I looked into ConnMan, and especially into the WPA Enterprise authentication used, for example, in eduroam and company networks. Currently it seems possible via developer mode to install a configuration file for ConnMan, which allows wpa_supplicant to verify that the authentication server certificate is certified by a certain certificate authority (CA). This, however, leaves an option to perform a man-in-the-middle attack and catch the user credentials using a different certificate signed by the same CA.
An example of this:
A company's or university's authentication server certificate is a Thawte SSL123 certificate signed by the Thawte CA. The ConnMan profile is configured to verify that the authentication server's certificate is verified by the Thawte CA. Because ConnMan does not support verification of certificate details such as the CN (usually the authentication server name), ConnMan instructs wpa_supplicant to accept any certificate verified by the Thawte CA. This creates an opportunity to set up a man-in-the-middle attack box where some other Thawte-signed certificate is used to lure the device to connect and send the user credentials to the attacker.
This same problem exists on the Android platform and most Linux distributions, even though the wpa_supplicant used for connecting to WiFi networks is perfectly capable of doing certificate detail and fingerprint checking.
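The CA-only condition described in the post can be audited on systems that drive wpa_supplicant from a `wpa_supplicant.conf` file. The script below is an added example, not code from the post or from ConnMan: it flags WPA-Enterprise network blocks that set `ca_cert` without a server name check or a `hash://server/sha256/` pin, and the sample config, SSIDs, paths and host names in it are constructed.

```python
import re

# Constructed sample config: SSIDs, paths and host names are made up.
SAMPLE_CONF = '''
network={
    ssid="campus-ca-only"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/public-ca.pem"
}
network={
    ssid="campus-name-checked"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/public-ca.pem"
    domain_suffix_match="radius.example.org"
}
network={
    ssid="home"
    psk="not-a-real-passphrase"
}
'''
# wpa_supplicant fields that tie the server certificate to a name.
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one {field: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines() if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Map ssid -> finding for each WPA-Enterprise (EAP) network block."""
    findings = {}
    for net in parse_networks(text):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # blocks without an EAP key_mgmt (e.g. PSK) are out of scope
        ca = net.get("ca_cert", "")
        if not ca:
            result = "no-ca"      # server certificate is not validated at all
        elif ca.startswith("hash://server/sha256/") or any(net.get(k) for k in NAME_CHECKS):
            result = "ok"         # pinned by hash, or CA plus a name check
        else:
            result = "ca-only"    # any certificate from this CA is accepted
        findings[net.get("ssid", "?")] = result
    return findings

if __name__ == "__main__":
    for ssid, result in audit(SAMPLE_CONF).items():
        print(f"{ssid}: {result}")
```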