eduroam advisory – Mutual Authentication

The eduroam team is aware of a vulnerability report originally from WizCase and republished from numerous secondary sources regarding eduroam. There were similar publications (Bartoli et al.) in the past about Wi-Fi security, some specific to eduroam or the technologies that build eduroam, that also received analysis in the eduroam community.

eduroam is based on the most secure encryption and authentication standards in existence today, using Enterprise Wi-Fi standards; its security by far exceeds typical commercial hotspots or home Wi-Fi.  As with all systems, incorrect configuration can cause security issues: eduroam is no more or less affected than any other enterprise Wi-Fi network. To ensure a secure set-up, there is nothing you need to do for eduroam that you wouldn’t already need to do for any other Wi-Fi network that uses the WPA Enterprise (802.1x and EAP) standards.

eduroam provides an overview of its security on this site and supports organisations to configure eduroam correctly.  Users should ensure that they either:

  • Follow proper installation processes given to them by their organisation; or
  • Use configuration profiles provided by the organisation via the eduroam Configuration Assistant Tool (CAT) or geteduroam.

Organisations with proper instructions and/or configuration profiles as above take all necessary security precautions, and users following those instructions are secure, even when the authentication method TTLS-PAP is used. It is therefore inappropriate to call out organisations with such instructions as being negligent in terms of security.

Only poor configuration of eduroam can lead to so-called man-in-the-middle attacks via rogue hotspots.  It is important that when a user sees an “eduroam” connection that they can trust that it is an authentic hotspot.  Proper installation processes and configuration profiles ensure that user information is only sent to the home organisation. These checks are similar to those you might take before entering your bank credentials – such as checking the domain name of your bank and ensuring the browser “lock” is in place. Likewise, in eduroam a user must never disable the security validation or accept a rogue certificate in order to connect.

Properly configured eduroam clients will never leak credentials to rogue Access Points, regardless of the authentication type they use, and they will not connect to these networks either.

More technical information for implementers can be found on the eduroam wiki.


Skip to content