'Careful with that Roam, Edu': experimental analysis of Eduroam credential stealing attacks
Gringoli F.;
2022-01-01
Abstract
Eduroam, which stands for education roaming, is a world-wide Wi-Fi access and roaming service widely used by the international research and education community. Eduroam's authentication relies on the same long-term credentials used by students and professors to access critical education/research services. To assess the real-world security of Eduroam, we i) implemented a credential stealing attack based on a rogue Eduroam setup, ii) ran a controlled experiment with 37 relatively skilled real-world users (mainly electrical or computer engineering students), and iii) for four heterogeneous selected devices, investigated in more detail their dependence on different WPA-enterprise configurations and certificate settings. The outcome is that, even with a completely passive attack (users were keeping devices in their pocket), we stole credentials from more than one third of the participants. While most of the Eduroam vulnerabilities employed in this work should be considered somewhat known (being disclosed in former technical papers), our work appears to raise a threefold concern: i) most pragmatic Eduroam configurations appear to be grossly insecure; ii) no Apple iPhone fell to our attack, owing to the reduced possibility for a user to misconfigure the terminal; and iii) there is limited awareness of Wi-Fi authentication threats even in relatively skilled end users.