The pitfalls of eduroam
Watch out for password theft
by Raffaela Römer
December 21, 2015
The idea behind eduroam (short for education roaming) is simple, yet brilliant: students or members of staff who spend a certain period of time at another university, are able to use their home university’s login data to log into the Wi-Fi network of the university they are visiting, for example to attend or hold lectures; this saves time and effort, because there’s no need to apply for guest access. Today, almost all European and an increasing number of non-European countries use eduroam and more and more universities in the respective countries join that research network.
But any new technology will sooner or later attract hackers. eduroam is no exception. Prof Dr Christina Pöpper and her former Master’s thesis student Sebastian Brenza from the workgroup Information Security have looked into the problem and have found out that in 2014 the login data and password on more than 50 per cent of the 500 tested user devices were not theft-proof. “If an attacker reads those data, he will gain access to many university services, including the user’s email account,” says Christina Pöpper, who has been heading the workgroup since 2013.
Fig. 1© Roberto Schirdewahn
Together with her students, Junior Prof Christina Pöpper has called attention to eduroam security gaps at RUB.
In order to find out what kind of means hackers can currently use when it comes to eduroam, she and her student assumed the role of the attacker. To this end, they set up a fake access point and simulated an eduroam. “Access points are the small transceivers that hang on the walls all across the university. They transmit an eduroam signal, with which Internet-enabled devices want to connect. Once the user enters his login and password, different authentication processes are run. They verify if the data are valid. These authentications are performed at the home university, because that is where the user is registered,” explains Pöpper.
In order to set up a fake access point, it is not even necessary to mount a Wi-Fi transceiver to the wall. A standard laptop and a small radio antenna suffice fully and don’t attract any attention. Thus equipped, the two security experts hosted an action day in the RUB Mensa last summer, organised by the RUB computer centre. 350 people came and brought 500 Smartphones and laptops in total. With the aid of software provided by Christina Pöpper and Sebastian Brenza, employees of the computer centre checked the individual Wi-Fi configurations and noticed that they were faulty in many instances and didn’t constitute an obstacle for potential attackers. Apple devices and Android Smartphones and tablets were equally affected. “The eduroam system is well thought-out,” says Christina Pöpper. “However, it is based on the idea that all relevant installations are carried out on the users’ devices.” What kind of installations and how to run them is explained on the computer centre web pages. But why have so many visitors to the action day made so many mistakes? Partly, this was due to the fact that the configuration instructions provided on the computer centre pages were incomplete. Other users have not downloaded the certificates at all. The staff at the computer centre were very grateful for the hint and corrected the configuration instructions straightaway. The devices themselves had vulnerabilities too. Sebastian Brenza, who discovered them together with PhD student Andre Pawlowski, contacted the manufacturers and notified them of the security gaps.
Despite those measures being taken, it has not yet been possible to solve the problem of insecure eduroam access: as part of a Bachelor’s thesis in the work group Information Security, renewed evaluations were carried out in September 2015. It emerged that almost half of the 1,275 tested devices were vulnerable to attacks – accordingly, the results were similar to those in the previous year. Asked for the causes, Christina Pöpper replies: “The vulnerabilities of the devices have largely remained the same. It takes time for new versions of the operating systems or patches to spread among the users. Moreover, we cannot rule out that a percentage of the users never realised that the computer centre has fixed the configuration instructions on its pages.”
The question whether any real attacks have taken place at some point and resulted in theft of password and login cannot be definitely answered, according to Christina Pöpper. Some evidence points in that direction: “Such attacks can only be identified in the moment when they are happening. Still, a while ago there was a number of incidents when passwords got cracked. An attack via eduroam might have been the cause.”
Safe surfing with eduroam
Apple users should use the preconfigured Wi-Fi profiles provided by their home university, if possible. Here, all the user has to do is enter their login and password, and their device will be configured correctly.
Users of non-Apple devices should follow the configuration instructions provided by their home university. It is important to note that the instructions include the configuration of a certificate. If this is not the case, the configuration instructions are faulty and users should contact the university’s computer centre.