It turns out, that was exactly what I had done on my Chromebook. I had connected it to the 802.1x network without validating any certificates.
I don't know how to install a new certificate into a Chromebook and neither, apparently does DigiCert. Their page on How to Install an SSL Certificate covers everything but.
Fortunately, I was able to discuss this with Luiz Eduardo who ran the DEF CON NOC (Network Information Center). In English, this means he ran the DEF CON network, heading up a team of about a dozen volunteers.
Eduardo has been going to DEF CON since 2001. In the beginning, he said, there was a single open network built with ad-hoc consumer equipment. At some point, the conference needed to get serious about its network and they purchased professional equipment. DEF CON 23 employed about 50 Aruba Access Points and the network was run by an Aruba 7210 controller. This was the third year that Eduardo headed up the networking group.
This years Wi-Fi certificate problem stemmed from the fact that their RADIUS server had its certificate signed by DigiCert (in prior years DEF CON had used a different Certificate Authority). For some reason, Android devices could not validate the certificate. At first, Eduardo's team offered instructions for installing both a root certificate for DigiCert and the RADIUS server certificate but, in the end, they couldn't get this working on Android.
After the conference, I found that an Android 4.4.2 device had three certificates for DigiCert in its root store (Settings -> Security -> Trusted Credentials) and an Android 5.1 device had eight (same click trail). According to their website, DigiCert has 10 root certificates.
I asked Google about this and received no response. DigiCert acknowledged my emails, but has not offered an explanation about what went wrong.
My Chromebook was able to get on the WPA2-Enterprise network only when it was configured to bypass certificate checking. The danger in that, Eduardo explained, was that I might connect to an evil twin network. With all the WiFi Pineapples around, this was not a good idea.
Just as with HTTPS, the certificate provided by the RADIUS server, lets a Wi-Fi client validate the identity of the server. Without this validation, a DEFCON attendee can create a Wi-Fi network, give it the same name as the secure network, and trick someone into connecting to it. WPA2 would still be providing over-the-air encryption, but that would be meaningless while connected to a malicious network.
WPA2-Enterprise networks can only defend against evil twins if the client is configured correctly. My Chromebook was not.
The best defense is turning off Wi-Fi when not in use. After spending a week at security conferences, I will never leave home with Wi-Fi enabled on any device I'm carrying.
Next time, the main defensive tactic that Eduardo and his team employed to protect the DEF CON network.
Sign up for CIO Asia eNewsletters.