Students uncover security flaw: backdoor TU Delft email traffic was wide open

The Rector Magnificus receiving an email from Mayor Marja van Bijsterveldt stating her intention to retract the permits for student associations with immediate effect. A student receiving a message from his Director of Education saying that he was expelled because of fraud, or a phishing email sent under the name of the Works Council.

Phishing
During a study project, a group of students discovered that they could connect to the server through which all of TU Delft’s incoming and outgoing email traffic goes without needing to supply their user names and passwords. This meant that they could send internal emails from any @tudelft.nl account and could send emails to people at TU Delft under the name of external contacts, as described in the examples above.

They did have to meet some conditions though. The students assumed that there had to be a link to the TU Delft network, and that Eduroam (the worldwide education wi-fi network) and the TU Delft guest network would permit access.

This meant that external individuals could also take advantage of the lack of authentication. This made the students concerned about large-scale phishing, a form of internet fraud in which criminals obtain personal information such as login details and credit card codes.

Serious concerns
The students immediately shared their findings and concerns with TU Delft’s IT management. In a response seen by Delta, the management wrote that the access was not an error, ‘but is part of the mail service’. “As if it is a normal feature,” said one of the students.

The group approached Delta to push for a solution. They had grave concerns that both internal and external individuals could misuse this security error. This could be in the form of phishing or malicious jokes. “Just think about a first year student receiving an email that he is expelled. There is no end to what could be done.”

It is a reminder of a previous fraudulent activity in which criminals tried to order robot vacuum cleaners and iPads to the tune of EUR 200,000. This incident may have failed, but the group fear that a security leak in TU Delft’s email traffic may leave the back door wide open for other attackers.

Sanctions
The group prefers to remain anonymous for fear of sanctions by TU Delft. Delta has contact with one of them whose name is known to the Editorial Office. IT Director Erik Scherff and Chief Information Security Officer Jérôme Zijderveld are adamant that sanctions are completely out of the question, quite the contrary.

‘The alertness and proactive involvement of the students emphasise the importance of a joint approach to the security of our digital environment’, they write in an email. ‘To safeguard the security and integrity of our digital systems, we invite students and staff members to take an active role in this process. We have a responsible disclosure policy to report any vulnerabilities.’

‘We value the direct reporting by the students and regret the fact that the report was not acted upon sufficiently. It should have been handled differently and we will pay extra attention to this in the future.’

Risk limitation
According to the IT management, the vulnerability had arisen in the ‘distant past’. ‘This makes it possible to send emails from systems such as research centres.’ They say that there is no evidence that it was misused.

The forthcoming email migration to Microsoft 365 will solve the vulnerability permanently. Until then, IT has taken unspecified measures to mitigate the risk of misuse. For security reasons, Delta waited almost two weeks before publishing this article. Students confirm that it is indeed no longer possible to send emails in someone else’s name.