A practical investigation of identity theft vulnerabilities in eduroam

Sebastian Brenza, Andre Pawlowski, Christina Poepper

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Eduroam offers secure access to the Internet at participating institutions, using authentication via IEEE 802.1X and secure forwarding of authentication data to the authentication server of the user's institution. Due to erroneous configuration manuals and a lack of knowledge on the user side, though, a big share of client devices lack the required root CA certificate to authenticate the Eduroam network, yet still being able to access the network. Moreover, deficient software implementations on client devices prevent users from the secure execution of the authentication process. In this paper, we present an attack that exploits this fact and uses the default behavior of wireless devices in order to capture authentication data. This MITM attack is performed in real-time. It is achieved using a modified version of hostapd, which exploits a compatibility setting of the widely used supplicant software wpa supplicant. It enables an attacker to authenticate users in EAP-TTLS/PAP and in EAP-TTLS/MS-CHAPv2 without the necessity of cracking the user password hash on the fly and thus without inducing suspicious delays. In a practical study with several hundred users we could show that more than half of the tested devices were vulnerable to the attack. Based on the results of the study, we propose countermeasures to prevent the attack and minimize the amount of vulnerable devices.

Original languageEnglish (US)
Title of host publicationProceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015
PublisherAssociation for Computing Machinery, Inc
ISBN (Electronic)9781450336239
DOIs
StatePublished - Jun 22 2015
Event8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015 - New York, United States
Duration: Jun 22 2015Jun 26 2015

Other

Other8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015
CountryUnited States
CityNew York
Period6/22/156/26/15

Fingerprint

Authentication
Servers
Internet

Keywords

  • EAP
  • Eduroam authentication
  • MS-CHAPv2
  • Network security
  • WPA-enterprise

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Cite this

Brenza, S., Pawlowski, A., & Poepper, C. (2015). A practical investigation of identity theft vulnerabilities in eduroam. In Proceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015 [a14] Association for Computing Machinery, Inc. https://doi.org/10.1145/2766498.2766512

A practical investigation of identity theft vulnerabilities in eduroam. / Brenza, Sebastian; Pawlowski, Andre; Poepper, Christina.

Proceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015. Association for Computing Machinery, Inc, 2015. a14.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Brenza, S, Pawlowski, A & Poepper, C 2015, A practical investigation of identity theft vulnerabilities in eduroam. in Proceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015., a14, Association for Computing Machinery, Inc, 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015, New York, United States, 6/22/15. https://doi.org/10.1145/2766498.2766512
Brenza S, Pawlowski A, Poepper C. A practical investigation of identity theft vulnerabilities in eduroam. In Proceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015. Association for Computing Machinery, Inc. 2015. a14 https://doi.org/10.1145/2766498.2766512
Brenza, Sebastian ; Pawlowski, Andre ; Poepper, Christina. / A practical investigation of identity theft vulnerabilities in eduroam. Proceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015. Association for Computing Machinery, Inc, 2015.
@inproceedings{15a47a314d034ea4a93519695001f074,
title = "A practical investigation of identity theft vulnerabilities in eduroam",
abstract = "Eduroam offers secure access to the Internet at participating institutions, using authentication via IEEE 802.1X and secure forwarding of authentication data to the authentication server of the user's institution. Due to erroneous configuration manuals and a lack of knowledge on the user side, though, a big share of client devices lack the required root CA certificate to authenticate the Eduroam network, yet still being able to access the network. Moreover, deficient software implementations on client devices prevent users from the secure execution of the authentication process. In this paper, we present an attack that exploits this fact and uses the default behavior of wireless devices in order to capture authentication data. This MITM attack is performed in real-time. It is achieved using a modified version of hostapd, which exploits a compatibility setting of the widely used supplicant software wpa supplicant. It enables an attacker to authenticate users in EAP-TTLS/PAP and in EAP-TTLS/MS-CHAPv2 without the necessity of cracking the user password hash on the fly and thus without inducing suspicious delays. In a practical study with several hundred users we could show that more than half of the tested devices were vulnerable to the attack. Based on the results of the study, we propose countermeasures to prevent the attack and minimize the amount of vulnerable devices.",
keywords = "EAP, Eduroam authentication, MS-CHAPv2, Network security, WPA-enterprise",
author = "Sebastian Brenza and Andre Pawlowski and Christina Poepper",
year = "2015",
month = "6",
day = "22",
doi = "10.1145/2766498.2766512",
language = "English (US)",
booktitle = "Proceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015",
publisher = "Association for Computing Machinery, Inc",

}

TY - GEN

T1 - A practical investigation of identity theft vulnerabilities in eduroam

AU - Brenza, Sebastian

AU - Pawlowski, Andre

AU - Poepper, Christina

PY - 2015/6/22

Y1 - 2015/6/22

N2 - Eduroam offers secure access to the Internet at participating institutions, using authentication via IEEE 802.1X and secure forwarding of authentication data to the authentication server of the user's institution. Due to erroneous configuration manuals and a lack of knowledge on the user side, though, a big share of client devices lack the required root CA certificate to authenticate the Eduroam network, yet still being able to access the network. Moreover, deficient software implementations on client devices prevent users from the secure execution of the authentication process. In this paper, we present an attack that exploits this fact and uses the default behavior of wireless devices in order to capture authentication data. This MITM attack is performed in real-time. It is achieved using a modified version of hostapd, which exploits a compatibility setting of the widely used supplicant software wpa supplicant. It enables an attacker to authenticate users in EAP-TTLS/PAP and in EAP-TTLS/MS-CHAPv2 without the necessity of cracking the user password hash on the fly and thus without inducing suspicious delays. In a practical study with several hundred users we could show that more than half of the tested devices were vulnerable to the attack. Based on the results of the study, we propose countermeasures to prevent the attack and minimize the amount of vulnerable devices.

AB - Eduroam offers secure access to the Internet at participating institutions, using authentication via IEEE 802.1X and secure forwarding of authentication data to the authentication server of the user's institution. Due to erroneous configuration manuals and a lack of knowledge on the user side, though, a big share of client devices lack the required root CA certificate to authenticate the Eduroam network, yet still being able to access the network. Moreover, deficient software implementations on client devices prevent users from the secure execution of the authentication process. In this paper, we present an attack that exploits this fact and uses the default behavior of wireless devices in order to capture authentication data. This MITM attack is performed in real-time. It is achieved using a modified version of hostapd, which exploits a compatibility setting of the widely used supplicant software wpa supplicant. It enables an attacker to authenticate users in EAP-TTLS/PAP and in EAP-TTLS/MS-CHAPv2 without the necessity of cracking the user password hash on the fly and thus without inducing suspicious delays. In a practical study with several hundred users we could show that more than half of the tested devices were vulnerable to the attack. Based on the results of the study, we propose countermeasures to prevent the attack and minimize the amount of vulnerable devices.

KW - EAP

KW - Eduroam authentication

KW - MS-CHAPv2

KW - Network security

KW - WPA-enterprise

UR - http://www.scopus.com/inward/record.url?scp=84962010730&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84962010730&partnerID=8YFLogxK

U2 - 10.1145/2766498.2766512

DO - 10.1145/2766498.2766512

M3 - Conference contribution

AN - SCOPUS:84962010730

BT - Proceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015

PB - Association for Computing Machinery, Inc

ER -