A Study of Security Issues of Eduroam Networks in Portugal

Authors: Luís Miguel Batista, Hélder Gomes, João Rafael Almeida



Author Details

Luís Miguel Batista
  • DETI/IEETA, LASI, University of Aveiro, Portugal
Hélder Gomes
  • ESTGA/IEETA, LASI, University of Aveiro, Portugal
João Rafael Almeida
  • DETI/IEETA, LASI, University of Aveiro, Portugal

Cite As

Luís Miguel Batista, Hélder Gomes, and João Rafael Almeida. A Study of Security Issues of Eduroam Networks in Portugal. In 13th Symposium on Languages, Applications and Technologies (SLATE 2024). Open Access Series in Informatics (OASIcs), Volume 120, pp. 14:1-14:14, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024) https://doi.org/10.4230/OASIcs.SLATE.2024.14

Abstract

Enterprise Wi-Fi networks provide seamless connectivity for businesses and public entities. In educational settings, these networks are essential for delivering services to students. Eduroam is one of the most widely recognized university enterprise Wi-Fi networks. It uses 802.1x protocols and TLS tunnels to establish mutual authentication. Eduroam caters to a diverse population of students and faculty worldwide, managing a vast number of unregulated devices, some of which require manual configuration to operate in a secure setting. This study aims to evaluate the security robustness of the 802.1x protocol, particularly within the Eduroam framework. A comprehensive study was conducted to examine compliance with institutional instructions for network configuration guidance. The results from 91 Portuguese institutions using Eduroam revealed that many lacked knowledge of Wi-Fi security. This lack of awareness is then passed on to users, resulting in vulnerable connections.

Subject Classification

ACM Subject Classification
  • Security and privacy → Operating systems security
  • Security and privacy → Intrusion detection systems
  • Security and privacy → Security requirements
  • Security and privacy → Formal security models
Keywords
  • Eduroam
  • Wi-Fi
  • Credential stealing
  • Attack
  • Network
  • Security
