The Key Reinstallation Attack (KRACK) vulnerability was recently announced; its key exploit allows the decryption of WPA2-protected messages. This may expose wireless clients to further attacks on the security and integrity of their browsing traffic.
KRACK is an attack against Wi-Fi infrastructure and clients, rather than against a specific wireless network. This means that eduroam is no more or less affected than any other Wi-Fi network, and there is nothing you need to specifically do for eduroam that you wouldn’t already need to do for any other Wi-Fi network.
While there are no reports of this being actively exploited, the upside is that this is not a remote attack: it can only be carried out within radio range of vulnerable access points and clients. This is not a service-affecting issue; the eduroam authentication infrastructure will continue to function normally, and your login credentials (username/password or certificate) continue to be securely transmitted.
Legacy WPA and TKIP networks continue to be deprecated for a multitude of reasons, and you shouldn’t re-enable them: doing so is not a solution to this problem and will cause issues. The current best practice is, and remains, WPA2 + AES-CCMP.
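The guidance above (WPA2 with AES-CCMP only, no legacy WPA or TKIP) can be checked mechanically on an access point. The script below is an added example and not part of the eduroam advisory; it assumes a hostapd-style key=value configuration (the wpa=, wpa_pairwise= and rsn_pairwise= keys) and the sample configs it writes are constructed for illustration.

```shell
#!/bin/sh
# Audit a hostapd-style config for the deprecated settings the advisory
# says not to re-enable. Assumed syntax (hostapd): wpa=1|2|3 where bit 1
# enables legacy WPA and bit 2 enables WPA2; wpa_pairwise / rsn_pairwise
# hold a space-separated cipher list (CCMP, TKIP). rsn_pairwise falls back
# to wpa_pairwise when unset, as hostapd does.

# check_wpa_config FILE: prints findings; returns 0 only for WPA2 + CCMP only.
check_wpa_config() {
    file="$1"
    rc=0
    wpa=$(sed -n 's/^[[:space:]]*wpa=\([0-9]*\).*/\1/p' "$file" | tail -n 1)
    wpa_pairwise=$(sed -n 's/^[[:space:]]*wpa_pairwise=\(.*\)/\1/p' "$file" | tail -n 1)
    rsn_pairwise=$(sed -n 's/^[[:space:]]*rsn_pairwise=\(.*\)/\1/p' "$file" | tail -n 1)

    # Legacy WPA (bit 1) must be off and WPA2 (bit 2) must be on.
    case "${wpa:-0}" in
        1|3) echo "WEAK: wpa=$wpa enables legacy WPA"; rc=1 ;;
        2)   ;;
        *)   echo "WEAK: wpa=${wpa:-unset}: WPA2 not enabled"; rc=1 ;;
    esac
    # TKIP must not appear in either cipher list.
    for v in "$wpa_pairwise" "$rsn_pairwise"; do
        case " $v " in
            *" TKIP "*) echo "WEAK: TKIP cipher allowed ($v)"; rc=1 ;;
        esac
    done
    # CCMP must be the WPA2 (RSN) pairwise cipher.
    case " ${rsn_pairwise:-$wpa_pairwise} " in
        *" CCMP "*) ;;
        *) echo "WEAK: CCMP not configured as pairwise cipher"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: WPA2 with AES-CCMP only"
    return "$rc"
}

# Constructed sample configs (not real eduroam settings) for a stand-alone run.
demo_dir=$(mktemp -d)
printf 'ssid=example\nwpa=3\nwpa_pairwise=TKIP CCMP\n' > "$demo_dir/weak.conf"
printf 'ssid=example\nwpa=2\nwpa_pairwise=CCMP\nrsn_pairwise=CCMP\n' > "$demo_dir/good.conf"
check_wpa_config "$demo_dir/weak.conf" || :   # reports legacy WPA and TKIP
check_wpa_config "$demo_dir/good.conf" || :   # reports OK
```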
Additional information on this vulnerability can be found at SANS and Mojo Networks. Thanks to SURFnet, AARNet and TENET for information used in creating this advisory.