Clarification note on vulnerability disclosure involving eduroam

- 28/10/2021

We are aware that reports are circulating about a supposed misconfiguration in the eduroam Wi-Fi service that could expose students, faculty and staff to theft of their login credentials.

We clarify that what is being reported is in fact a well-known form of attack, not a flaw specific to eduroam, and that it can affect any enterprise Wi-Fi network.

The attack consists of setting up a rogue infrastructure that mimics the legitimate one, broadcasting the same wireless network name (SSID) or a similar one, so that the user's device connects to it and submits the user's credentials to the attacker. Correct client configuration, in particular validating the authentication server's certificate so that the device refuses to authenticate to an impostor, together with user guidance, is sufficient to avoid the risk.


About eduroam and security

Eduroam uses the latest standards for secure encryption and authentication, and its security is far superior to that of typical commercial hotspots or home Wi-Fi networks. However, as with any system, incorrect settings can create security problems; eduroam is neither more nor less exposed to them than any other enterprise Wi-Fi network.

To ensure a secure deployment, wireless network administrators must follow enterprise wireless networking standards and security recommendations. In addition, RNP and eduroam international provide their own recommendations for administrators and users.


User Guidelines

Users are advised to follow their institution's guidelines on authenticating to the service. Eduroam provides a setup wizard that configures the device for authentication, including the check that it is talking to the institution's genuine authentication server, which mitigates the risk of connecting to a fake eduroam network.
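As an added illustration of the "correct network settings" mentioned above and of what the setup wizard configures on the client (this is example code, not part of RNP's note or of the CAT/GET eduroam software), the following Python script audits wpa_supplicant-style network blocks for the two settings whose absence lets a rogue access point harvest credentials: a trust anchor (ca_cert or ca_path) and an expected server name (domain_match, domain_suffix_match or altsubject_match). The option names are wpa_supplicant's; the script, its finding codes and the two sample profiles (example.edu, the certificate path, the credentials) are constructed for this example.

```python
# Added example (not part of RNP's note): audit wpa_supplicant-style eduroam
# profiles for the settings that let an evil-twin AP harvest credentials.
import re

# wpa_supplicant options that anchor the client to the real RADIUS server.
CA_OPTIONS = ("ca_cert", "ca_path")
SERVER_NAME_OPTIONS = ("domain_match", "domain_suffix_match", "altsubject_match")


def parse_networks(config_text):
    """Parse every network={...} block into a dict of option -> value.

    Handles the subset of wpa_supplicant.conf syntax used in EAP profiles:
    one 'key=value' per line, optional double quotes, '#' comments.
    """
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", config_text, re.S):
        options = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip().strip('"')
        networks.append(options)
    return networks


def audit_network(options):
    """Return finding codes for one block; [] means the client will refuse a
    rogue AP whose RADIUS server presents a certificate the profile does not expect."""
    key_mgmt = options.get("key_mgmt", "").split()
    if not any(k.startswith("WPA-EAP") for k in key_mgmt):
        return []  # not 802.1X: the credential-harvesting evil twin does not apply
    findings = []
    if not any(opt in options for opt in CA_OPTIONS):
        # No trust anchor: the supplicant accepts any certificate, so the
        # attacker's RADIUS server terminates the TLS tunnel and receives the
        # inner credentials (a crackable MSCHAPv2 exchange, or plaintext for PAP).
        findings.append("NO_CA")
    if not any(opt in options for opt in SERVER_NAME_OPTIONS):
        # Trust anchor but no expected name: any certificate issued by that CA
        # is accepted. With a public CA, that is any certificate an attacker
        # can obtain for a domain they control.
        findings.append("NO_SERVER_NAME")
    return findings


def audit_config(config_text):
    """Return [(ssid, findings), ...] for every network block in the text."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(config_text)]


# Constructed sample profiles (hypothetical institution, not a real config).
WEAK_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    anonymous_identity="anonymous@example.edu"   # outer identity hides the real user
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"   # trust anchor
    domain_match="radius.example.edu"                    # expected server name
    phase2="auth=MSCHAPV2"
}
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        for ssid, findings in audit_config(text):
            print(f"{name}: ssid={ssid} findings={findings or 'none'}")
```

Run directly, the weak profile is flagged with both findings and the hardened one passes. A profile that sets a CA but no server-name match is still flagged, since with a widely trusted CA the attacker only needs a certificate for a name they own; the CAT wizard installs both the CA and the expected server name, which is why it mitigates the fake-network risk.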

Access CAT eduroam and download your institution's customized wireless network setup wizard. Wizards/installers are available for different types of devices. On mobile phones, access is through the GET eduroam app (Android and iOS) or the CAT eduroam app (Android versions below 8).

Access the User Manual

If you cannot find your institution in the CAT eduroam list or in the GET eduroam app, ask your institution's IT service to implement this configuration.


Guidelines for network administrators

In addition to applying the default security settings for enterprise Wi-Fi networks, network administrators are strongly recommended to create and maintain custom installers in CAT eduroam through its administration option.

If you administer eduroam at your institution and do not have access to the CAT yet, contact RNP's service team.

For more information access the User Help Center.