Password security The pitfalls of eduroam

Using your home uni’s login data to access the Wi-Fi network of every other university – eduroam is the key. But users who don’t configure their computers or mobile phones correctly are at risk to be snooped on online. Researchers in the work group Information Security have found out: the login data and password on almost 50 per cent of the 1,300 tested user devices were not theft-proof.

Attackers set up fake access point

The idea behind eduroam (short for education roaming) is simple, yet brilliant: students and members of staff who spend a certain period of time at another university are able to use their home university’s login data to log into the Wi-Fi network of the university they are visiting – this saves time and effort, because there’s no need to apply for guest access. But any new technology will sooner or later attract hackers.

This is also the case with eduroam. Here, the attacker uses a laptop and a radio antenna to set up a fake access point; this enables him to find out password and user name. “If an attacker reads those data, he will gain access to many university services, including the user’s email account,” says Christina Pöpper, who has been heading the work group Information Security since 2013.

Fifty per cent of the tested devices vulnerable

She and her colleagues performed spot checks to identify how many devices at RUB are not sufficiently protected. In 2015 it turned out that almost 50 per cent of the 1,275 tested devices were vulnerable to attacks, pretty much like in the previous year. “The eduroam system is well thought-out,” explains the researcher. “However, it is based on the idea that users carry out all relevant installations on their devices. They constitute the best protection from attacks – provided they are performed correctly.” What kind of installations and how to run them is explained on the computer centre web pages.