At CERN, the WiFi in use does not employ any encryption. This means that it is a plain, standard Wi-Fi network with no authentication.

However, it is mandatory to register each device when first connecting to this internal network, for security purposes. Obviously, the device model, the name of the owner, the MAC address, and the MAC/IP address of the access point from which one registers such a device are recorded.

How secure is this setup? Doesn't this setup allow a "malicious" device that is registered on the campus network to capture unencrypted traffic between a third-party device and any WiFi access point?

Also, even if a connection is encrypted, as on https://security.stackexchange.com, such an attacker could still see the IP address requested. Is that so?

schroeder
  • The initial connection is unencrypted, but little sensitive information is exchanged. It is then upgraded to an encrypted connection. Wireless networks are often this way because the standard for beacon frames specifies only one bit for indicating security, and that bit indicates WEP, so if you see this, avoid it (there are additional options for other authentication, but they are optional). In short: it's likely safe; it just encrypts everything after you've connected. If in doubt, use a VPN. – Pheric Oct 02 '20 at 14:57
  • Also, you can listen for wifi frames without being associated to a network. Wifi antennas blast data in all directions and if you have the right hardware you can read everything going on around you. You may be confusing this with intercepting traffic like HTTP. Is that registration page (called a captive portal) HTTP or HTTPS? If it's HTTP, then theoretically one could read your information if they could man-in-the-middle your traffic. – Pheric Oct 02 '20 at 15:00
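The question asks whether an observer still learns the requested address when the connection itself is HTTPS. The following added example (not part of the original question or its answers) constructs a minimal TLS ClientHello and parses the Server Name Indication out of it: on an open network a passive listener sees the destination IP and port of every connection and, for most HTTPS connections, the plaintext server name in that first handshake message, while the request path and content stay encrypted. The ClientHello bytes are constructed here rather than captured, the destination address is a documentation address, and `build_client_hello`, `extract_sni` and `visible_to_observer` are names chosen for this example.

```python
"""What a passive observer on an open Wi-Fi network still learns from an
HTTPS connection: the destination IP and port, and the server name sent in
plaintext in the TLS ClientHello (SNI).  Added example, not from the
original thread; the ClientHello is constructed here, not captured.
"""
import struct


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying one SNI entry."""
    host = server_name.encode("ascii")
    # server_name extension body: list length, name_type 0 (host_name), name length, name
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(entry)) + entry
    extension = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x11" * 32                           # random (fixed value; constructed)
        + b"\x00"                                # session_id length: 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                      # truncated handshake
        pos = 2 + 32                         # skip client_version and random
        pos += 1 + body[pos]                 # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                 # compression_methods
        if pos + 2 > len(body):
            return None                      # no extensions at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            # extension 0 = server_name; data = list length (2), name_type (1), name length (2), name
            if etype == 0x0000 and len(data) >= 5 and data[2] == 0x00:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None


def visible_to_observer(dst_ip: str, dst_port: int, record: bytes) -> dict:
    """Summarise what the open network exposes for one TLS connection."""
    return {"dst": f"{dst_ip}:{dst_port}", "sni": extract_sni(record)}


if __name__ == "__main__":
    hello = build_client_hello("security.stackexchange.com")
    # 203.0.113.10 is a documentation address, used here as a constructed destination
    print(visible_to_observer("203.0.113.10", 443, hello))
```

The parser deliberately returns None rather than raising on short or non-handshake input, since captured records are often truncated. The Encrypted Client Hello extension to TLS is intended to hide the SNI, but it is not universally deployed, and the destination address remains visible regardless; that is why the answers below treat a VPN or other tunnel as the only way to hide where traffic is going.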

2 Answers

At the front end, it may not seem very secure. All that is used for verification is the MAC, and that is easily spoofed. An unregistered device on the campus should be able to sniff the network traffic as well. But you need to be on location (or close by).

CERN has explicitly chosen to offer just a bare level of security on the network. Or, to put it in CERN's own words:

At CERN, the individual users are in first instance responsible for securing their computers, networks, data, systems & services.

(CERN Computer Security Announcements)

and

As the “CERN” Wi-Fi network security mode is “open”, no specific settings are required (no WPA, no 802.1x options, etc…), but please note that this also means that the traffic you send over the Wi-Fi network is not encrypted. You should ensure that any sensitive data is encrypted at the application level (SSH, HTTPS, SSL, VPN, etc.).

(CERN WIFI Service FAQ)

On the other hand, most traffic is encrypted anyway (SSH, HTTPS, etc.).

In addition, CERN does quite a bit of security monitoring.

So, is it safe? For CERN, safe enough. Would this set-up work in other areas, like financial institutions? Probably not.

Ljm Dullaart

This isn't really that secure. First, anyone with a laptop in range can capture any Wi-Fi packets sent with a tool like Kismet or similar. If those packets are not encrypted, then anyone can intercept them. Moreover, any reasonably determined attacker can also send spoofed packets pretending to be from an authenticated user whose MAC address and IP address they can determine. Using a secure WPA2 or WPA3 configuration, whether using PSK or EAP, prevents this from happening.

Second, anyone who is able to be on the network (whether that's by spoofing packets as above or as a real, legitimate user) can probably intercept traffic for any device on that network provided it's on the same VLAN. For IPv4, this is done via an ARP spoofing attack, which can be carried out with a tool like Ettercap. WPA2 and WPA3 prevent random people from doing this unauthenticated, but of course that doesn't prevent a malicious user who is legitimately authenticated from doing this.

Even with WPA2, it's still possible for a random attacker to conduct certain attacks, such as disassociation attacks, unless 802.11w management frame protection is used. WPA3 makes 802.11w mandatory, so these attacks cannot succeed there.

However, having said all that, this is no less insecure than being on the Internet in general. We assume on the Internet that bad actors can tamper with any data that is not integrity protected and can read any data that is not encrypted. We therefore use strong encryption with robust integrity protection, such as TLS (used in HTTPS) or SSH, for almost all our data. Even public data such as DNS responses may be encrypted or signed (e.g., with DNSSEC) to ensure its integrity and prevent bad actors from tampering with it.

I suspect CERN realizes this and is more interested in making it difficult for bad actors to send packets from their network to elsewhere on the Internet. They know that modern users use secure protocols for almost everything online. Additionally, setting up WPA2-EAP requires a special profile to be set up on iPhones and can't be done without that special profile, adding additional burden for some users.

If this were my network, I would set up something like WPA2-EAP with EAP-TTLS because it's a good defense in depth measure and it makes it harder for people to be a bad actor on the network by spoofing other users. It also provides a small amount of protection for data which is normally sent unencrypted, like DNS requests.

bk2204
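bk2204's answer points out that WPA2/WPA3 keeps unauthenticated devices off the segment but does nothing against an authenticated user running ARP spoofing against others on the same VLAN. The following added example (not part of the thread) shows the detection side of that risk: it scans a list of ARP replies and flags an IP address that is suddenly announced from a different MAC, with the gateway binding pinned as a known-good value, plus a single MAC that starts answering for several IPs. The ARP replies and the gateway binding are constructed sample data; `detect_arp_spoofing` is a name chosen for this example.

```python
"""Flag ARP-spoofing evidence in a stream of ARP replies.

Added example, not from the original thread. Each reply is
(timestamp, sender_ip, sender_mac) as read from an ARP reply frame;
the replies and the gateway binding below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample: consistent gateway replies, two hosts, then a second
# MAC announcing the gateway's IP and a host's IP (the poisoning pattern).
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1",  "aa:bb:cc:00:00:01"),  # real gateway
    (1.0, "10.0.0.23", "aa:bb:cc:00:00:23"),
    (2.0, "10.0.0.42", "aa:bb:cc:00:00:42"),
    (3.0, "10.0.0.1",  "aa:bb:cc:00:00:01"),  # gateway again, same MAC
    (4.0, "10.0.0.1",  "de:ad:be:ef:00:99"),  # different MAC claims gateway IP
    (4.5, "10.0.0.23", "de:ad:be:ef:00:99"),  # same MAC now claims a host IP
]

# Assumed static binding the operator knows to be correct (constructed).
KNOWN_GATEWAY = {"10.0.0.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoofing(replies, known_bindings):
    """Return a list of alert dicts for IP/MAC conflicts.

    Bindings in known_bindings are pinned; other IPs are learned from the
    first reply seen and never overwritten, so a later reply from a
    different MAC is reported rather than trusted.
    """
    bindings = dict(known_bindings)
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = bindings.get(ip)
        if prev is None:
            bindings[ip] = mac
        elif prev != mac:
            kind = "gateway-impersonation" if ip in known_bindings else "ip-mac-conflict"
            alerts.append({"ts": ts, "kind": kind, "ip": ip,
                           "expected_mac": prev, "seen_mac": mac})
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) == 2:
            # Reported once, at the moment a MAC starts answering for a second IP.
            alerts.append({"ts": ts, "kind": "one-mac-many-ips", "mac": mac,
                           "ips": sorted(ips_per_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, KNOWN_GATEWAY):
        print(alert)
```

On a real network the tuples would come from a capture on the wireless interface; correlating alerts with DHCP lease changes cuts false positives, since a reassigned address legitimately moves to a new MAC, and a router answering for several of its own addresses is expected rather than suspicious. Client isolation on the access point, which stops associated stations from talking to each other directly, is the usual preventive counterpart to this kind of monitoring.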