SCP Security Seminar
Speaker: Hugo (Man Hong) Hue
Title: All your Credentials are Belong to Us: On Insecure WPA2-Enterprise Configurations
Abstract: In this paper, we perform the first multifaceted measurement study to investigate the widespread insecure practices employed by tertiary education institutes (TEIs) around the globe when offering WPA2-Enterprise Wi-Fi services. The security of such services critically hinges on two aspects: (1) the connection configuration on the client-side; and (2) the TLS setup on the authentication servers. Weaknesses in either can leave users susceptible to credential theft. Typically, TEIs prescribe to their users either manual instructions or pre-configured profiles (e.g., eduroam CAT). For studying the security of configurations, we present a framework in which each configuration is mapped to an abstract security label drawn from a strict partially ordered set. We first used this framework to evaluate the configurations supported by the user interfaces (UIs) of mainstream operating systems (OSs), and discovered many design weaknesses. We then considered 7045 TEIs in 54 countries/regions, and collected 7275 configuration instructions from 2061 TEIs. Our analysis showed that majority of these instructions lead to insecure configurations, and nearly 86% of those TEIs can suffer from credential thefts on at least one OS. We also analyzed a large corpus of pre-configured eduroam CAT profiles and discovered several misconfiguration issues that can negatively impact security. Finally, we evaluated the TLS parameters used by authentication servers of thousands of TEIs and discovered perilous practices, such as the use of expired certificates, deprecated versions of TLS, weak signature algorithms, and suspected cases of private key reuse among TEIs. Our long list of findings have been responsibly disclosed to the relevant stakeholders, many of which have already been positively acknowledged.
Biography: Man Hong Hue is a first-year Ph.D. student in Computer Science at the Georgia Institute of Technology (School of Cybersecurity and Privacy). His research focuses on network security, internet measurement, and usable security. The goal is to detect and address large-scale security threats/issues, considering human factors. He obtained a Bachelor in Information Engineering at the Chinese University of Hong Kong (CUHK) in 2020. Before joining Georgia Tech, he had been working with Prof. Sze Yiu Chau at CUHK and collaborating with Prof. Omar Chowdhury and Prof. Endadul Hoque. His work on the security of WPA2-Enterprise and PKCS1 v1.5 implementations has been published at the ACM Conference on Computer and Communications Security (CCS) in 2021.