
Survey on eduroam configuration (ARES paper)

posted Jun 11, 2018, 12:33 AM by Alberto Bartoli   [ updated Jun 11, 2018, 1:14 AM by Eric Medvet ]
In our recent paper Evil twins and WPA2 Enterprise: A coming security disaster? we documented the security risks associated with Wi-Fi devices that are not configured correctly. Smartphones are a pervasive example of such devices. The risk is that single sign-on enterprise credentials can be stolen by merely walking within 30 meters of the target. The attacker does not need to do any visible activity that might raise suspicion: a 50-euro device in a bag and a few seconds of physical proximity are all that is needed. The attack has to be done outside of the enterprise; it requires neither Internet connectivity nor active cooperation of the target. Thus, the attack may occur anywhere and the target would not notice anything. We showed in that paper that by just wandering around for a few hours in regions not covered by a wireless network we collected 200 enterprise credentials, and that by remaining for a few seconds at less than 35 meters from a specific (voluntary) target, one may steal his/her enterprise credentials, even when he/she is sitting in a car with closed windows.

An important question is whether people and organizations are actually aware of those risks and thus configure Wi-Fi devices appropriately. Anecdotal evidence and our own experience suggested to us that this is not the case. For this reason, we decided to run a survey among eduroam users in order to gain insights into how people actually configure their devices. We asked for help from a number of friends and we managed to collect almost 1000 answers for more than 2000 devices. We are very grateful to all those who helped us in this activity. We promised to make the results available and here they are. The results are summarized and discussed in a paper, (In)Secure Configuration Practices of WPA2 Enterprise Supplicants (preprint on arXiv). We complemented the user survey with a manual review of 311 configuration guides published on the web by 69 research institutions in 17 different countries, to assess whether organizations do promote correct configurations.

Our analyses strongly suggest that a requirement fundamental for enjoying the security guarantees of WPA2 Enterprise is violated systematically. We hope that our results will help in disseminating awareness of the risks associated with insecure configuration of WPA2 Enterprise supplicants and in promoting more secure usage and configuration practices.