
WPA2 Enterprise security


aryakangler


I'm using OS X 10.11.3 on university WiFi networks (2G & 5G APs depending on your location on campus). WPA2-Enterprise [EAP-TTLS (MSCHAPv2)].



I've always been interested in breaking things, but never interested enough to risk violating the ambiguous CFAA. Of course the university also has a strict Computer & Network Security Policy. Therefore, I am in no way attempting to (or asking for information to assist in) violating either of these. My interest is purely in personal privacy and security.



I am constantly looking at the available networks and have noticed that although prohibited by the university, you don’t have to wander much to find at least one rogue AP. I suspect these APs are merely personal hotspots, but it seems possible more nefarious reasons could be lurking. One thing I've noticed is occasionally my WiFi connection drops, and a dialog box pops up requesting my login information. When this occurs, I simply close the dialog box, and I am quickly reconnected to the network. This led me to ponder the possibility of someone running a MITM-style attack. Having never connected to a WPA2-Enterprise network before, I regretfully didn't pay much attention to the process. I admittedly followed the setup procedures without really questioning things. I cannot find where Apple stores the CA I accepted upon first connection, but I am concerned about its validity. I went as far as deleting the network and adding it again but was not presented with a CA. Is this even a concern? If I understand what I've read, allowing users to accept a CA that is not trusted by Apple is not a good idea. In these cases it sounds as if manual configuration by IT staff is necessary.



I can’t find information regarding the login prompts that occasionally pop up, and if they are legitimate, how I am able to stay connected after not providing information. I believe I have located an area on campus that consistently causes a login prompt. However, I'm guessing I've been handed over to several different APs in the network extension, so maybe this is why? This question has also led me to wonder what type of activity network admins have access to. Do network admins also have the ability to monitor the pages I view? I.e., do they know I read The Hacker News daily, or visit Hak5 forums, etc.? I assume a WIDS is in use. But… then why, or how, are these rogue APs consistently detected? Any sort of useful packet capture over 802.11x networks is next to impossible, right? I haven't attempted any sort of network scan other than monitoring APs beaming SSIDs. My interpretation of the CNSP doesn't sound as if they find it acceptable to poke around their network for possible holes.




Accepting the CA is a very different step to connecting to a network. When you accepted the public cert of the CA it was added to your device (no idea where). When you then connected to the school network, your device accepted the encrypted connection because it could now verify its validity using this public cert. The trust model here is that only those with the private key to that CA cert can provide you with data over this connection, so a rogue AP can only kick you off this network and try to get you to connect to a different network that uses different encryption, if any. The login pop-up is called a captive portal and you might want to read up on that.

Also...

allowing users to accept a CA that is not trusted by apple is not a good idea

BULL SHIT!

You can accept any CA that you want and Apple can suck the high hard one if they have a problem with that.

The thing to remember is that when you accept a CA's cert as trusted, you thereby grant the owner of that CA the privilege to vouch for the identity of someone else - you want to talk to machine X but have no means of verifying the machine you're talking to is actually X (MitM attacks and such), so machine X presents you with a cert to which only it has the private key. That's all nice, but again, how do you know this cert is machine X's real cert? You know because any one of the CAs which you've trusted has signed that public cert and in doing so is telling you "I know machine X and vouch for the fact that this is the real machine X". If you didn't have that CA's cert, your device will likely ask you "do you trust this cert for machine X which is signed by A (and B and C)", where A might even be X (self-signed, common in more internal network-focussed scenarios where the investment in a cert is seen as an unnecessary expense). If you say 'yes' to this, that cert will be added to your device and any subsequent secure communication with machine X will work based on the use of that cert.

Edited by cooper
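As an added illustration (not from this thread and not from either poster), here is a pair of wpa_supplicant network blocks for the EAP-TTLS (MSCHAPv2) setup the original post describes: first without and then with the CA pinning and server-name check that make the trust model in the reply above enforceable. The SSID, identity, CA file path and RADIUS hostname are assumed placeholders; OS X applies the same settings through a configuration profile rather than this file.

```conf
# Added example (not from this thread). All names and paths are placeholders.

# WEAK: no CA pinned and no server-name check. The supplicant will finish the
# outer TLS tunnel with whatever RADIUS server answers for this SSID, so the
# inner MSCHAPv2 exchange may be handed to an unverified peer. Any OS prompt
# "do you trust this certificate?" is the only thing standing in the way,
# and that prompt looks identical for the real server and a rogue one.
network={
    ssid="Campus-Secure"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="student@example.edu"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the campus CA and require the server certificate to carry the
# expected name. A certificate signed by any other CA (even a publicly trusted
# one), or by the right CA but issued for a different host, is rejected before
# the inner credentials are ever sent, and no trust prompt is shown.
network={
    ssid="Campus-Secure"
    key_mgmt=WPA-EAP
    eap=TTLS
    # Outer identity sent in the clear; the real username stays inside the tunnel.
    anonymous_identity="anonymous@example.edu"
    identity="student@example.edu"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
    # Only certificates chaining to this CA are accepted for the tunnel.
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    # The server certificate's name must end in this suffix.
    domain_suffix_match="radius.example.edu"
}
```

The check worth keeping in mind is that `ca_cert` alone is not enough when the pinned CA is a public one: without `domain_suffix_match` (or `altsubject_match`), any server holding a certificate from that CA would pass.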
