
cat-users - Re: [[cat-users]] "manual" installation instructions

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] "manual" installation instructions


  • From: Per Mejdal Rasmussen <pmr AT its.aau.dk>
  • To: <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] "manual" installation instructions
  • Date: Thu, 8 Nov 2018 16:10:16 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=aaudk.onmicrosoft.com
  • Authentication-results: spf=pass (sender IP is 130.225.194.128) smtp.mailfrom=its.aau.dk; lists.geant.org; dkim=none (message not signed) header.d=none;lists.geant.org; dmarc=pass action=none header.from=its.aau.dk;
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

On 2018-11-07 13:24, Martin Pauly wrote:
> A year ago, I had a professor from Monash University, Australia,
> staying with us. I came across
> https://www.monash.edu/esolutions/network/connect-eduroam-android
> and wrote a polite mail pointing out the problem.
> As you might expect -- no reply.
> Any ideas what to do here?

Ha, if a user uses the suggested setup from monash.edu, then a hacker can steal the user's login and password, and reuse it to read all their mail.

But the problem is that even if you make very good guides and auto-installers, there will still be a significant number of users that set up eduroam (insecurely) by themselves.


What we really need to do is make Android, Linux, macOS and iOS stop supporting GTC. Since Windows does not support GTC, all wireless networks that need to support Windows clients must support MSCHAPv2. Therefore all 802.1X wireless networks that support username:password logins support MSCHAPv2. GTC is simply not needed.

It is much better if it is only possible to steal an MSCHAPv2 challenge response than a plain text password from GTC.


Details of the flaws in the guide
---------------------------------
Phase 2 authentication: None
The access point/RADIUS server decides whether GTC or MSCHAPv2 is used.

CA certificate: unspecified
The client does not check whether it connects to the correct server.

This means that a hacker can set up an access point/RADIUS server which prefers GTC over MSCHAPv2. The Android device will then happily send the stored login:password in clear text to the RADIUS server. This is done without any user action or notification.



--
Per Mejdal Rasmussen
http://personprofil.aau.dk/109070
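As an added example (not part of the original post, and not code from the eduroam CAT project), the following Python script audits wpa_supplicant-style network blocks for the two defects described in the message above: no CA certificate, so the RADIUS server is never verified, and no fixed Phase 2 method, so the server can steer the client to GTC. It also checks for a server-name match, because a CA certificate alone does not prove the client reached the correct server. The sample blocks, the user identity, the certificate path and the server name are constructed for illustration and do not refer to any real deployment.

```python
"""Audit wpa_supplicant network={...} blocks for the eduroam weaknesses
discussed in the thread: unverified RADIUS server and unpinned Phase 2."""
import re

# Constructed sample: mirrors the Android guide's "Phase 2: None" and
# "CA certificate: unspecified" settings (identity/password are made up).
WEAK_CONFIG = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="hunter2"
}
"""

# Constructed sample: CA pinned, server name matched, inner method fixed.
HARDENED_CONFIG = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample: server is verified, but the inner method is GTC.
GTC_CONFIG = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=GTC"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)
INNER_RE = re.compile(r"auth(?:eap)?=(\w+)")
CLEARTEXT_INNER = ("GTC", "PAP")  # inner methods that carry the raw password


def parse_networks(text):
    """Return one key/value dict per network={...} block in the config."""
    return [dict(KV_RE.findall(body)) for body in BLOCK_RE.findall(text)]


def audit_network(net):
    """Return a list of findings for one network block (empty if clean)."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings  # not 802.1X; the checks below do not apply
    if not net.get("ca_cert"):
        findings.append("no CA certificate: client cannot verify the RADIUS server")
    if not (net.get("domain_match") or net.get("domain_suffix_match")
            or net.get("subject_match")):
        findings.append("no server name check: any certificate from the CA is accepted")
    inner = INNER_RE.search(net.get("phase2", ""))
    if inner is None:
        findings.append("phase2 unspecified: server chooses the inner method (may pick GTC)")
    elif inner.group(1).upper() in CLEARTEXT_INNER:
        findings.append(f"phase2 uses {inner.group(1)}: password is sent in clear text")
    return findings


def audit(text):
    """Audit every network block in a config; returns a list of finding lists."""
    return [audit_network(net) for net in parse_networks(text)]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("gtc", GTC_CONFIG)):
        for i, findings in enumerate(audit(cfg)):
            print(f"{name} block {i}: {findings or 'OK'}")
```

Run it against a real `/etc/wpa_supplicant/wpa_supplicant.conf` by passing the file's contents to `audit()`; a block with an empty finding list pins the CA, matches the server name and fixes the inner method, which is exactly the combination the Android guide leaves open.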
