All right, welcome back to the Wireless Village. If you are standing, you're doing it wrong. Come in, sit down, take a seat, play a game, watch these two guys talk. I'm gonna give an introduction for these two because, I don't know, I just think it's really worth it. We've actually had a relationship with Basim. Basim, we've had a relationship with him for about three years now. We accepted his talk, and then he had some visa problems. And then we didn't accept his talk, and he came by and brought us Turkish delight, and since then, he doesn't know it, but his nickname is now Turkish Delight. This year we decided to give him another chance. He kept submitting, and we decided we like his talks. We allowed him to come back, and he even brought his friend, who is now apparently a cowboy. So, Two-Sunglass Cowboy and Turkish Delight, everybody!

Hi everyone. Welcome to our talk. Back side, can you hear me? Yes? Okay, thanks. Today we will talk about edu-driving, and we will focus on a few pieces of information about eduroam networks. But firstly I want to say we love Wi-Fi hackers, always. I am working as a security engineer at Barricade Cyber Security in Turkey, and I am working at training site in all fancified. Before then I attended Black Hat Arsenal a lot of times, and I wrote a book about wireless attack, monitoring and defense. But the language is Turkish. If you want to learn secret information from my book, you should learn Turkish. And I developed a tool, the name of the tool is Wi-Fi Hunter, and it can detect Wi-Fi Pineapple activities and Karma attack activities, and can detect and block malicious wireless network activities.

So today we will focus on eduroam: general information, misconfiguration and mislead, gathering student information, and tracking students and academic staff with eduroam requests. We will explain something about threats in eduroam and for eduroam users. We collected some information, and we will show how to hack eduroam users with the collected information.
Before we start: did anyone ever use an eduroam network before? Yes. Oh, oh. All right, all right, you should turn off your phone.

The eduroam initiative started in 2003 with six countries. The technology behind eduroam is based on the IEEE 802.1X standard and a hierarchy of RADIUS proxy servers. It is used by students, academics and university guests. Here is a better view of how eduroam started and expanded throughout the years. Right now eduroam is accessible worldwide.

So let's talk about the problem in eduroam networks. Each country in each region has its own provider. In Turkey the provider explained how universities should set up their internal network and how clients should connect to their eduroam network. As you can see on the picture, this is Turkish. Note that it says, to be able to connect to the network, the client needs to use SecureW2 software. But in our research we noticed that some universities don't apply that. With Google dorks we can identify which universities use PAP in phase 2 authentication, and as you know, PAP in phase 2 authentication is not secure because it transmits the username and password as clear text.

Here are some examples of how misconfigurations are shared on university websites. The problem is, even though you could set the config in an advanced way, it's set to low security. When we asked some experts, they said it is to be usable across all smartphones on the eduroam network. The information that is shared on the website is so useful to an attacker because it contains the pattern of the system: if you catch one person, you can guess the others. So here is the look of the internal configuration of the RADIUS server. As you can see, PAP is there in the RADIUS server's internal configuration.

The second problem that I, and other eduroam users, encountered is that the auto-login feature is advised directly, and it forced me, and forces other eduroam users, to connect with auto-login. There are many students with different backgrounds; some know security and some don't.
Some are computer geeks, some are not, and because of usefulness and ease, most people choose to enable auto-login, because when you want to connect to the eduroam network it is very difficult. So people select the auto-connect option.

Now we are talking about how to track eduroam users. So before we start on this topic, we shall inform you that this information and this research, these activities, are being done for our research. So no malicious intent is involved, and we will only share anonymous information. No users are informed, no passwords are included. So this is done just for the research.

Yes. This is a normal probe request, and now we will compare a normal probe request and an EAP identity request, and we will explain how to track eduroam users. A normal probe request, as you know, is sent with just my client MAC address as the source, and you can see SSID information in the probe request. Our devices cannot think location-based, so they always send probe requests to the environment to connect to the network. If there is a hacker in the environment, they collect all probe requests and obtain some information, like MAC addresses and who wants to connect to
SSID. Okay.

And in an EAP identity request, as you see, we can obtain just the username, sometimes with the surname and sometimes with the domain name. So when we obtain the user info, this is the EAP identity in eduroam networks, and we can obtain a lot of information about eduroam users with this request: email, username or student ID, student or staff, university and website, country and city. We can obtain all this information from a student's request in eduroam networks.

This is an analysis of my email that the university gave me. Here we can see it identifies me as a student and gives my username, which contains my first and last name. And thanks to it for not forgetting to put dots to clarify where my name and surname start.

Let's see another example, which is Oxford University, on-site example. We can identify the department with the EAP identity request. As you see, you can see department information in the EAP identity. If you want to know a special and unique university email pattern, you just Google and find it. Here we see a different form of classification. You can find it with a Google dork and on the university website.

