Multiple configuration flaws in a free Wi-Fi network used by numerous universities can allow access to usernames and passwords of students and faculty who connect to the system from Android and Windows devices, researchers have found.
A research team from WizCase, led by researcher Ata Hakçıl, reviewed 3,100 configurations of Eduroam at universities throughout Europe, finding that more than half of them have issues that can be exploited by threat actors. The misconfiguration danger could extend to other organizations globally as well, they added.
Eduroam provides free Wi-Fi connections at participating institutions. It assigns students, researchers and faculty members log-in credentials that allow them to obtain internet connectivity across different institutions by using credentials from their own university.
Specifically, researchers discovered flaws in the implementation of the Extensible Authentication Protocol (EAP) that Eduroam uses, which provides different stages of authentication as people connect to the network. Some of those authentication phases aren’t configured properly in some universities, opening security holes, they said.
“Any students or faculty members using Eduroam or similar EAP-based Wi-Fi networks in their faculties with the wrong configuration are at risk,” researchers wrote in
a report posted Wednesday. “If you are using an Android device and have Eduroam Wi-Fi set to auto-connect, malicious people could capture your plaintext username and password by only getting 20 or so meters in range of you.”
threatpost.com
