UNLV’s New SecureW2 WiFi Feature Spies on You (Linux, Mac, iPhone, Windows, Android)

It submits your device’s forensically identifiable information without your permission

Linux users beware, although almost all UNLV students should be aware: UNLV’s new Eduroam SecureW2 Wi-Fi system, meant to replace the UNLV-Secure WPA2-MGT network, is secretly submitting your personally identifiable information to SecureW2.com’s cloud:

https://cloud.securew2.com/login?1

I’ll try my best to break it down for technically uncertain folks.

Device ID numbers such as your MAC address and the UUIDs of your hard disks are what tie your device uniquely to YOU, like a fingerprint. If you were caught hacking on UNLV’s network, they could instantly trace it back to you if you failed to change your MAC address. If your hard disk were confiscated, the collected UUID could be used against you in court.

It also attempts to pull your wireless card’s permanent MAC address and report it in the XML files that are exported in encrypted and encoded form, base64 over SHA1. In other words, your REAL burned-in MAC address. If you used MacChanger or manually changed the address yourself, you will NOT be able to connect again.

[Screenshot: enumeratesWIFIMACAddresses]

It then encrypts the data using the outdated SHA1 algorithm and remotely sends it to

http://schemas.securew2.com/paladinRequest

It pulls your unique laptop device ID, which forensically ties your Wi-Fi device directly to you, and then hashes it with a six-digit key produced by urandom(6).

[Screenshot: getsDeviceUUIDsMacAddrsAndEncryptsThemSHA1]
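As an added audit script (not code from the post or from SecureW2), this reproduces on Linux the two steps described above so you can see on your own machine what would be reported: it reads the wireless card’s current and permanent MAC address, tells you whether the address in use is a spoofed one, and applies the SHA-1-then-base64 encoding with a six-byte urandom salt. Reading the burned-in address via ‘ethtool -P’ and the salt||identifier concatenation order are assumptions.

```python
"""Audit helper: what does the installer's MAC collection see on this box?"""
import base64
import hashlib
import os
import re
import subprocess
from pathlib import Path
from typing import Optional

# `ethtool -P <iface>` prints a line such as "Permanent address: 00:11:22:33:44:55"
ETHTOOL_PERM_RE = re.compile(r"Permanent address:\s*([0-9a-f:]{17})", re.I)


def parse_permanent_mac(ethtool_output: str) -> Optional[str]:
    """Extract the burned-in MAC from ethtool output; None if not reported."""
    m = ETHTOOL_PERM_RE.search(ethtool_output)
    return m.group(1).lower() if m else None


def current_mac(iface: str) -> Optional[str]:
    """The address currently in use (what macchanger or NetworkManager set)."""
    p = Path(f"/sys/class/net/{iface}/address")
    return p.read_text().strip().lower() if p.exists() else None


def permanent_mac(iface: str) -> Optional[str]:
    """The hardware address, read with ethtool (assumption: ethtool is installed)."""
    try:
        proc = subprocess.run(["ethtool", "-P", iface], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_permanent_mac(proc.stdout)


def mac_is_spoofed(current: Optional[str], permanent: Optional[str]) -> bool:
    """True when the address in use differs from the burned-in one."""
    # Some drivers report an all-zero permanent address; treat that as unknown.
    return bool(current and permanent and permanent != "00:00:00:00:00:00"
                and current != permanent)


def encode_identifier(identifier: str, salt: bytes) -> str:
    """SHA-1 over salt||identifier, then base64: the form the post reports."""
    digest = hashlib.sha1(salt + identifier.encode()).digest()
    return base64.b64encode(digest).decode()


def audit(iface: str = "wlan0") -> dict:
    cur, perm = current_mac(iface), permanent_mac(iface)
    salt = os.urandom(6)  # the six-byte key the post mentions
    return {"current": cur, "permanent": perm, "spoofed": mac_is_spoofed(cur, perm),
            "reported_value": encode_identifier(perm, salt) if perm else None}


if __name__ == "__main__":
    print(audit())
```

Run it as `python3 audit.py` with your wireless interface name passed to `audit()`; if ‘spoofed’ is True, the value uploaded is derived from the permanent address, not the one you set.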

Fortunately, the program failed to run to completion and left behind a paper trail showing that it collected MY information but failed to submit it.

After what I assumed was a safe and honest implementation of WPA2-MGT and eduroam mobile hotspots, I discovered some incriminating things:

1. Enumeration of your unique device identifiers, both NIC MAC addresses and hard disk UUIDs

2. A static PEM public certificate weakly encrypted via SHA1 and Base64 encoding

3. A broken actions.py module with a poorly designed ActionFactory Class Object

4. A C/Cython binary that holds the key methods implementing the decryption of the asymmetric key, storing values at critical memory offsets.

The .run file is a shell-script wrapper combined with Python modules compressed into mislabeled tarballs and a single compiled binary, in which the developers forgot to obfuscate the name of a critical function.

As you can see, the Linux version enumerates your exact Linux version and kernel information using the ‘uname -a’ command.

[Screenshot: collectsUserHostnameAndLinuxVersion]

After dissecting the SecureW2.run file into:

1. Shell script
2. Binary compiled in C/Cython with the ELF headers removed
3. Multiple Python modules

I located these interesting options:

[Screenshot: collectsUserIdentityOpts]

Here is what it is about to submit to the Paladin SecureW2 cloud:

[Screenshot: mightasWellBanMe]

Among the things it collects is your operating system information: family, exact build version, and architecture.

OIT has done a disservice to UNLV’s student body by endangering the public with the collection of personal forensic identifiers and by recklessly sharing a single credential that can be extracted by anyone who can use binwalk, tar, and grep.

All in all, I consider this a foolish display of non-utilitarian design.

To rip it apart the way I did to uncover this…

strings Secure*.run -n 10
binwalk -AB SecureW2_JoinNow.run
binwalk -E SecureW2_JoinNow.run
binwalk --dd='.*' Secure*.run
cd _SecureW2_JoinNow.run.extracted/
file 0
chmod 400 -R ./
strings 0 -n 10
gzip -d SecureW2_JoinNow.tar.gz
mkdir tar
mv SecureW2_JoinNow.tar tar && cd tar/
gzip -d SecureW2_JoinNow.tar.gz
tar -xf Sec*.tar


This is what the encrypted SHA1-over-base64 encoded output looks like:

[Screenshot: base64SHA1Output]

[Screenshot: reportsOSArchBuild]

The exact IP address doesn’t matter unless it is used outside of UNLV, as Eduroam is a “mobile hotspot”. Otherwise, you’ll get a generic local IP address inside their IPsec VPN set in transport mode, and you’ll have a public IP in 131.216.0.0/16.

Hybrid-Analysis’s report on a University of Maryland equivalent

Interestingly, Hybrid-Analysis’s free online dynamic analysis engine reports a U of M equivalent as malware.

https://www.hybrid-analysis.com/sample/ed66cb71710490da357e7a7fb423cc8aa5b9cd8fc6f80bdc80147fff1dd8ad9e?environmentId=100
