WPA3 Boosts Wi-Fi Security

It’s hard to imagine a world without Wi-Fi. It now moves more than half of all Internet traffic and has become the primary means of connectivity for most organizations around the world. There are more than 13 billion Wi-Fi-enabled devices, which is nearly two apiece for every man, woman and child on the planet. Surveys regularly show that people would give up chocolate, sex, coffee or alcohol before they’d do without Wi-Fi.

With the impending availability of devices that support the new WPA3 security standard, Wi-Fi’s significance as a business-enabling tool will only grow.

Security has always been a sore spot for Wi-Fi networks. As a broadcast technology, wireless is just inherently more vulnerable than wired connections to data theft, eavesdropping and other potential hacks. It doesn’t require much skill, either. There are dozens of Wi-Fi hacking tools and how-to videos available online. In a 2018 Spiceworks poll, 92 percent of IT security professionals reported they are concerned about security vulnerabilities associated with the use of Wi-Fi networks.

The Wi-Fi Alliance recently took a major step to improve security with last year’s certification of the WPA3 protocol. Devices that support the new protocols will feature significant security upgrades, including stronger password protection, more robust authentication, and increased cryptographic strength for both public and private Wi-Fi networks.

Although widespread adoption will take a few years, products featuring the latest version of the Wi-Fi security suite will soon be hitting the market. The Wi-Fi Alliance is currently certifying products that support the standard, and major tech companies are making WPA3-ready products.

It has been a long time coming. WPA3 is the first update to Wi-Fi security protocols in 14 years. The update was in the works for some time, but the process gained urgency in 2017 when researchers publicly disclosed a serious flaw in the previous version, WPA2, that could potentially enable an attacker to see, decrypt, or even manipulate data on the network. Known as KRACK (Key Reinstallation Attack), the flaw allowed attackers to interfere with the initial “handshake” between a device and Wi-Fi router, creating an opening to conduct man-in-the-middle attacks that could expose sensitive data.

WPA3 features a new handshake authentication process that can’t be compromised by KRACK. Known as the Simultaneous Authentication of Equals (SAE), the process uses a much more secure key establishment protocol, which provides stronger protections against brute-force password cracking attempts.

WPA3 also has much stronger encryption. While WPA2 requires a 64-bit or 128-bit encryption key, WPA3 uses 192-bit encryption. Additionally, WPA3 is aligned with the Commercial National Security Algorithm (CNSA) Suite, which delivers the robust levels of security typically used in industrial, military and government applications.

Another enhancement in WPA3 is the Wi-Fi Device Provisioning Protocol (DPP), which improves the process of onboarding devices on a wireless network. The old protocol, Wi-Fi Protected Setup (WPS), was introduced in 2006 and had become susceptible to brute-force password cracking attacks. Using readily available tools, hackers could crack a WPS PIN in just a few hours. DPP instead uses QR codes or NFC tags to perform device authentication without a PIN or password.

The WPA3 standard is not yet mandatory, so wireless devices will maintain interoperability with WPA2 through a transitional period of several years. During the transition period, you can still boost security by applying patches that fix the KRACK vulnerability, and by rolling out regular software updates and patches for all wireless devices — including employee-owned devices. However, all organizations should start planning now to eventually upgrade to devices that support WPA3.