All your Credentials are Belong to Us: On Insecure WPA2-Enterprise Configurations

MLIS student Kin Man Leung is one of the authors of a recent study which found that the majority of manual instructions provided by tertiary education institutes (TEIs) lead to insecure Wi-Fi configurations. As a result, nearly 86% of these institutions are exposed to potential credential theft on at least one of the supported operating systems. This research was an international collaboration involving The Chinese University of Hong Kong, The University of Iowa, The University of British Columbia, Syracuse University and Visa Research.

The researchers performed a multi-faceted measurement study to investigate the widespread insecure practices employed by TEIs around the globe when offering WPA2-Enterprise Wi-Fi services. The security of these services critically depends on (1) the connection configuration on the end-user’s device, and (2) the encryption protocol (TLS) setup on the authentication servers.

Their findings showed that some TEIs have server-side configuration issues in their eduroam Wi-Fi, and many of them instruct students and staff to adopt insecure Wi-Fi configurations on their devices, opening the door to credential theft by malicious entities. The research team’s recommendation for IT administrators is to prescribe detailed and secure configuration instructions. In addition, users should configure their devices to perform certificate verification.

This paper was presented last week at The 28th ACM Conference on Computer and Communications Security (CCS 2021), which was held virtually. The CCS is the flagship annual conference of the Special Interest Group on Security, Audit and Control (SIGSAC) of the Association for Computing Machinery (ACM). The conference brings together information security researchers, practitioners, developers, and users from all over the world to explore cutting-edge ideas and results.

For UBC users, the research team also recommends verifying the fingerprint (a.k.a. thumbprint) of the server certificate when connecting to the UBC WiFi network. The fingerprint information can be found on this UBC IT webpage.
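
An added example, not from the article or the paper: a small audit of a client configuration for the checks discussed above, namely whether the server certificate is verified at all and whether it is tied to a server name or pinned by fingerprint. It assumes a wpa_supplicant client, which the article does not name; the sample configs, file paths and hostnames are constructed placeholders.

```python
import re

# Constructed sample configs for wpa_supplicant (an assumed client); all values are placeholders.
WEAK = """network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}
"""
# Same network with the server certificate anchored to a CA and bound to a server name.
HARDENED = WEAK.replace("}", '    ca_cert="/etc/ssl/certs/example-ca.pem"\n'
                             '    domain_suffix_match="radius.example.edu"\n}')
# CA set but no name constraint: any server holding a certificate from that CA passes.
CA_ONLY = WEAK.replace("}", '    ca_cert="/etc/ssl/certs/example-ca.pem"\n}')

def parse_networks(text):
    """Return one dict of key -> value for each network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, flags=re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit(net):
    """List certificate-verification gaps for one WPA-EAP network block."""
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return []  # only WPA-EAP (enterprise) blocks are checked here
    findings = []
    ca = net.get("ca_cert", "")
    pinned = ca.startswith("hash://server/sha256/")  # pin on the server certificate's fingerprint
    names = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")
    if not ca:
        findings.append("no ca_cert: server certificate is not verified")
    elif not pinned and not any(net.get(k) for k in names):
        findings.append("no server name check: any certificate from this CA is accepted")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("ca only", CA_ONLY), ("hardened", HARDENED)):
        print(label, audit(parse_networks(cfg)[0]) or "ok")
```
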

The full paper can be accessed here. If you are interested in knowing more technical details, please feel free to contact the corresponding author, Sze Yiu Chau, at sychau@ie.cuhk.edu.hk.