eduroam: Collect, Track, Hack
In this article I will tell you about a dreadful detail of a wireless network most of us use (eduroam) and the dangers it can cause.
Most of us have passed through university, and we all connected to eduroam networks in our student life. It is one of the indispensable services for students and academics.
But its structure can break personal privacy as well as provide benefit, and it opens the door to unauthorized access! Imagine that someone could obtain the password you use to access your student information system. Perhaps in the future, after this news, we may hear more "Graduated by changing your own grade" stories :))
Before we get into the topic, I want to share some basic information with you. It will be very useful for understanding the issue and the threat.
About eduroam
- The eduroam initiative started in 2003 with 6 countries.
- The technology behind eduroam is based on the IEEE 802.1X standard and a hierarchy of RADIUS proxy servers.
- It is used by students, academics and university guests.
In Turkey
125 institutions in Turkey use the eduroam system. Turkey's largest and most prestigious universities are also included in this infrastructure. You can see the distribution in Turkey on the map below. Visit http://eduroam.org.tr/participants.php for a more detailed distribution of access point locations.
How does eduroam work?
The technology
eduroam is based on 802.1X* and a linked hierarchy of RADIUS servers containing users’ data (usernames and passwords). Participating institutions must have operating RADIUS infrastructure and agree to the terms of use. eduroam can be set up in three easy steps:
- Set up a RADIUS server connected to your institutional identity server (LDAP).
- Connect your access points to your RADIUS server.
- Federate your RADIUS server.
The RADIUS hierarchy forwards user credentials securely to the users’ home institutions, where they are verified and validated.
To protect the privacy of the traffic from the user’s device over the wireless network, the latest up-to-date data encryption standards are used.
The user’s home institution is responsible for maintaining and monitoring user information, even when the user is at a guest campus. Thus, this data is not shared with other connected institutions.
*802.1X is an IEEE Standard for port-based Network Access Control and provides an authentication mechanism to devices wishing to attach to a LAN (local area network) or Wireless LAN. (Source: https://www.eduroam.org/how/)
Authentication on eduroam networks
In eduroam networks we have seen that EAP-TTLS is used for outer authentication and PAP for inner authentication.
Where is the PROBLEM?
- In this structure, the most challenging point for the people (universities) using eduroam is the use of the PAP method as inner authentication.
- Another problem is that Android devices send the username and password directly, without any certificate verification.
Misconfiguration
As a result of our reviews, we found that most organizations using eduroam have misconfigurations. Due to these configuration errors, we have seen that the password is transmitted in clear text.
Mis-Lead
In addition to the misconfigurations, we found that many organizations direct their users to automatic-connection tools for eduroam connections.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
Collect and Track
Normal Probe Requests and EAP Identity Responses?
As you know, our devices are not location-aware, so wherever they are they send out connection requests (probe requests) for the SSIDs stored in their memory (the preferred network list, PNL). From these requests, the following information about the devices can be obtained.
In eduroam wireless: EAP Identity Response
eduroam wireless networks, by design, mainly serve students and academics. The connection requests roaming in these networks are different from normal connection requests (probe requests), because by their structure they contain more information about the students and academics.
What can we obtain?
As you can see, we are able to learn all the information that appears in the picture below.
- Username / Real name / Student number
- Whether you are a student
- University
- University website
- Contact e-mail address
- City
- Country
- MAC address of the device (manufacturer information, device type: Android, iOS, Mac; Apple, Lenovo ...)
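To make the misconfiguration and the identity leak described above concrete, here is an added example (my own, not code from the article or from eduroam) that audits a wpa_supplicant network block for the three weaknesses: no CA certificate, no RADIUS server name check, and a real username as the clear-text outer identity. The institution, paths and credentials in the sample profiles are constructed.

```python
import re
# Constructed sample (hypothetical institution, not any real eduroam guide): the
# kind of wpa_supplicant network block that auto-connect tools hand out.
WEAK_PROFILE = """
network={
    ssid="eduroam"
    eap=TTLS
    identity="s123456@example-uni.edu"
    password="Secret123"
    phase2="auth=PAP"
}
"""
# Same profile hardened: institutional CA pinned, RADIUS server name checked,
# anonymous outer identity so the clear-text EAP-Response/Identity hides the user.
HARDENED_PROFILE = """
network={
    ssid="eduroam"
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-uni-radius-ca.pem"
    domain_suffix_match="radius.example-uni.edu"
    anonymous_identity="anonymous@example-uni.edu"
    identity="s123456@example-uni.edu"
    password="Secret123"
    phase2="auth=PAP"
}
"""

def parse_network_block(text):
    """Return key/value pairs of the first network={...} block, quotes stripped."""
    body = re.search(r"network=\{(.*?)\}", text, re.S).group(1)
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.strip().split("=", 1)
            fields[key] = value.strip('"')
    return fields

def audit_profile(text):
    """List the weaknesses the article describes for an EAP-TTLS/PAP profile."""
    f = parse_network_block(text)
    findings = []
    if f.get("eap") == "TTLS" and "PAP" in f.get("phase2", "").upper():
        # PAP is clear text inside the TLS tunnel, so it is only as safe as the
        # client's check of who terminates that tunnel.
        if "ca_cert" not in f:
            findings.append("no ca_cert: password goes to any AP presenting a certificate")
        if "domain_suffix_match" not in f and "subject_match" not in f:
            findings.append("no server name check: any cert from the trusted CAs is accepted")
    if "anonymous_identity" not in f:
        findings.append("outer identity is the real username: " + f.get("identity", ""))
    return findings
```

The same checks apply to Android profiles: a profile with no CA certificate and no domain name is exactly the "connects without certificate verification" case above.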
Relationship map
What more can you say with this information?
Here is an image for you.
With the information you collect, you can create an association map of eduroam users/people:
- Same city relationship
- Same city but different university
- Country relationship
- Possibly the same department
From DEF CON 27 and Black Hat
In addition, as a result of our analysis at Black Hat USA 2019 and DEF CON 27 (2019), we found that there were people from the following institutions.
Profile of the eduroam users
- Password Complexity (None || Ordinary || Known Pattern)
- Same Password On Internet (Social Media Accounts, Other E-Mail Accounts, Forums, Gaming Accounts, Streaming Platforms etc.)
- Same Password Internally (Uni. E-mail, Uni Student Portals, Devices given by Uni. Admins (~Possibly joined to Active Directory Domains) etc.)
- Same Password at Home (Wireless, Laptop/Desktop)
Hack
What can we do?
- You can spread malware (with phishing)
- You can change your own or others' exam grades (for fun or to graduate)
- You can access other accounts (to frame someone or ruin their academic life)
- You can learn about the environment (follow/read others' e-mails, lecture records, etc.)