2

On our campus, there are WiFi routers almost everywhere (at least inside buildings) but some areas definitely have a spottier connection, since the campus is quite large and there are many big open outside areas.

Now to connect to their WiFi, when you attempt to connect to it, it prompts you for your student username and student password (can't remember the type of connection this is off the top of my head).

What's to stop someone from walking around with a laptop acting as a router with the same name as the real routers, automatically collecting my student username and password as I walk by it? If nothing really, is there something that I should be doing so that my username and password aren't collected, besides simply not using the provided WiFi?

RoboKaren
  • Can you specify whether you enter the username and password on the website (it's called a captive portal) or in the operating system WiFi dialog? – Aria Sep 16 '16 at 19:25
  • If you are using the OS WiFi dialog, then you are very good (the best security option on WiFi). If you are using a captive portal, you need a TLS (SSL, or HTTPS) connection (starting with https://). Then, every time your connection is not https, everyone nearby can potentially see your traffic and also perform a variety of attacks. – Aria Sep 16 '16 at 19:28
  • You can try using "HTTPS Everywhere" browser add-on and start playing with it. – Aria Sep 16 '16 at 19:35
  • @Aria Why would using the OS WiFi dialog be secure? It does not protect against an evil twin attack on WPA2. – Anders Sep 16 '16 at 20:59
  • If the dialog asks for a username and password, that would mean it's EAP-WPA2, which protects from an evil twin attack if configured properly on Linux with e.g. a root CA cert, or with good settings on Windows 10, or good user training. I am testing it on Windows 10 now and it seems the default Windows 10 settings are quite complex, so I don't know it well yet. – Aria Sep 16 '16 at 21:07

3 Answers

1

With Captive Portal connections, about the only thing you can do is to ensure that the captive portal site is accessed only via HTTPS and make sure that the certificate is correct. If you get any kind of a certificate warning, don't connect.

You also need to take some care not to have non-secured network connections running at any time. Make sure any email clients are connecting securely, and remember that anything that connects without encryption, even once connected to Wi-Fi, is potentially vulnerable.

You can also assume that something is always monitoring your traffic even with a valid connection. Stay clean. Don't connect to anything daft.

If you need extra protection for some reason, consider connecting via a mobile phone if you have sufficient data.

Julian Knight
0

There are two issues:

  • the spoofed AP grabbing your username and password when you login.

  • if the spoofed site then gives you internet access, it could also then continue to eavesdrop on your communications

The main answer dealt with the first issue. And it is likely that the rogue AP won't give you net access after you provide your credentials. They would be smart too as it would lessen your suspicions and also allow them to try to grab more passwords.

You should of course have randomized, unique passwords. Once you get connected, you should immediately kick in a VPN using a PSK, with all traffic including DNS passing through the VPN. That way, even if you have a man-in-the-middle attack from the AP, you've only lost your university account and not everything else at the same time.

RoboKaren
  • The problem isn't as much with the fact that they know my WiFi username and password, but that everyone's internet credentials ARE their regular University credentials as well – Brian Leishman Sep 17 '16 at 14:46
  • My answer is explicitly not addressing the university credential portion of the question. – RoboKaren Sep 17 '16 at 17:01
-1

Always check that the address begins with https and the certificate is valid (green lock in your browser).

Do NOT trust the WiFi name. It can be spoofed easily (and is likely to begin with just http).

V.Hedman