Yeah, are there any Black Hat officials here? All right. We didn't intentionally type Black Hat smaller. So, just informing you of that. And now DEF CON. Yes. I used techniques for tracking students and academics over eduroam with eduroam identity requests, and we did research at Black Hat and DEF CON and collected a lot of information about students and academics, and we found approximately 15, 50 different universities at DEF CON and Black Hat.

And by the way, this is just a unique list. So yes, some students come from the same university, like two students, three students. So we just filtered it and showed you only the unique universities. So some universities have one student here, some have three students. And we are always filtering the information. So we didn't catch the passwords.
So we saw it, but we didn't write it down. So I just want to clarify that.

Yes, and now I want to show a picture about tracking students. If you ask yourself how to collect information about eduroam users, this is the answer. And if you use an extra GPS tracker for tracking users' GPS-based location, you can use some devices. We can collect information about location, email, username, ID, university name, city and country, and device type from manufacturer information. As you know, the same as in a probe request, you can collect MAC addresses and resolve the first 24 bytes of the MAC address, and you can find the manufacturer information. Okay, thanks. Now, Legendary, go on.

Hi again. My name is Najar; my nickname goes with Legendary Najar. I work in the same company as Basim, at Barricade Cyber Security, and I am just a geek. I am just new in the field, and yeah, I work a lot to raise my potential and try to learn as many things as possible. I don't like SQL, I hate it. Yeah, and I like MMORPGs, Black Desert Online. So yeah.

So basically, we remind you again: when we obtained the information, the EAP identity, we saw the username, right? So before the @, that clarifies who is the student or the staff. Some universities use the student's name or staff name, some universities use school numbers, and we found in Turkey that some universities show, sometimes, the social security number as well. So that's the most important thing about this. So even if you don't catch the password, which is not our main idea here, this is very critical information.

So with that information we can use a Google dork to find if a university shared anything about this. And if there is a username or specific name, we can Google it and find their social accounts, and then things happen. So we noticed in our research that students are likely to use the same passwords on their social accounts as well.
So our applications were only done in Turkey. So we didn't do anything in the US, if any feds are around here. So yeah.

So in our example, we just Google dork. As you see, there is a link that is shared by the university, so we can identify, sometimes, the user's school number, or if we don't have the name, we just research the school number and we find the person's name. So, basic Google dork, open source intelligence. We find our target, and we are testing the passwords on their social accounts, and yeah, it usually worked. And let's say, we use a VPN for precaution, and LinkedIn and Instagram catch us, like, they said this is very suspicious. So they didn't let us in, but we can verify that they didn't say, oh, the password is wrong. So yeah.

So when we can do this in an automatic way, we can create a map, like some other tools that are used to research on the internet. So in eduroam we have the emails, the username, sometimes the school numbers, and when we collect it all we can connect all the students with each other. For example, on this map, the students on the top, north and west, they share the same city. They are from the same city, but they are not at the same university. So you can identify this, or if they are at the same university but not from the same city, you can identify this and create a map of students and staff.

And we didn't input this, but I want to mention that if your password is caught, especially for the staff members like professors, it's very critical, because you are likely to share your papers with each other, maybe with colleagues in your same university or colleagues at separate universities. So when what you do is not public research, malicious people can catch that from your email, because what we noticed is that university emails don't do a security check. For example, when I try to log in to Gmail with a VPN, it says, oh, this looks suspicious. But university mails don't say that, so I can easily log in if I catch your password. And then I can do whatever I want.
So I can find where you write, to whom you speak, and if there is a PDF file attached in your mails, I can download it. And for more, I can use your email for phishing. So yeah.

So when we want to create a profile of the eduroam user, we can analyze their passwords as well, because some universities use a classical pattern. For instance, in my university, they just gave me a random pattern number, and every student has that. So when I collect all of them, I can create a rule, for example a hashcat rule, and run it. And imagine that, like I mentioned before, they use the same password on social accounts and other email accounts like Gmail and Outlook, and forums as well. Maybe student forums, maybe business forums or gaming forums, doesn't matter. And yeah, gaming accounts and streaming platforms like Twitch or Mix.

And the other critical part is that your eduroam account is synced with your school account. So when you want to connect to eduroam, you use your school account as well. So it is the same. So when I catch your password and username from the eduroam EAP identity, I now have all your school portal connections. For example, like I mentioned, email, but maybe you have staff-specific portals as well. So I can access that if you are an important member of the school. So yeah, when I have the password, the same password is applied everywhere on the campus. So this is very critical as well.

