Hokie Privacy

Wifi Security

As of January 2015, Virginia Tech now offers several ways to connect to wifi:

• VT-Wireless, an encrypted general purpose network

• CONNECTtoVT-Wireless, an unauthenticated captive portal network used for initial setup of VT-Wireless

• eduroam, a federated network access service for users visiting from other participating universities

VT-Wireless Encryption

VT-Wireless supports two methods of connection: PEAP-MSCHAPv2 with a network password and EAP-TLS with certificates.

The instructions provided for setting up both methods do not configure your device to properly validate the TLS server certificate. In some situations, such as on Android, it is not possible to configure proper validation at all, while on other platforms it requires additional setup which is not documented by CNS. Failure to set up this proper validation means that the access points you connect to are not properly authenticated, so anyone can set up a rogue “VT-Wireless” access point and use it to conduct a man-in-the-middle attack on your traffic. If done properly, this will be completely transparent to you.

In the case of PEAP-MSCHAPv2, where you use your PID and network passphrase to authenticate, this lack of authentication also means that anyone who has setup a rogue access point can conduct attacks to recover your network passphrase, allowing someone to impersonate you on both wifi and the VPN. Although MSCHAPv2 is supposed to protect against this, design flaws in the protocol rendered the protections it claims to provide useless. Some of the attacks on MSCHAPv2 are detailed below.

• Bruce Schneier published a cryptanalysis revealing that authentication was vulnerable to a dictionary attack on a user’s password as it does not use any encrypted key exchange.

• A 2001 paper by Jochen Eisinger demonstrated a practical rainbow tables attack on MSCHAPv2.

• In 1998, the EFF built Deep Crack, a cluster of ASICs able to brute force the 56-bit DES keyspace in 56 hours for the cost of $250,000. This would allow your network passphrase to be recovered.

• At DEFCON 20, security researchers demonstrated a way to decrypt the MSCHAPv2 session, including your network passphrase, with a 100% success rate. A tool has been open-sourced to assist with this, and a cloud service offers decryption for $17 in 20 minutes.

Best Practice Recommendations

Due to the severe MSCHAPv2 vulnerabilities, users are urged to setup certificates for authentication. Instructions for doing so on Linux are available on VTLUUG’s wiki, and CNS directly supports Windows and OS X.