enable connections to EAP networks without first installing the EAP configuration file, which ensures the validity of the server-side certificate.
As per the researchers, 2,100 of the 3,100 Eduroam participating university setups examined by WizCase are possibly impacted by the issue.
According to the firm, it may be prevented by returning to the second technique of Inner Authentication.
WizCase contacted Eduroam in December to share their results and received a response the same day.
In accordance with WizCase, Eduroam officials stated that they are aware of “Eduroam identity providers who do not follow the requirements of the Eduroam policy and leave their own users unprotected,” agreeing with researchers that this conduct is “unacceptable.” It is unknown whether Eduroam contacted its customers to alert them about the issue.
