top of page
What is WPA3? And some gotchas to watch out for in this Wi-Fi security upgrade

By Eric Geier (Our Owner & Lead Wi-Fi Consultant)

Originally published on NetworkWorld

The Wi-Fi Alliance has introduced the first major security improvement to Wi-Fi in about 14 years: WPA3. The most significant additions to the new security protocol are greater protection for simple passwords, individualized encryption for personal and open networks, and even more secure encryption for enterprise networks.

The original Wi-Fi Protected Access (WPA) standard was released back in 2003 to replace WEP, and the second edition of WPA came the year after. The third edition of WPA is a long-awaited and much-welcomed update that will benefit Wi-Fi industry, businesses, and the millions of average Wi-Fi users around the world—even though they might not know it.

WPA3 was announced in January and made official with the June launch of the Wi-Fi Alliance’s certification program for WPA3-Personal, which provides more individualized encryption, and WPA3-Enterprise, which boosts cryptographic strength for networks transmitting sensitive data. Along with these two deployment modes, the Wi-Fi Alliance also unveiled Wi-Fi Easy Connect, a feature that’s supposed to simplify the process of pairing Wi-Fi devices without displays, such as IoT devices; and Wi-Fi Enhanced Open, an optional feature that allows for seamless encryption on open Wi-Fi hotspot networks.

Addressing WPA2 shortcomings

The WPA2 protocol with the Advanced Encryption Standard (AES) certainly patched some security holes from the original WPA, which used the encryption protocol Temporal Key Integrity Protocol (TKIP). And WPA2 was considered much more secure than the long-dead WEP security. However, WPA2 still had significant vulnerabilities that have emerged over the past decade.

The ability to crack the WPA2-Personal passphrase with brute-force attacks – basically guessing the password over and over until a match is found – is a critical vulnerability of WPA2. Making the problem worse, once hackers captured the right data from the airwaves, they could perform these password-guessing attempts off-site, making it more practical for them. Once cracked, they could then decrypt any data they captured before or after the cracking.

Furthermore, the complexity of the network’s WPA2-Personal passphrase had a correlation to the complexity of cracking the security. Thus, if the network was using a simple password (as it’s assumed the majority do), then cracking the security was easier.

Another major vulnerability of WPA2-Personal, particularly on business networks, is that a user with the passphrase could snoop on another user’s network traffic and perform attacks. Although the enterprise mode of WPA/WPA2 provides protection against user-to-user snooping, it requires a RADIUS server or cloud service to deploy the enterprise mode.

Arguably the worst deficiency of Wi-Fi since its inception is the lack of any built-in security, encryption, or privacy on open public networks. Anyone with the right tools could snoop on users connected to Wi-Fi hotspots in cafes, hotels, and other public areas. This snooping could be passive, like just monitoring websites visited or capturing unsecured email login credentials, or active attacks, like session hijacking to gain access to a user’s website login.

WPA3-Personal provides more secure and individualized encryption

WPA3 provides improvements to the general Wi-Fi encryption, thanks to Simultaneous Authentication of Equals (SAE) replacing the Pre-Shared Key (PSK) authentication method used in prior WPA versions. This allows for better functionality so WPA3-Personal networks with simple passphrases aren’t so simple for hackers to crack using off-site, brute-force, dictionary-based cracking attempts like it was with WPA/WPA2. Of course, it will still be just as easy for someone to guess a very simple password when they’re attempting to directly connect to the Wi-Fi with a device, but that’s a less practical cracking method.

The encryption with WPA3-Personal is more individualized. Users on a WPA3-Personal network can’t ever snoop on another’s WPA3-Personal traffic, even when the user has the Wi-Fi password and is successfully connected. Furthermore, if an outsider determines the password, it is not possible to passively observe an exchange and determine the session keys, providing forward secrecy of network traffic. Plus, they can’t decrypt any data captured prior to the cracking either.

Wi-Fi Easy Connect is an optional feature announced recently that will likely be seem with many WPA3-Personal devices, which may replace or be used in addition to the Wi-Fi Protected Setup (WPS) feature that came with WPA/WPA2. Wi-Fi Easy Connect is being designed to make it easier to connect display-less and IoT devices to Wi-Fi. This may include a button method similar to WPS, but may also add additional methods, like scanning a QR code of the device from a smartphone in order to securely connect the device.

