7

My university has a wireless network I log into with my username and password. It's using PEAP. My phone and laptop automatically connect to this SSID when they detect the network.

If someone sets up a hotspot using the same SSID and my phone or laptop sees this SSID, they are going to connect to this network, assuming it's the university's network. The login obviously fails (as I do not expect the cheeky guy who set up this oddly named hotspot to be aware of my username and password).

How do my username and password remain safe? E.g. this guy cannot see which username and/or password I'm using to try to log in to the network, though the university network is able to verify and allow me on the network.

Can someone explain this to me?

Thanks!

Luc
Jochem Kuijpers

1 Answer

6

Your phone or laptop will not necessarily automatically connect to that alternate AP, because even though it has a known SSID, it also has a MAC address which does not necessarily match the one at your home. Whether a given system will be ready to disregard the MAC address change depends on that system (from an explicit experiment at home, I can say that Windows 7 will not automatically connect to a known SSID if the access point MAC address does not match). Of course, an evil attacker may have followed you home, stopping just outside of your door, and recorded the MAC address of your own WiFi AP, so that he could mimic it with his own fake AP.

Assuming that your phone/laptop does indeed connect, PEAP includes SSL/TLS, and this should protect you (subject to some caveats; see below). Basically, when using PEAP, the client (your device) opens an SSL connection with the access point, and will proceed to sending your username and password only after having duly validated the access point's certificate. This mimics the situation with an HTTPS Web site: the client first makes sure that it talks to the right server, and sends sensitive data only through the SSL encryption umbrella.

There are some subtle points with validation of the certificate. Revocation status will probably not be checked, because your device is trying to obtain its Internet connection, and thus won't be able to download a CRL yet. See the draft protocol for details. Also, it is a bit unclear how the client goes from "this is a valid certificate" to "this is a valid certificate for the access point I intend to talk to". I expect most WiFi/PEAP clients to record the certificate sent by the AP upon the first connection, and then to automatically reconnect (with the sending of username and password) only if the AP still sends the exact same certificate, or a certificate advertising the same server name.

Tom Leek
  • 1
    *"it also has a MAC address"* This isn't always checked. I think Symbian did, Android 4.1 doesn't seem to. Wouldn't this cause problems with multiple APs from one network? I'm sure Android and Windows handle this right, so I'd guess the MAC is not checked for that reason. *"I expect most WiFi/PEAP clients to record the certificate sent by the AP upon the first connection"* I'd expect that too, but I'm not sure. I couldn't easily find an answer to this on Google. Linux Mint asks whether to accept the self-signed certificate, Windows and Android don't. – Luc Sep 24 '13 at 19:20
  • This answers my question almost completely, one thing remains unclear though: How is the university network able to verify my credentials and still hide my credentials from the 'fake access point' (the hotspot)? – Jochem Kuijpers Sep 24 '13 at 19:26
  • 2
    Your laptop won't send the credentials to an access point using PEAP if it has not yet verified that it is the correct AP by checking the certificate that the AP sends to it. The exchange should go like this (roughly): AP: "Hi everyone, I'm the university AP" PC: "Hi AP, I'm a laptop that belongs on your network" AP: "Cool PC, we're still using PEAP, so here is my ID" PC: "Yup, looks good to me, my user is JochemKuijpers" AP: "What's his password?" PC: "sdfsjkafsk" AP: after whispering to a server behind him "That checks out, come on in" – Rod MacPherson Sep 24 '13 at 20:21
  • 2
    With a malicious AP trying to spoof, the exchange would look like this .... AP: "here's my ID" PC: "That's so fake!" rolls eyes and walks away. :) – Rod MacPherson Sep 24 '13 at 20:31
  • @RodMacPherson So a PC is the computer equivalent of a 13yo girl? Macs ftw! :P –  Sep 25 '13 at 03:28
  • @TerryChia Just trying to make it easy to understand and interesting to read. Tom already tried a technical answer. – Rod MacPherson Sep 25 '13 at 16:44
  • @RodMacPherson Thanks! Good addition to Tom Leek's answer. – Jochem Kuijpers Sep 25 '13 at 18:17
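The decision point that Tom Leek's answer and Rod MacPherson's "here's my ID / That's so fake!" exchange both describe, as an added Go example that is not part of the original thread and not code from any supplicant or RADIUS implementation: the client checks the certificate the access point presents in the outer TLS handshake against the CA it trusts and the server name it expects, and only then releases the inner credentials. Everything here is constructed for the demonstration: the university CA, the names `radius.university.example` and `guest-portal.university.example`, and the placeholder password. Real X.509 chain and hostname validation from Go's standard library does the checking, so the three cases (the genuine server, a self-signed certificate with the same name, and a CA-signed certificate for a different host) behave as a correctly configured supplicant would treat them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names and values for the simulation; none come from a real deployment.
const (
	radiusName = "radius.university.example"       // name the supplicant is configured to expect
	otherName  = "guest-portal.university.example" // a different host under the same CA
	username   = "JochemKuijpers"
	password   = "example-password" // placeholder, never a real credential
)

// newCert generates a P-256 key and a certificate for name. With parent == nil
// the certificate is self-signed; otherwise it is signed by parent/parentKey.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Server certificates carry the host name as a SAN, which is what the name check uses.
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Outcome records what the supplicant did with one access point's certificate.
type Outcome struct {
	Validated       bool   // chain reached a trusted CA and the leaf carried the expected name
	CredentialsSent bool   // identity and password were released into the tunnel
	Reason          string // verification error when Validated is false
}

// Supplicant is the client side of PEAP as configured on the phone or laptop.
type Supplicant struct {
	Roots        *x509.CertPool // CA trusted to sign the authentication server's certificate
	ExpectedName string         // DNS name the server certificate must carry
}

// Attempt models the PEAP decision point: the outer TLS handshake hands the client
// the AP's certificate chain, and the inner credentials go out only if it verifies.
// A client with no CA configured, or one that skips the name check, would hand its
// credentials to anything broadcasting the SSID.
func (s Supplicant) Attempt(chain []*x509.Certificate) Outcome {
	opts := x509.VerifyOptions{
		Roots:         s.Roots,
		DNSName:       s.ExpectedName,
		Intermediates: x509.NewCertPool(),
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, c := range chain[1:] {
		opts.Intermediates.AddCert(c)
	}
	if _, err := chain[0].Verify(opts); err != nil {
		return Outcome{Reason: err.Error()} // tunnel abandoned; nothing sensitive left the device
	}
	// Inner authentication (MSCHAPv2 in most deployments) would run here, inside the tunnel.
	_ = username + ":" + password
	return Outcome{Validated: true, CredentialsSent: true}
}

// buildPKI constructs the university CA and three server certificates: the real
// RADIUS server, a self-signed one reusing its name, and a CA-signed one for another host.
func buildPKI() (roots *x509.CertPool, legit, selfSigned, wrongHost *x509.Certificate) {
	ca, caKey := newCert("University Root CA", true, nil, nil)
	legit, _ = newCert(radiusName, false, ca, caKey)
	selfSigned, _ = newCert(radiusName, false, nil, nil)
	wrongHost, _ = newCert(otherName, false, ca, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, legit, selfSigned, wrongHost
}

func main() {
	roots, legit, selfSigned, wrongHost := buildPKI()
	s := Supplicant{Roots: roots, ExpectedName: radiusName}
	cases := []struct {
		label string
		cert  *x509.Certificate
	}{{"university AP", legit}, {"self-signed cert, same name", selfSigned}, {"CA-signed cert, other host", wrongHost}}
	for _, c := range cases {
		o := s.Attempt([]*x509.Certificate{c.cert})
		fmt.Printf("%-28s validated=%-5t credentialsSent=%-5t %s\n", c.label, o.Validated, o.CredentialsSent, o.Reason)
	}
}
```

Only the first case ends with credentials sent; the self-signed certificate fails the chain check even though its name matches, and the CA-signed certificate for the wrong host fails the name check even though the CA is trusted. That second failure is the point Tom Leek's answer flags as "a bit unclear": a supplicant that trusts the CA but never pins the expected server name would accept any certificate that CA has ever issued, which is why supplicant configurations expose a server-name or domain-match setting alongside the CA certificate.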