The Wi-Fi Alliance, which certifies Wi-Fi products, has announced WPA3, a major upgrade to Wi-Fi security that will appear in 2018 and take care of known flaws while simultaneously requiring less effort on your part. Among other things, it will eliminate the nasty KRACK vulnerability and secure open Wi-Fi networks. (See “Wi-Fi Security Flaw Not As Bad As It’s KRACKed Up To Be,” 17 October 2017.)
The Wi-Fi Alliance is a trade group that dates back nearly 20 years. It has long been responsible for keeping all the cats in the local wireless networking bag, preventing forks and proprietary standards that have plagued other technologies. Almost 15 years ago, the Wi-Fi Alliance worked to recover from the terrible flaws in its original network encryption standard, WEP, by getting the whole industry to switch to the far more secure WPA2.
WPA2 encrypts traffic passed over the Wi-Fi wireless local area network to prevent anyone without the network passphrase or an enterprise login from being able to decipher the flow of data. On an enterprise network, even devices on the same Wi-Fi network can’t see each other’s data. It’s supposed to work that way on passphrase-only Wi-Fi networks too, like what you have in your home, but flaws in the protocol allow someone with the network’s shared password and a simple cracking tool to access data from other network users.
While the WPA2 standard was largely designed well, it hasn’t changed in 15 years, which is a long time in the security world. Last year, a security researcher discovered a major flaw that he dubbed KRACK. It could allow someone in proximity to a Wi-Fi network to recover certain kinds of otherwise protected data. Major vendors, including Apple, released patches for Wi-Fi adapters and routers, but older hardware that is unpatched or unpatchable remains vulnerable, and the repairs were more bandages than curative surgery.
The new WPA3 fixes the fundamental flaw related to KRACK by replacing the four-way handshake between a Wi-Fi device and a base station that turned out to be vulnerable. Precise details of WPA3’s redesigned method of establishing a secure connection aren’t yet available.
The new WPA3 standard also adds the following:
- Even when a user picks a weak passphrase — like pass1234 — WPA3 will process it without user involvement so that the password can’t be extracted via brute-force attacks that rely on iterating through short, common, and dictionary-based passwords.
- WPA3 provides a better way for devices with limited input methods, like printers, to join a network securely. That was supposed to be the job of WPS (Wi-Fi Protected Setup), but it never reached its potential, and the WPS spec has security flaws.
- Encryption key length in WPA3 rises from 128 bits to 192 bits to meet a level of protection required for U.S. government use.
- Joining a password-free network will now securely set up an encrypted connection.
- All connections will now be protected from other users of the same network, something that’s reliably available only with enterprise connections today.
These last two points are a major improvement for public Wi-Fi networks. Unsecured networks are convenient because businesses and institutions don’t have to provide a Wi-Fi password to everyone who walks in. However, eliminating the need for a password also means that users send their traffic across unprotected connections that can be intercepted by anyone nearby with a Wi-Fi sniffer. With WPA3, Wi-Fi providers won’t have to choose between convenience and security.
The Wi-Fi Alliance also said it’s upping its game with WPA2, adding more tests of how WPA2 is implemented by companies to provide better consistency and security.
WPA3 will start appearing in hardware in 2018, but WPA2 will remain available for compatible devices for some time to come — almost certainly for several years, given its installed base. Unfortunately, most devices that run WPA2 likely can’t be updated to WPA3, possibly apart from some more recent devices that were designed with an idea of what hardware features WPA3 would require.
That means that WPA2 will remain the weakest link in Wi-Fi security until WPA3 is supported by every device you use and all the base stations to which you connect. As we saw with the transition from WEP to WPA2, which involved the interim WPA standard, that can be a long process.