CAF – Evil-twin EAPHammer Attack Mitigation for eduroam

Issue

It has come to our attention that eduroam users may be exposed to a security breach if their device is not configured properly.

Context

We have learned that an institution conducting penetration testing has been able to successfully infiltrate the eduroam Wi-Fi network by deploying a rogue Access Point (AP). This “Evil Twin” AP, broadcasting the “eduroam” SSID, was able to capture a number of user IDs from improperly configured devices (using the publicly available EAPHammer tool) and later recover user passwords from the captured hashes.

This attack vector is not new, but it is becoming easier to carry out. It will have increased visibility as more institutions perform pen-testing on campuses and as (some) students investigate avenues to breach institutional security.

What to Do – IT Staff

We strongly recommend that institutions participating in the Canadian Access Federation have a security (Configuration Assistant Tool, or CAT) profile with the ‘Enable Anonymous Outer Identity’ [1] option selected and that they use this tool, as noted in the implementation documentation, to install eduroam on all user devices.

This tool ensures that all devices are using the correct security certificate and will prevent username compromise.

Creating a CAT profile for your institution is quick and easy on the cat.eduroam.org site. Detailed instructions on how to do so can be found here.

Additional recommended security practices:

  • Strongly discourage users from taking shortcuts (e.g. bypassing certificate verification) that may expose them to a security breach.
  • Isolate your APs to mitigate the risk of traversal attacks.
  • Isolate your users by realm (eduroam visitors outside your firewall; trusted users inside).

What to Do: Students, Staff and Faculty

Your students, staff, and faculty will remain vulnerable to “Evil Twin” attacks if:

  • Their devices do not have the institution’s current and valid certificate installed using the CAT installer;
  • They ignore warnings on invalid certificates and choose to proceed anyway;
  • Their device security settings have validation of certificates disabled.
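As an added example (not part of the CANARIE advisory), a small Python audit that parses a wpa_supplicant network block and flags the three conditions above: no CA certificate, no server-name match, and no anonymous outer identity. The weak and hardened sample blocks, the CA path, the server name and the example.ca realm are constructed assumptions.

```python
import re

# Constructed wpa_supplicant settings (not from the advisory). WEAK sends the
# real username as the outer identity and never validates the RADIUS server
# certificate; HARDENED pins the CA, matches the server name, and sends only
# the realm in the outer identity.
WEAK = """
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.ca"
    password="hunter2"
    phase2="auth=MSCHAPV2"
"""

HARDENED = """
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.ca"
    identity="jdoe@example.ca"
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.ca"
    phase2="auth=MSCHAPV2"
"""

KV = re.compile(r'^\s*(\w+)\s*=\s*"?([^"]*)"?\s*$')
def parse_network(block: str) -> dict:
    """Return the key/value pairs of one network={...} block (quotes stripped)."""
    conf = {}
    for line in block.splitlines():
        m = KV.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def audit(conf: dict) -> list:
    """Flag the settings that leave a user exposed to an evil-twin AP."""
    findings = []
    if "ca_cert" not in conf:
        findings.append("no ca_cert: RADIUS server certificate is not validated")
    if "domain_suffix_match" not in conf and "domain_match" not in conf:
        findings.append("no domain_suffix_match: any certificate from the CA is accepted")
    anon, ident = conf.get("anonymous_identity"), conf.get("identity", "")
    if anon is None or anon == ident:
        findings.append("no anonymous_identity: real username sent in the cleartext outer EAP identity")
    elif anon.rsplit("@", 1)[-1] != ident.rsplit("@", 1)[-1]:
        findings.append("anonymous_identity realm differs from identity realm: roaming will fail")
    return findings
```

The realm check matters because the outer identity is what eduroam's RADIUS proxies route on; an anonymous identity with the wrong realm hides the username but breaks roaming.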

We strongly recommend that institutions work with user groups to ensure recommended security practices are followed.

What We’re Doing

The team at CANARIE will:

  • Ensure that all Canadian Access Federation Primary Technical Contacts of eduroam participants have access to create/manage the CAT profile for their institution. If you have any questions about accessing the https://cat.eduroam.org/ portal, please reach out to us at [email protected];
  • Continue to work with our global partners to enhance safeguards for eduroam users;
  • Provide institutions with communication materials to help promote the use of the CAT profile for device configuration (to come).

More Information

Additional information on best practices for eduroam security may be found here.


[1] If you are using Microsoft’s Network Policy Server (NPS), then additional steps are required to configure the anonymous outer id. Instructions can be found here.