WPA3-Enterprise targets large-scale Wi-Fi

For WPA3-Enterprise, there is optional 192-bit security added for even better protection. This may be a welcomed feature for government entities, large corporations, and other highly sensitive environments. Depending on the specific RADIUS server implementation, however, the 192-bit security mode in WPA3-Enterprise may require updates related to the EAP server component of the RADIUS server.

Wi-Fi Enhanced Open delivers encryption for public networks

One of the greatest improvements the Wi-Fi Alliance has made is Wi-Fi Enhanced Open. It allows the Wi-Fi communications of open networks (those without any passphrase or password) to be uniquely encrypted between the access point and individual clients, which is based on Opportunistic Wireless Encryption (OWE). It uses Protected Management Frames to secure the management traffic between the access point and user devices as well.

Wi-Fi Enhanced Open prevents users from snooping on each other’s web traffic or performing other attacks, like session hijacking. It does all this in the background, without the users having to enter any password or do anything different than simply connecting like we’ve been used to on open networks.

Although Enhanced Open is actually not officially a part of the WPA3 specification, it will likely be added in products at the same time of WPA3. It is an optional feature for vendors to include in their products.

 

Furthermore, the support of the un-encrypted legacy open connections is also optional. So, there’s a chance some AP and router vendors in the future may force the use of Wi-Fi Enhanced Open (or have it turned on by default), if WPA3 isn’t being used.

WPA3 adoption may take years

As for timing, widespread adoption of WPA3 won’t happen overnight. A few Wi-Fi devices supporting WPA3 should begin appearing by the end of 2018, but WPA3 support is still an optional feature and may not be mandatory for Wi-Fi Alliance certification for up to two years. Some vendors might optionally release software updates with the WPA3 capability to existing products, but there’s no guarantee. Also, it’s important to note that some WPA3 functionality may require a hardware update in products.

In addition, it may take years for consumers and businesses to upgrade.

Even if a user buys a WPA3-capable laptop or smartphone, keep in mind that the network must support WPA3 in order to obtain any of the security improvements, although the WPA3 device will still be able to connect to WPA2 networks.

At home, a user has control of the network and could choose to upgrade the router and devices to WPA3. However, the cost involved for larger networks may mean a very long adoption period for WPA3 by businesses and enterprises. This could also be the case for even small public Wi-Fi hotspots as well, since wireless internet is usually a non-revenue amenity. So, security conscious users who always uses a VPN connection when on public networks will likely have to keep the VPN connection for a few years.

WPA3-Personal provides a transition mode to allow for gradual migration to a WPA3-Personal network while still allowing WPA2-Personal devices to connect. However, the full benefits of WPA3-Personal are only realized when the network is in WPA3-only mode. The benefits that are lost and security impact when in the transition mode are unknown at this point; this could potentially be one reason some hold off on WPA3 network deployment, until more WPA3 end user devices are in the market.

Potential Wi-Fi Enhanced Open limitations

Another issue to consider with Wi-Fi Enhanced Open is that it may give some users a false sense of security. It’s important to understand that although users receive individualized encryption to help protect against eavesdropping on their traffic, it’s still not full security. Users aren’t authenticated like they are on a WPA3 network, so users are more vulnerable than if connecting to their private network at home, work, or school for instance.

When using a Wi-Fi Enhanced Open network, keep in mind that any open network shares on the user devices may still be open for users to connect to. Given that the access is not password-protected, it’s also safe to say that Wi-Fi Enhanced Open won’t have any impact on helping to prevent fake honeypot networks either.

Right now, most Wi-Fi devices don’t clearly indicate the type of Wi-Fi security that’s enabled on the network. This could be an issue with Wi-Fi Enhanced Open, as even for users with a supported device it’s not easy to determine if third-party networks, like public hotspots, have the protection enabled. This will be up to the device vendors and operating systems to how they might better display the security capabilities of networks. For instance, we hope they would make it clearly noticeable if networks have Wi-Fi Enhanced Open enabled and then have a warning like some already do for open networks without any security.

See our Full List of Articles Here

bottom of page