Attacks and vulnerabilities of Wi-Fi Enterprise networks: User security awareness assessment through credential stealing attack experiments

Enterprise Wi-Fi networks are essential for businesses and public administrations as they provide a perfectly scalable and secure system. In the university environment, they are often deployed to offer services to students. One of the most famous university Wi-Fi Enterprise networks is Eduroam, which stands for education roaming; it is a worldwide Wi-Fi access and roaming service widely adopted by the international research and education community. It is based on 802.1x mechanisms that use TLS tunnels for achieving mutual authentication goals, and, as such, it requires careful configuration of mobile devices and responsible users’ behaviors to avoid trivial attacks carried out with rogue Access Points (APs). Differently than employees in a corporate network whose devices are properly configured by ICT teams, the user base of Eduroam consists of (likely) millions of students and professors around the world, with a myriad of different and uncontrolled devices. To assess the security of 802.1x in general, and more specifically that of Eduroam, we ran attacks against two communities of students of increasing size in order to test how users (and their devices) react when rogue 802.1x APs appear in the list of available networks. We then focused our attention on devices, and investigated their detailed dependence on different WPA-Enterprise configurations and certificate settings. The aftermath is that, even with a completely passive attack (users are keeping devices in their pockets), it is possible to steal credentials from more than one-third of the students. While most of the 802.1x vulnerabilities employed in this work should be considered somewhat known (being disclosed in former technical papers), our work appears to raise a threefold concern: (i) most pragmatic 802.1x configurations appear to be grossly insecure; (ii) no Apple’s iPhone felt in our attack unless explicitly forced by the user, owing to its reduced possibility for a user to misconfigure the terminal; and (iii) the awareness of Wi-Fi authentication threats even in relatively skilled end users is close to zero.