A practical investigation of identity theft vulnerabilities in eduroam

Sebastian Brenza, Andre Pawlowski, Christina Poepper

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Eduroam offers secure access to the Internet at participating institutions, using authentication via IEEE 802.1X and secure forwarding of authentication data to the authentication server of the user's institution. Due to erroneous configuration manuals and a lack of knowledge on the user side, though, a big share of client devices lack the required root CA certificate to authenticate the Eduroam network, yet are still able to access the network. Moreover, deficient software implementations on client devices prevent users from the secure execution of the authentication process. In this paper, we present an attack that exploits this fact and uses the default behavior of wireless devices in order to capture authentication data. This MITM attack is performed in real-time. It is achieved using a modified version of hostapd, which exploits a compatibility setting of the widely used supplicant software wpa_supplicant. It enables an attacker to authenticate users in EAP-TTLS/PAP and in EAP-TTLS/MS-CHAPv2 without the necessity of cracking the user password hash on the fly and thus without inducing suspicious delays. In a practical study with several hundred users we could show that more than half of the tested devices were vulnerable to the attack. Based on the results of the study, we propose countermeasures to prevent the attack and minimize the amount of vulnerable devices.

    Original language: English (US)
    Title of host publication: Proceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015
    Publisher: Association for Computing Machinery, Inc
    ISBN (Electronic): 9781450336239
    DOI: https://doi.org/10.1145/2766498.2766512
    State: Published - Jun 22 2015
    Event: 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015 - New York, United States
    Duration: Jun 22 2015 to Jun 26 2015

    Other

    Other: 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015
    Country: United States
    City: New York
    Period: 6/22/15 to 6/26/15

    Fingerprint

    Authentication
    Servers
    Internet

    Keywords

    • EAP
    • Eduroam authentication
    • MS-CHAPv2
    • Network security
    • WPA-enterprise

    ASJC Scopus subject areas

    • Safety, Risk, Reliability and Quality
    • Computer Networks and Communications

    Cite this

    Brenza, S., Pawlowski, A., & Poepper, C. (2015). A practical investigation of identity theft vulnerabilities in eduroam. In Proceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015 [a14] Association for Computing Machinery, Inc. https://doi.org/10.1145/2766498.2766512
