WPA3 Wi-Fi Security Update
The first Wi-Fi Protected Access (WPA) standard was released in 2003. Now the Wi-Fi Alliance has introduced a major security improvement to Wi-Fi called WPA3, the first new version in 14 years. The new security measures aim to protect simple passwords, provide individualized encryption for personal and open networks, and strengthen encryption for enterprise networks.
Wi-Fi Alliance & Wi-Fi Protected Access 3
- WPA3-Personal offers more individualized encryption.
- WPA3-Enterprise boosts cryptographic strength for networks that transmit sensitive data.
Along with these two modes, the Wi-Fi Alliance also revealed two other features: Wi-Fi Easy Connect and Wi-Fi Enhanced Open.
- Wi-Fi Easy Connect is meant to simplify the process of pairing Wi-Fi devices without displays.
- Wi-Fi Enhanced Open allows seamless encryption on open Wi-Fi hotspot networks.
Overall, the WPA3 Wi-Fi security standard covers WPA2 shortcomings.
The WPA2 protocol patched some of the original WPA security holes by replacing WPA's Temporal Key Integrity Protocol (TKIP) with the Advanced Encryption Standard (AES). However, WPA2 had vulnerabilities, too:
- The WPA2-Personal passphrase can be cracked by guessing passwords over and over until a match is found.
- Hackers could perform these password-guessing attempts off-site.
- Hackers could decrypt captured data.
- On business networks, users could snoop on other users' network traffic and perform attacks.
- Anyone with the right tools could snoop on users connected to public Wi-Fi hotspots.
These snooping acts are passive, such as monitoring which websites users visit or capturing secured email login credentials. Active attacks, such as session hijacking, allow hackers to gain access to a user's website login.
WPA3 uses Simultaneous Authentication of Equals (SAE) to replace the Pre-Shared Key (PSK) authentication method used previously. This update improves general Wi-Fi encryption and makes it difficult for hackers to crack simple passwords with off-site, brute-force and dictionary-based attempts, as they could with WPA/WPA2.
A best practice is to avoid simple, easy-to-guess passwords. While WPA3 offers better security, there is still a risk when using a simple password.
Another improvement is that with WPA3-Personal, users cannot snoop on another user's traffic even when they have the Wi-Fi password and a successful connection to the network. Likewise, users cannot passively observe or decrypt data, as they could with WPA2.
The WPA3-Enterprise certification offers 192-bit security for added protection. The feature is aimed at groups such as government entities, large corporations, and other highly secure environments. WPA2-Enterprise protected against user-to-user snooping with a RADIUS server or cloud service, and WPA3-Enterprise will also likely require updates to the EAP server component of the RADIUS server.
Wi-Fi Easy Connect
This feature is optional, but it is likely to be associated with WPA3-Personal devices. Easy Connect is designed to make connecting display-less and IoT devices to Wi-Fi easier. Similar to Wi-Fi Protected Setup (WPS), Wi-Fi Easy Connect will likely include a button method, but also methods like scanning a QR code with a smartphone to securely connect a device.
Wi-Fi Enhanced Open
Enhanced Open is optional and not officially a part of WPA3. However, it will likely be a part of products at the same time as WPA3.
The Enhanced Open feature allows encrypted Wi-Fi communications between the access point and individual clients. It is based on Opportunistic Wireless Encryption (OWE).
Other features include:
- Protected Management Frames to secure management traffic between the access point and user devices
- Prevents users from snooping on others' web traffic
- Prevents users from performing attacks
- Runs in the background, so users do not have to enter a password
While this feature is one of the Wi-Fi Alliance's most significant improvements, there are some limitations to consider:
- May give users a false sense of security
- Not a full security feature
- The user is not authenticated
- Users are more vulnerable than if connected to their private network at home
Things to consider:
- Any open network shares on a user device may still be open for other users to connect to
- Since this network is not password-protected, it cannot prevent fake honeypot networks
Device vendors and operating systems will have to decide how best to display the security capabilities of such open networks. For example, will they make it noticeable when a network has Wi-Fi Enhanced Open enabled? Some already do this and show a warning for open networks without any security, which lets users with a supported device recognize third-party networks, like public hotspots, that have the protection enabled.
How long will it take for WPA3 to take effect?
Widespread adoption of WPA3 could take years. By the end of 2018, some WPA3-supporting devices may begin to appear, but since the feature is still optional, the Wi-Fi Alliance may not make it mandatory for a few years.
Likewise, consumers and businesses may take a few years to buy into WPA3-supported devices.
There is no guarantee that vendors will release these software updates for existing devices, but it is possible.
Even if a user buys a WPA3-capable laptop or smartphone, the network must support WPA3 to obtain any of the security improvements. These devices could still connect to WPA2 networks, though.
- At home, a user has control of their own network.
- Businesses and enterprises may take a long time to adopt it because of the cost involved for larger networks.
- Security-conscious users who always use a VPN connection on public networks will likely need to keep doing so for a few years.
The WPA3-Personal certification provides a transition mode for gradual migration to a WPA3-Personal network by still allowing WPA2-Personal devices to connect.
However, users will not get the full benefits of WPA3-Personal until the network is in WPA3-only mode. At this point, the lost benefits and security impact of running in transition mode are unknown.
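The modes discussed above (WPA/TKIP and WPA2-PSK with their off-site guessing weakness, WPA3-Personal in SAE-only and transition mode, WPA3-Enterprise 192-bit, and Enhanced Open/OWE) map onto a handful of access-point settings. The following checker, an added example rather than code from the article or from the hostapd project, reads a hostapd-style configuration fragment, labels the mode it would run in, and flags the weak points the article describes: TKIP still enabled, a WPA2-only passphrase network, transition mode admitting WPA2 clients, Protected Management Frames not required, a 192-bit network without 192-bit ciphers, and the fact that OWE encrypts without authenticating the network. The option names used (`wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise`, `ieee80211w`, `group_mgmt_cipher`, `wpa_passphrase`, `sae_password`) are real hostapd options; the mode labels, finding codes and sample configurations are this example's own assumptions, and the passphrases are placeholders.

```python
"""Classify hostapd access-point configs by WPA/WPA2/WPA3 mode and flag weak settings.

Added example, not code from the article or from the hostapd project. The option
names (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, ieee80211w, sae_password,
wpa_passphrase, group_mgmt_cipher) are real hostapd options; the mode labels and
finding codes are this example's own. Sample configs below are constructed.
"""
from typing import Dict, List

EXPLANATIONS = {  # meaning of each finding code returned by audit()
    "TKIP_ALLOWED": "WPA/TKIP still enabled; only AES-based ciphers should be allowed.",
    "PSK_OFFLINE_GUESSING": "WPA2-PSK: a captured handshake can be guessed off-site; plan a move to SAE.",
    "TRANSITION_MODE": "WPA2 clients are still admitted; full WPA3 benefits only in SAE-only mode.",
    "PMF_DISABLED": "Protected Management Frames off; WPA3 and Enhanced Open require PMF.",
    "PMF_NOT_REQUIRED": "PMF only optional (ieee80211w=1); WPA3-only and OWE networks should require it (2).",
    "CIPHER_NOT_192": "192-bit mode needs rsn_pairwise=GCMP-256 and group_mgmt_cipher=BIP-GMAC-256.",
    "OWE_UNAUTHENTICATED": "OWE encrypts but does not authenticate the network; a look-alike hotspot is not prevented.",
    "NO_ENCRYPTION": "Open network: anyone in range can observe traffic; Enhanced Open (OWE) would encrypt it.",
}


def parse_hostapd(text: str) -> Dict[str, str]:
    """Read key=value lines; blank lines and '#' comments are skipped, later keys win."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def audit(text: str) -> Dict[str, object]:
    """Return the detected mode, the PMF setting and a list of finding codes."""
    cfg = parse_hostapd(text)
    akm = set(cfg.get("wpa_key_mgmt", "").split())  # authentication / key-management suites
    wpa = cfg.get("wpa", "0")                         # 0 open, 1 WPA, 2 WPA2/RSN, 3 both
    pmf = cfg.get("ieee80211w", "0")                  # 0 off, 1 optional, 2 required
    ciphers = set(cfg.get("wpa_pairwise", "").split()) | set(cfg.get("rsn_pairwise", "").split())
    findings: List[str] = []

    if "OWE" in akm:
        mode = "Enhanced Open (OWE)"
        findings.append("OWE_UNAUTHENTICATED")
    elif "WPA-EAP-SUITE-B-192" in akm:
        mode = "WPA3-Enterprise 192-bit"
        if "GCMP-256" not in ciphers or cfg.get("group_mgmt_cipher") != "BIP-GMAC-256":
            findings.append("CIPHER_NOT_192")
    elif "SAE" in akm and "WPA-PSK" in akm:
        mode = "WPA3-Personal transition"
        findings.append("TRANSITION_MODE")
    elif "SAE" in akm:
        mode = "WPA3-Personal only"
    elif "WPA-PSK" in akm:
        mode = "WPA2-Personal"
        findings.append("PSK_OFFLINE_GUESSING")
    elif wpa == "0":
        mode = "Open (no encryption)"
        findings.append("NO_ENCRYPTION")
    else:
        mode = "unclassified"

    # SAE and OWE are defined on top of Protected Management Frames.
    if mode.startswith(("WPA3", "Enhanced Open")):
        if pmf == "0":
            findings.append("PMF_DISABLED")
        elif pmf == "1" and mode != "WPA3-Personal transition":
            findings.append("PMF_NOT_REQUIRED")
    if wpa in ("1", "3") or "TKIP" in ciphers:
        findings.append("TKIP_ALLOWED")
    return {"mode": mode, "pmf": pmf, "findings": findings}


# Constructed sample configurations; "placeholder-pass" stands in for a real secret.
SAMPLES = {
    "legacy": "ssid=ExampleNet\nwpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP CCMP\nwpa_passphrase=placeholder-pass\n",
    "transition": "ssid=ExampleNet\nwpa=2\nwpa_key_mgmt=WPA-PSK SAE\nrsn_pairwise=CCMP\nieee80211w=1\n"
                  "wpa_passphrase=placeholder-pass\nsae_password=placeholder-pass\n",
    "wpa3_weak_pmf": "ssid=ExampleNet\nwpa=2\nwpa_key_mgmt=SAE\nrsn_pairwise=CCMP\nieee80211w=1\nsae_password=placeholder-pass\n",
    "wpa3_only": "ssid=ExampleNet\nwpa=2\nwpa_key_mgmt=SAE\nrsn_pairwise=CCMP\nieee80211w=2\nsae_password=placeholder-pass\n",
    "owe": "ssid=CafeOpen\nwpa=2\nwpa_key_mgmt=OWE\nrsn_pairwise=CCMP\nieee80211w=2\n",
    "suite_b": "ssid=CorpNet\nwpa=2\nwpa_key_mgmt=WPA-EAP-SUITE-B-192\nrsn_pairwise=GCMP-256\n"
               "group_mgmt_cipher=BIP-GMAC-256\nieee80211w=2\nieee8021x=1\n",
    "open": "ssid=CafeOpen\nwpa=0\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        result = audit(conf)
        print(f"{name:14} {result['mode']:26} PMF={result['pmf']}")
        for code in result["findings"]:
            print(f"    {code}: {EXPLANATIONS[code]}")
```

Running the script prints one line per sample with its mode and the findings that apply. The checker deliberately does not score passphrase strength: as the article notes, SAE removes the off-site guessing path but a simple password remains a risk, so the finding for a WPA2-Personal network is about the protocol, not the secret.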