TY - GEN
T1 - A practical investigation of identity theft vulnerabilities in eduroam
AU - Brenza, Sebastian
AU - Pawlowski, Andre
AU - Pöpper, Christina
PY - 2015/6/22
Y1 - 2015/6/22
N2 - Eduroam offers secure access to the Internet at participating institutions, using authentication via IEEE 802.1X and secure forwarding of authentication data to the authentication server of the user's institution. Due to erroneous configuration manuals and a lack of knowledge on the user side, though, a big share of client devices lack the required root CA certificate to authenticate the Eduroam network, yet are still able to access the network. Moreover, deficient software implementations on client devices prevent users from the secure execution of the authentication process. In this paper, we present an attack that exploits this fact and uses the default behavior of wireless devices in order to capture authentication data. This MITM attack is performed in real-time. It is achieved using a modified version of hostapd, which exploits a compatibility setting of the widely used supplicant software wpa_supplicant. It enables an attacker to authenticate users in EAP-TTLS/PAP and in EAP-TTLS/MS-CHAPv2 without the necessity of cracking the user password hash on the fly and thus without inducing suspicious delays. In a practical study with several hundred users we could show that more than half of the tested devices were vulnerable to the attack. Based on the results of the study, we propose countermeasures to prevent the attack and minimize the number of vulnerable devices.
AB - Eduroam offers secure access to the Internet at participating institutions, using authentication via IEEE 802.1X and secure forwarding of authentication data to the authentication server of the user's institution. Due to erroneous configuration manuals and a lack of knowledge on the user side, though, a big share of client devices lack the required root CA certificate to authenticate the Eduroam network, yet are still able to access the network. Moreover, deficient software implementations on client devices prevent users from the secure execution of the authentication process. In this paper, we present an attack that exploits this fact and uses the default behavior of wireless devices in order to capture authentication data. This MITM attack is performed in real-time. It is achieved using a modified version of hostapd, which exploits a compatibility setting of the widely used supplicant software wpa_supplicant. It enables an attacker to authenticate users in EAP-TTLS/PAP and in EAP-TTLS/MS-CHAPv2 without the necessity of cracking the user password hash on the fly and thus without inducing suspicious delays. In a practical study with several hundred users we could show that more than half of the tested devices were vulnerable to the attack. Based on the results of the study, we propose countermeasures to prevent the attack and minimize the number of vulnerable devices.
KW - EAP
KW - Eduroam authentication
KW - MS-CHAPv2
KW - Network security
KW - WPA-enterprise
UR - http://www.scopus.com/inward/record.url?scp=84962010730&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84962010730&partnerID=8YFLogxK
U2 - 10.1145/2766498.2766512
DO - 10.1145/2766498.2766512
M3 - Conference contribution
AN - SCOPUS:84962010730
T3 - Proceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015
BT - Proceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015
PB - Association for Computing Machinery, Inc
T2 - 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015
Y2 - 22 June 2015 through 26 June 2015
ER -