It submits your device’s forensically identifiable information without your permission
Linux users beware, although almost all UNLV students should be aware of this: UNLV’s new Eduroam SecureW2 Wi-Fi system, meant to replace UNLV-Secure’s WPA2-MGT network, is secretly submitting your personally identifiable information to the cloud for SecureW2.com.
I’ll try my best to break it down for less technical folks.
Device ID numbers, such as your MAC address and the UUIDs of your hard disks, are what tie your device uniquely to YOU, like a fingerprint. If you were caught hacking at UNLV’s network, they could instantly trace it back to you if you failed to change your MAC address. In the event that your hard disk is confiscated, that collected UUID is used against you in court.
It also attempts to pull your wireless card’s permanent MAC address and then report it in the XML files that are being exported in encrypted and encoded form, base64 over SHA1. In other words, your REAL burned-in MAC address. If you used MacChanger or manually changed the address yourself, you will NOT be able to connect again.
Then encrypts the data using the outdated SHA1 algorithm and then remotely sends it to
It pulls your unique laptop device ID, which forensically ties your Wi-Fi device directly to you, and then hashes it with a six-digit key using urandom(6).
Fortunately, the program failed to run completely and left behind a paper trail that showed it collected MY information but failed to submit it.
After what I assumed was a safe and honest way of implementing WPA2-MGT and eduroam mobile hotspots, I discovered some incriminating things.
1. Enumeration of your unique device identifiers, both NIC MAC addresses and hard disk UUIDs
2. A static PEM public certificate weakly encrypted via SHA1 and Base64 encoding
3. A broken actions.py module with a poorly designed ActionFactory Class Object
4. A C/Cython binary that holds key methods for decrypting the asymmetric key, and which stores values in critical memory offsets
The .run file is a shell script wrapper combined with Python methods compressed into mislabeled tarballs and a single compiled binary, in which the developers forgot to obfuscate the name of a critical function.
As you can see, the Linux version enumerates your exact Linux version and kernel information using the ‘uname -a’ command.
After dissecting the SecureW2.run file into a...
1. Shell script
2. Binary compiled in C/Cython with the ELF headers removed
3. Multiple Python modules
I located these interesting options
Here is what it is about to submit to the Paladin SecureW2 Cloud.
Among the things it collects are your operating system information, family, exact build version, and architecture.
OIT has done a disservice to UNLV’s Student Body by endangering the public with collection of personal forensic identifiers and recklessly sharing a single credential that can be extracted by anyone who can use binwalk, tar, and grep.
In all I consider this a foolish display of non-utilitarian design.
To rip it apart the way I did to uncover this…
    strings Secure*.run -n 10
    binwalk -AB SecureW2_JoinNow.run
    binwalk -E SecureW2_JoinNow.run
    binwalk --dd='.*' Secure*.run
    cd _SecureW2_JoinNow.run.extracted/
    file 0
    chmod 400 -R ./
    strings 0 -n 10
    gzip -d SecureW2_JoinNow.tar.gz
    mkdir tar
    mv SecureW2_JoinNow.tar tar && cd tar/
    gzip -d SecureW2_JoinNow.tar.gz
    tar -xf Sec*.tar
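Once the archive is unpacked, the extracted Python modules can be triaged for the kinds of collection listed earlier (OS fingerprint, MAC address, disk UUIDs, hashing and encoding). The following is an added example, not code from the installer or from the original post; the indicator patterns, the function names and the sample module are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed indicator patterns (not taken from the installer's code), grouped by
# the kinds of collection the post describes.
INDICATORS = {
    "os_fingerprint": re.compile(r"uname\s+-a|platform\.(uname|release|machine)\("),
    "mac_address": re.compile(r"/sys/class/net/|ethtool\s+-P|uuid\.getnode\("),
    "disk_uuid": re.compile(r"/dev/disk/by-uuid|\bblkid\b"),
    "hash_or_encode": re.compile(r"hashlib\.sha1|b64encode|os\.urandom|\burandom\("),
}

def scan_tree(root):
    """Return (relative path, line number, category) hits for *.py files under root."""
    hits = []
    for path in sorted(Path(root).rglob("*.py")):
        text = path.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for category, pattern in INDICATORS.items():
                if pattern.search(line):
                    hits.append((str(path.relative_to(root)), lineno, category))
    return hits

def summarize(hits):
    """Count hits per category so the heaviest collectors stand out."""
    counts = {}
    for _, _, category in hits:
        counts[category] = counts.get(category, 0) + 1
    return counts

# Constructed sample module standing in for one extracted file.
SAMPLE = '''import os, hashlib, base64, subprocess
info = subprocess.check_output(["sh", "-c", "uname -a"])
mac = open("/sys/class/net/wlan0/address").read().strip()
disks = os.listdir("/dev/disk/by-uuid")
blob = base64.b64encode(hashlib.sha1(mac.encode() + os.urandom(6)).digest())
'''

def demo():
    """Write the constructed sample to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "sample_module.py").write_text(SAMPLE)
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, lineno, category in demo():
        print(f"{rel}:{lineno}: {category}")
```

To run it against a real extraction, call `scan_tree()` on the directory produced by the `tar -xf` step; a hit only marks a line for manual review.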
This is what the encrypted SHA1 over base64 encoded output looks like
The exact IP address doesn’t matter unless it is used outside of UNLV, as Eduroam is a “mobile hotspot”. Otherwise, you’ll be getting a generic local IP address in their IPSec VPN set in transport mode, and you’ll have a public IP of 126.96.36.199/16
Hybrid-Analysis’s report on a University of Maryland Equivalent
Interestingly, Hybrid-Analysis’s free online dynamic analysis engine reports a U of M equivalent as malware.