cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Martin Pauly <pauly AT hrz.uni-marburg.de>
- To: cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] Eduroam vs Security
- Date: Wed, 3 Apr 2019 10:18:56 +0200
On 02.04.19 at 15:33, Andre Forigato wrote:
If a hacker installs an access point with the name of Eduroam, and
this access point points to a Freeradius server, it is possible that
the malicious person sees all the logins and passwords in the
Freeradius logs.
Stefan says it: You have re-discovered the so-called Evil-Twin attack
which became widely known around 2008 (very soon after eduroam started to
really take off).
What made it a real security disaster was the horrible certificate handling
of all Android versions up to and including Android 6.
- The user had no access whatsoever to 400+ root certs the Java cert store
does carry.
Rather you had to re-install a root cert manually in a tedious, error-prone
process.
- When confronted with _some_ network claiming to be eduroam, the network
stack would immediately log on to this SSID, literally pushing the user's
credentials to their RADIUS server. And because a typical Android device is
"always on", the process goes totally unnoticed by the user.
Other platforms (iOS, Windows) would at least ask the user and require a
manual consent (so at least nothing happens as long as your iPhone remains
in your pocket).
And this is exactly where CAT comes in: The Android app currently is simply
the best tool to secure your users' network access on the platform.
Starting with Android 7, a user does have access to said JAVA cert store
("Use system certificates" in WiFi settings). This is what web browsers
usually do, and it's way better than not checking anything.
Other measures to fight password leakage include:
- EAP-TLS with client certs (requires own PKI)
- the requirement of a special outer identity not easily
configured by a naive user, thus pushing him/her to use CAT.
From the technical point, EAP-PWD seems interesting:
Smart Password verification with few EAP packets, the password is
never transmitted. (IMO same idea as MS-CHAP, but much better implementation).
Colleagues from some German universities report it to work well
with FreeRADIUS on the server side and Linux and Android
as clients. Some with support contracts are also pushing
Apple to include it, but no feedback yet.
Would it make sense to support it in the GEANT-Link supplicant in the future?
Cheers, Martin
--
Dr. Martin Pauly
HRZ Univ. Marburg
Hans-Meerwein-Str.
D-35032 Marburg
Phone: +49-6421-28-23527
Fax: +49-6421-28-26994
E-Mail: pauly AT HRZ.Uni-Marburg.DE
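Added illustration, not from Martin's mail or from the CAT project: the difference between a supplicant profile that trusts any RADIUS server and one set up the way a CAT-generated profile is, written as wpa_supplicant network blocks for a Linux client. The realm example.edu, the server name radius.example.edu and the CA file path are placeholders.

```conf
# Added example: wpa_supplicant.conf network blocks for an eduroam profile.
# Placeholders: realm example.edu, server name radius.example.edu, CA path.

# 1) Weak: no CA given, so whichever RADIUS server answers behind an
#    "eduroam" SSID is trusted. The TLS tunnel ends at whoever runs the
#    access point, and the inner MSCHAPv2 exchange goes to them (the
#    situation described above for Android <= 6).
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="secret"
    phase2="auth=MSCHAPV2"
    # no ca_cert, no server name check
}

# 2) Hardened, as a CAT profile does it: pin the institution's own CA and
#    require the server certificate name to match. A rogue server cannot
#    present a matching certificate, so no tunnel is built and the inner
#    password exchange never starts.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    # outer identity carries only the realm; the real username travels
    # inside the tunnel only
    anonymous_identity="anonymous@example.edu"
    identity="alice@example.edu"
    password="secret"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/eduroam/example-edu-ca.pem"
    domain_suffix_match="radius.example.edu"
}

# 3) EAP-pwd: password never transmitted, no server certificate involved
#    (needs wpa_supplicant built with CONFIG_EAP_PWD and server support).
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PWD
    identity="alice@example.edu"
    password="secret"
}
```

Pointing ca_cert at the system CA bundle while keeping domain_suffix_match is the Linux counterpart of Android 7's "Use system certificates"; dropping domain_suffix_match would again accept any certificate chaining to one of those 400+ public roots.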