Multiple certificate misconfiguration flaws in a free Wi-Fi network used by students and faculty from various universities can lead to unauthorized access to access to usernames and passwords. It’s only the latest in a chain of large-scale credential data breaches affecting organizations across the world.
The service in question is eduroam, an international Wi-Fi internet access roaming service for users in research, higher education and further education. It provides simple, easy, secure connectivity from thousands of hotspots across more than 100 countries. By using login credentials obtained from their own university’s network, they can get internet access from any participating institution.
However, multiple configuration flaws discovered in this free Wi-Fi network can lead to stolen credentials of users who connect to the system from Android and Windows devices, researchers from WizCase have found.
Specifically, these configuration missteps were detected concerning the Extensible Authentication Protocol (EAP) which implements various stages of authentication for users connecting to the network. The researchers found that many organizations were not correctly configuring some of these authentication stages, leading to the potential security weaknesses.
So, instead of being an intrinsic flaw in the security of the eduroam technology, the vulnerability arises from a lack of proper configuration by the organizations who utilize this service. This is nothing new, as misconfiguration is one of the leading causes of cloud vulnerabilities.
The research team, led by Atal Hakçıl mostly looked at universities when carrying out their research. However, any organization using eduroam may be exposed to the same vulnerabilities.
For their studies, they reviewed the configurations of roughly 3,1000 institutions across Europe. Shockingly, they found that more than half of configurations contained some of these configuration errors, leaving them vulnerable to exploitation by threat actors.
Anyone using a misconfigured network would be vulnerable to exploitation. As the researchers put it: “Any students or faculty members using eduroam or similar EAP based WiFi networks in their faculties with the wrong configuration are at risk.”
The flaw would allow hackers to capture your plaintext username and password by only being within 20 meters or so from you while you’re connected to the network.
During their research, they showed it’s possible to set up an “evil twin” eduroam network that would be indistinguishable from the real one on certain mobile devices, i.e. Android and Windows. Essentially, this would result in the devices freely giving up their credentials as they try to connect to the impostor network, especially if users do not use eduroamCAT.
On the other hand, iOS devices do not allow EAP connections without installing the EAP configuration file. This file checks the validity of the server side certificate, rendering iOS devices safe from this particular vulnerability.
Windows and iOS devices would provide a security warning that the network certificate is invalid. However, this warning was rendered useless in many circumstances because many universities’ own certificates are invalid, leading them to instruct users to ignore this warning.
One of the reasons this flaw is so concerning is because students and faculty often reuse the same credentials for multiple services, such as email, student portal logins, etc. Victims may also be on the receiving end of phishing scams, malware, account takeover or impersonation, and framing or espionage.
WisCase have disclosed their findings to eduroam in late 2020, receiving the reply: “Thank you for your additional comments. We are indeed occasionally made aware of eduroam Identity Providers who do not follow the requirements of the eduroam policy, and leave their own users unprotected. We are absolutely in line with your thinking that this is unacceptable behaviour on their end.”
However, to date, it’s still not clear which steps, if any, have been taken to address this issue. For now, the best advice organizations can follow is to take responsibility for securely configuring certificate policies for their own eduroam network’s.