And if you have Active Directory in your school domain, yeah, I can easily access it, because some professors have, like, the whole day, Windows desktops or machines in their room, and bring a Mac maybe with them and do RDP. So if your machine has an RDP port open, I can connect to it, and yeah, maybe at home as well. So the threat is everywhere.
So, like I said before, every university has different rules, different setups. And for example, we found this on the internet, on their webpage. They are saying that with your account you can access the internet, log into your labs and print something, yeah, emails and other possible connection devices. And here it says it, to clarify that it is officially said to the members. We are not saying this on our own. It is officially shared by the universities with students.

And here you can see that they have a specific internal wireless network called IIT secure. So it's not called eduroam, but it is used with the same ID and password, and they say use eduroam if you go to a foreign university or another university to access the internet. But this shows that the same ID and password is being used. And here you can see they are warning about this as well, like, don't use eduroam in your own university.

So, the other threats might be: if I open an access point that you connected to, I can do DNS hijacking with your same authentication when we try to catch it. For instance, when I access your student portal, I can change your lecture registration at registration time, so I can mess up your academic life and schedules. And if I catch a staff member and if it is exam time, I can change students' exam notes, maybe. So yeah, it is very critical if you think like this.

And if I want to use a persistent technique, I would rather choose to not show myself. So I will stay in the ghost and follow your emails, read your emails, and follow what other staff members and students do. So this is a critical thing, because I can include this with automatic tools in my edu-driving map. So if your university doesn't put a security option on login, I can write an automatic tool and do this on its own, so nobody will detect it. And here are some examples. For instance, I accessed a friend of mine.
Yeah, but Google said, yeah, you need to show something. But this example is a very critical one to show the weakness. Some universities in Turkey use Gmail as a business portal. So this student never put a security option. So it just said here "Tamamlandi", which means it is completed. So when I clicked it, I just reached the mails. So there is no security behind it, even though they use Gmail, because students don't care about their security. And yeah.

This is an Instagram attempt. As it says, "we detected an unusual login". So it prevents it and wants me to verify myself. And what we did is, after we, for example, found this person, we then did open source intelligence research on the internet and found the person's real Gmail address. We could access it with the same password, but it says again, you need to verify yourself. And as you see, there is, as the first option, "tap yes on your mobile phone or tablet". And for the prank I always just sent this option and waited to see if the user might click yes. But he never did. So yeah.

And another thing, on the business side: students, maybe nerds like myself, don't usually care about LinkedIn, but some other departments or students care. So yeah, it is a very critical social platform as well, for official business deals, like business talks. And yeah, we could access LinkedIn with the same password as well. But like I said, LinkedIn, yeah, blocked us as well.

And this is another very critical thing, as I said: student portals. So we accessed a student portal, and there was a student picture as well. Some portals don't show it, but some portals show it, so it is very important information for a malicious person. So I blurred the critical places, like the picture as well, but yeah, to prove it,
I put it here. And it is very critical, as you see: there are school numbers, your social number as well, what major you have. I have all the critical personal information to identify you: who you are, what you are, what you're doing, etc.

Yeah, as I mentioned before, what can you do more? Like I said, in-progress academic papers, etc. And maybe if I am too malicious, I can release ransomware with phishing. Or if there is a weak point on the network when I try to use RDP, and if Windows has a leak, I can share my ransomware on the network, like WannaCry. So internal security and external security are very important in universities, but we see they do not apply them most of the time.

And our recommendation is: do not use eduroam. But basically, we would like to remind you, never check this auto-connection setting, because it shares probe requests all the time and leaks your data. If it is a normal personal wireless network, maybe it is not that important. It is still important, but not critical like this. But if you use an enterprise network like eduroam, please always disable the automatic login, because it shares all your information. And trust me, because of this misconfiguration it is possible to catch your school passwords all the time. So it is because of the misconfiguration.

So if you are a staff member in your university, please ask your university to change their second phase of authentication from PAP to MS-CHAP version 2, maybe. Yeah, PAP is the weak point. So ask them to change, because, yeah, it is always recommended, but we don't recommend it.

And furthermore, we are in progress on creating our mapping tool, just for research. It will just record the person's username, maybe, or email, just no passwords. Maybe we can put it as optional, we haven't decided yet, but we will share our tool in the future in this repository. So, thanks for listening.
Mohammed, sir. Yeah, thanks.

I want to share another threat before game over. If you create a fake access point with hostapd or hostapd-mana or other tools, you can collect information. And users always use PAP, and you can catch the password, and you can collect email addresses. If you collect email addresses, you can send phishing to spray malware or something else.

Thank you so much. Thank you. Don't use eduroam networks. And learn Turkish to learn secret information.