
eduroam(UK) Advisory: WPA2 Key Reinstallation Attacks vulnerability, KRACK

Released: 24th October 2017

This advisory is relevant to all eduroam(UK) Home (IdP) and Visited (SP) service organisations. Its aim is to bring the vulnerability of WPA2 to Key Reinstallation Attacks (KRACK) to the attention of our community and to describe the position of eduroam.org together with recommended actions to be taken.

Background and scope:

The WPA2 Key Reinstallation Attacks vulnerability, KRACK, was discovered by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven and first publicised on 16th October, gathering much media/internet attention. Whilst this is a Wi-Fi issue and not core eduroam, since we mandate use of WPA2 for eduroam Wi-Fi, a statement on the vulnerability is appropriate.

The eduroam.org position is described here: https://www.eduroam.org/2017/10/18/key-reinstallation-attack-and-wpa2/ and the discoverer of the vulnerability has described it in detail at https://www.krackattacks.com/

Summary:

An attacker within range of a victim can exploit weaknesses using key reinstallation attacks (KRACKs). In the attack, a temporal encryption key (essentially a bitstream meant to work as a one-time pad), which is meant to be used only once (a per-packet key), is forced to be used more than once. This can lead to the attacker being able to read information that was previously assumed to be safely encrypted. Sensitive information such as credit card numbers, passwords, chat messages, e-mails, photos, etc. can be stolen. Depending on the network configuration, it is also possible to inject and manipulate data, resulting in, for example, the injection of ransomware or other malware into websites. Although websites or apps may use HTTPS as an additional layer of protection, it is warned that this extra protection can still be bypassed in a worrying number of situations, including in Apple's iOS and OS X, in Android apps and even in VPN apps. The attack is directional, meaning that the direction (client to AP or AP to client) in which packets can be decrypted (and possibly forged) depends on the handshake being attacked. Manufacturers are responding and patching is becoming available for both APs and clients.
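The effect of reusing a per-packet keystream, as an added illustration that is not part of the original advisory: when the same key is installed a second time and the packet counter restarts, two packets are encrypted with the same bitstream, and a client that ignores the repeat install avoids this. The keystream function is a toy stand-in built on HMAC-SHA256 (not the real WPA2 cipher), the `Client` class and all names are hypothetical, and the key and packets are constructed sample values.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"    # constructed sample values, not real traffic
P1 = b"first sample packet"
P2 = b"second demo message"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy per-packet keystream: HMAC-SHA256(key, nonce || block counter)."""
    out, block = b"", 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical model of a client's key state (illustrative only)."""

    def __init__(self, patched: bool):
        self.patched, self.key, self.nonce = patched, None, 0

    def install_key(self, key: bytes) -> None:
        # A patched client ignores a repeat install of the key already in
        # use, so the packet counter keeps counting instead of restarting.
        if self.patched and key == self.key:
            return
        self.key = key
        self.nonce = 0  # (re)installation resets the per-packet counter

    def encrypt(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        return xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))


def leaked_xor(patched: bool, p1: bytes, p2: bytes, key: bytes) -> bytes:
    """Encrypt p1, install the same key again, encrypt p2; return c1 XOR c2."""
    client = Client(patched)
    client.install_key(key)
    c1 = client.encrypt(p1)
    client.install_key(key)  # the same key is installed a second time
    c2 = client.encrypt(p2)
    return xor(c1, c2)
```

For the unpatched client the keystream cancels out, so `leaked_xor(False, P1, P2, KEY)` equals `xor(P1, P2)` and knowing one packet reveals the other; for the patched client the two packets use different keystreams and the result is unrelated to the plaintexts.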

Action advised:

It is recommended that Wi-Fi network administrators closely monitor the availability of software updates from vendors and patch as soon as possible. An intermediate measure is to disable 802.11r (aka Fast Roaming) on APs until an update is available. Users should be made aware that until their phones, tablets and laptops are patched, there is a risk to the security of sensitive information transmitted over all WPA2 networks (including home, café, airport and other enterprise wireless networks). However, WPA2 represents the best currently available technology and reversion to other techniques is not advised.