A configuration flaw in a Wi-Fi system used by universities around the world, including in Brazil, can expose students, faculty and staff to theft of their access credentials. The flaw lies in Eduroam, a roaming network administered on a community basis by the technology departments of the institutions themselves, which are also responsible for the certificates and the authentication platforms the free network depends on.

The flaw was discovered by WizCase researchers led by Ata Hakçil. According to the team, Android and Windows devices are susceptible, while only iOS users are immune. The issue was found at the end of last year and disclosed only now, to give institutions time to change their systems. From Brazil, the list includes Unicamp, UFPR, UNIRIO, UFMT, Universidade de Brasília and more than two dozen others; of the 3,100 networks of this type analyzed worldwide, more than half could be exploited by attackers because the check that should verify the authentication server's certificate was misconfigured.

By setting up a fake network with the same name and attributes, an attacker can get devices configured to connect automatically to join it and send their data, believing they are talking to the university's real infrastructure. More specifically, the problem lies in how the institutions configure EAP, the Extensible Authentication Protocol. EAP is what lets Eduroam users sign in to the Wi-Fi with their individual credentials rather than a shared network password: the device first builds an encrypted tunnel to the authentication server and, in the last step of the exchange, hands over the user's credentials in plain text inside that tunnel. Without a properly configured certificate check, the device cannot tell the impostor's server from the real one, so the tunnel ends at the attacker and the credentials are readable there.
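The defence the article points at is on the client side: the connection profile must trust only the institution's CA and check the name of the authentication server. As an added example, not code from the article, from WizCase or from Eduroam, the Python script below audits wpa_supplicant network blocks (the supplicant used on Linux and, underneath the platform UI, on Android) and flags profiles that would accept an impostor's server. Both configurations, the certificate path, the hostnames and the identities are constructed for illustration and do not belong to any real institution.

```python
"""Audit wpa_supplicant profiles for EAP settings that let a rogue server harvest credentials.

Constructed example: the configs, paths and hostnames below are hypothetical.
"""
from __future__ import annotations

import re

# Weak profile: no trust anchor, no server-name check, and an inner method (PAP)
# that sends the password unchanged through the tunnel.
WEAK_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="student@university.example"
    password="hunter2"
    phase2="auth=PAP"
}
"""

# Hardened profile: pins the institution's CA and the RADIUS server name
# (hypothetical path and hostname) and hides the real username in the outer identity.
# A second, open network is included to show non-EAP profiles are skipped.
HARDENED_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@university.example"
    identity="student@university.example"
    password="hunter2"
    ca_cert="/etc/ssl/certs/university-radius-ca.pem"
    domain_suffix_match="radius.university.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="guest-wifi"
    key_mgmt=NONE
}
"""

TRUST_ANCHOR_KEYS = ("ca_cert", "ca_path")
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "altsubject_match", "subject_match")


def parse_networks(conf: str) -> list[dict]:
    """Return one dict of key/value pairs per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop trailing comments
            if "=" not in line:
                continue
            key, value = line.split("=", 1)           # phase2="auth=PAP" keeps its inner '='
            net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def is_enterprise(net: dict) -> bool:
    """True for 802.1X/EAP profiles (WPA-EAP, WPA-EAP-SHA256, IEEE8021X, ...)."""
    return any(tok.startswith(("WPA-EAP", "IEEE8021X"))
               for tok in net.get("key_mgmt", "").split())


def audit_network(net: dict) -> list[str]:
    """Findings for one profile; an empty list means it validates the server it talks to."""
    findings = []
    if not is_enterprise(net):
        return findings                       # PSK/open networks: no server to validate
    if not any(k in net for k in TRUST_ANCHOR_KEYS):
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(k in net for k in SERVER_NAME_KEYS):
        findings.append("no server name match: any certificate from the trusted CA is accepted")
    if re.search(r"\bauth=PAP\b", net.get("phase2", "")):
        findings.append("inner auth=PAP: password crosses the tunnel unchanged, readable by a rogue server")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: real username is sent unencrypted in the outer EAP identity")
    return findings


def audit_conf(conf: str) -> list[tuple[str, list[str]]]:
    """(ssid, findings) for every network block in a wpa_supplicant config."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(conf)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in audit_conf(conf):
            print(f"[{label}] {ssid}: {'OK' if not findings else ''}")
            for finding in findings:
                print(f"    - {finding}")
```

The first block is exactly the shape of profile the fake network exploits: with no `ca_cert` the supplicant completes the TLS handshake with whatever server answers, and with PAP as the inner method the password then arrives at that server as-is. Windows and Android expose the same two controls in their own profile settings (a trusted root CA and the server name to match); a profile that sets neither behaves like the weak block regardless of platform.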