News Details

Thousands of User Accounts of Ulm University Members Open to Attackers

Ulm University

Eduroam is a service of scientific institutions worldwide to allow each others students and employees to connect to their Wi-Fi. This surely is one of the biggest examples of international cooperation in the scientific community. A lot of Eduroam user accounts are insufficiently secured and therefore open to attacks, as concluded by researchers of the Institute of Distributed Systems in collaboration with the Communication and Information Center (KIZ). It is possible to extract users' account data with comparatively low effort, due to often faulty configuration of the account data in smartphones with the Android Operating System.

"It is essential to provide the certificate of the German Telecom (Deutsche Telekom) when setting up the account. Unfortunately, as a default, Android does not use a certificate and does not warn the user about the dangers," says security researcher Thomas Lukaseder of the Institute of Distributed Systems. Manuel Strobel, Computer Science student at Ulm University, looked into this vulnerability within the scope of his bachelor's thesis. He concluded that while most Eduroam and Android users were certain that they used the certificate, in fact two thirds of all Android devices within the Eduroam network did not. This allows attackers easy access to the account data. Tests inside and in front of the university's main canteen, in lectures and on the way from and to the university confirmed the vulnerability of the account data of over 200 university members. However, the tests merely determined the susceptibility of account, rather than retrieving any sensitive data.

The researchers of Prof. Dr. Frank Kargl's research group at Ulm University found that 47% of all devices in the eduroam network at Ulm University where vulnerable and thus confirm similar results of a study conducted at the Ruhr-University Bochum. There, 52% of all Eduroam accounts were not secured correctly. This clearly shows, that this problem persists not only in Ulm and Bochum but most likely at every scientific institution taking part in the Eduroam network. The results of both studies are similar even though the installation guide in Bochum did not include the certificate until a few months before the tests, whereas the guide provided by the KIZ in Ulm was correct. Additionally, the study executed in Ulm looked into the extent of the vulnerability dependent on the chosen major of the students. It concluded that Computer Science students are the most affected as they use Android and Eduroam far more often than other students. Technical background on the other hand has no influence on whether the accounts are configured correctly.

The student account data could be used to look up all academic grades of the affected person, subscribe or unsubscribe them to courses and exams, or to read and write e-mails from their account. The potential consequences are even more dramatic in the case of employee data. For example, in case of an examiner's account, it could be possible to change students' grades and thus even cause the de-registration of students.

If you are affected by this vulnerability, you should change your Eduroam settings according to the manual Opens internal link in current windowpublished by the KIZ on their homepage or do not use Eduroam at all. Please make sure that you use the Certificate of the Deutsche Telekom. You should also change your password after securing your account.

 

Contact: Opens window for sending emailthomas.lukaseder(at)uni-ulm.de

Contact

Secretary's Office

Marion Köhler
E-Mail
Phone: +49 731 50-24140
available in the morning
Fax: +49 731 50-24142

Postal Address

Institute of Distributed Systems
Ulm University
Albert-Einstein-Allee 11
89081 Ulm

Visiting Address

James-Franck-Ring
Gebäude O27, Raum 349
89081 Ulm
Monday, Wednesday and Thursday all day
Tuesday and Friday mornings only.

Directions