You often only think about it if you are in a distant country near a university and you suddenly have free wifi without logging in: Eduroam. Hundreds of thousands of students and teaching staff use the network every day without really thinking. Which is why it is even more remarkable that ethical hackers recently revealed a very serious security problem in Eduroam.
If a hacker sets up a wifi access point called Eduroam, unsuspecting users' devices could connect to it without the user noticing (a device happily joins any network that uses a name it remembers) and hand their username and password to the hacker. That in itself is a serious security problem, but worse still is that the Eduroam login data are the same as the login for most of the other ICT services used by students and staff, such as the computers, e-mail and the MyEUR intranet.
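The reason a device hands its password to an impostor is that it never checks who is asking: the authentication server's certificate has to be verified against a trusted CA and an expected server name, both of which must already be configured on the device. The following Python lint is added here as an example and is not code from EUR or the eduroam project. It parses wpa_supplicant network blocks and flags an eduroam profile that lacks that check; the two profiles, the CA path and the server name radius.example.org are constructed placeholders, not EUR's real settings.

```python
"""Lint wpa_supplicant 'network' blocks for an eduroam profile that would
hand its credentials to an impostor access point.

Added example for this article, not EUR's or eduroam's own code. The two
profiles below are constructed samples; the CA path and the RADIUS server
name 'radius.example.org' are placeholders, not EUR's real values.
"""
import re
from typing import Dict, List

# Constructed sample: a profile as many people type it by hand. It names
# the SSID "eduroam" but says nothing about which server may ask for the
# password, so any AP broadcasting "eduroam" gets the credentials.
WEAK_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.org"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample: the same profile pinned to a CA and to the expected
# server name (placeholders). The supplicant now aborts the handshake
# before any password material is sent if the certificate does not match.
HARDENED_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.org"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_suffix_match="radius.example.org"
}
"""

_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
_KV = re.compile(r'^\s*([A-Za-z0-9_]+)=(?:"([^"]*)"|(\S+))\s*$')


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one key/value dict per network={...} block, in file order."""
    networks = []
    for body in _BLOCK.findall(conf):
        params = {}
        for line in body.splitlines():
            m = _KV.match(line)
            if m:
                params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        networks.append(params)
    return networks


def audit_network(params: Dict[str, str]) -> List[str]:
    """Findings for one network; an empty list means the profile validates
    the server before any credentials are sent."""
    findings = []
    if params.get("key_mgmt", "").upper() != "WPA-EAP":
        return findings  # PSK/open networks have no authentication server to validate
    if "ca_cert" not in params:
        findings.append("no ca_cert: any certificate is accepted, so a rogue "
                        "'eduroam' AP can complete the handshake")
    if not any(k in params for k in ("domain_suffix_match", "domain_match")):
        findings.append("no server name check: any certificate from the trusted CA "
                        "set is accepted, not just the institution's RADIUS server")
    if params.get("phase2", "").upper().endswith("AUTH=PAP") and "ca_cert" not in params:
        findings.append("PAP inner method without ca_cert: the password itself, "
                        "not a challenge response, goes to the impostor")
    return findings


def audit_config(conf: str) -> List[List[str]]:
    """Findings per network block of a whole config file."""
    return [audit_network(n) for n in parse_networks(conf)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        for findings in audit_config(conf):
            print(f"{label} profile: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
            for f in findings:
                print("  -", f)
```

Running it reports two findings for the weak profile and none for the hardened one. Other platforms expose the same two settings under different names; what matters is that the trusted CA and the expected server name are provisioned before the first connection, since neither can be fetched safely over the network they are supposed to protect.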
Recently, Erasmus University asked all Eduroam users to change their password. Users can no longer choose their own new password; the university now generates one for them. Chief Information Security Officer Rory O’Connor explains exactly what happened.
How could hackers find out the passwords of Eduroam users?
“Hackers were able to imitate Eduroam and get hold of the usernames and passwords. Properly secured phones and laptops should check the validity of the certificate to make sure that it is a real Eduroam wifi spot for EUR. But to do this, you need an Internet connection, which creates a catch-22 situation: you need a working network connection to get a certificate, which you need for a working connection. Android phones in particular lack many security checks.”
Have EUR staff or students, or other academics all over the world, been victims of identity theft as far as you know?
“We have no evidence to suggest that anyone has stolen EUR passwords, but there are detailed descriptions from ethical hackers explaining how you could steal user data.”
So, if login data had been stolen, can you describe the possible consequences?
“Stolen login data are used for phishing attacks, data theft and imitating someone’s identity. Some Internet services which are free to students are very handy for hackers.”
The university now generates a unique password for your Eduroam account, which means that hackers can no longer use any Eduroam passwords they have acquired to log in to other university accounts. But are the new Eduroam passwords just as easy to steal as the old ones, or has that issue now been resolved?
“After an extensive investigation of the identified security problem and possible solutions, we concluded that improving the security of Eduroam would make the service difficult to configure, would limit the number of supported devices and would mean an end to Eduroam as a service that you can use worldwide in educational institutions. By using separate passwords, hacking is of very limited value. They cannot access the ERNA accounts with the unique password for Eduroam.”
Is EUR going to introduce diceware in more places where passwords are required, like ERNA?
“We aren’t planning to use diceware for ERNA accounts soon, because the ERNA login systems don’t support it. We are currently upgrading these systems and working on more modern password standards.”
Before 10 December
EUR now uses diceware to generate the password: a ‘passphrase’ of four random words instead of the usual password made up of letters, numbers and special characters. Many experts consider diceware passphrases both more secure and easier to remember. You can change your password via MyEUR. If you don’t, from 10 December you will no longer be able to access Eduroam.
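What makes a diceware passphrase strong is not the words but the way they are chosen: each word is picked uniformly at random from a fixed list, so the strength can be counted in bits. The following Python script is added here as an example and is not EUR's own generator. It draws words with a cryptographic random source, and compares the entropy of four words from the standard 7776-word Diceware list with that of a conventional eight-character password drawn from the 94 printable ASCII characters. The short word list in the script is a constructed sample so that it runs offline; a real deployment would load the full list from a file.

```python
"""Diceware-style passphrase generation and an entropy comparison with a
conventional random character password.

Added example for this article, not EUR's own generator. The word list
below is a short constructed sample so the file runs offline; the real
Diceware list has 7776 words, one per outcome of five dice rolls (6**5).
"""
import math
import secrets
from typing import List

DICEWARE_LIST_SIZE = 6 ** 5      # 7776 entries in the standard list
PRINTABLE_ASCII = 94             # characters usually allowed in a "normal" password

# Constructed sample list; a real list would be read from a file.
SAMPLE_WORDS = ["apple", "brick", "cloud", "delta", "ember", "flint", "grape", "house"]


def roll_dice(n: int = 5) -> str:
    """Roll n dice with a CSPRNG and return e.g. '31562', the key used to
    look a word up in the printed Diceware list."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def generate_passphrase(words: List[str], n_words: int = 4, sep: str = " ") -> str:
    """Pick n_words uniformly and independently from the list. secrets.choice
    is used because random.choice is not designed for secrets."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words chosen uniformly from list_size words: n * log2(size)."""
    return n_words * math.log2(list_size)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of 'length' characters chosen uniformly from
    alphabet_size symbols. Human-chosen passwords are far below this bound."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("sample dice roll:", roll_dice())
    print("sample passphrase (from the tiny constructed list):",
          generate_passphrase(SAMPLE_WORDS))
    print(f"4 words from 7776: {passphrase_entropy_bits(DICEWARE_LIST_SIZE, 4):.1f} bits")
    print(f"8 random printable ASCII chars: {password_entropy_bits(PRINTABLE_ASCII, 8):.1f} bits")
    for bits in (64, 80):
        print(f"words for {bits} bits: {words_needed(bits)}")
```

Four words from the full list give about 52 bits, roughly the same as eight truly random printable characters, and five words pass 64 bits. The comparison holds only while the choice stays random: a user who swaps a word for one they prefer, or who reuses the eight characters they already know, removes most of the counted entropy.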