WiFi Security Update — The WPA3 Protocol
WiFi needs an overhaul in its security protocol, as it is becoming easier to capture encrypted data traffic. WPA3 (Wi-Fi Protected Access 3) is the standard proposed by the Wi-Fi Alliance for certified devices starting in 2018.
This is the third iteration for security encryption of data traffic that uses wireless connections via Wi-Fi products. It is the successor to the much older WEP and more recent WPA2 (Wi-Fi Protected Access 2) protocols, which are found in systems that use Wi-Fi connections.
WPA3 was developed to address the shortcomings of WPA2. While WPA2 (from 2004) improved Wi-Fi security at a time many users began connecting wirelessly to the Internet, it had some flaws.
WPA2-Personal passphrases were prone to brute-force attacks. That means an attacker can spend a certain amount of time guessing the password of an access point until they succeed. Brute-force attacks use “dictionary attack” techniques that try large lists of candidate passwords until one matches. Hackers can also perform offline brute-force attacks on captured data packets from the network.
The problem is that once the passphrase has been cracked, it can be used to decrypt the sensitive information in the captured packets. Oftentimes, the simpler the password a user creates, the easier it is to crack and decrypt the data.
There was also a lack of built-in security, encryption, or privacy on open public networks, such as those in schools, libraries and cafes. These are the places where you are most likely to have your data stolen, because they are public and very exposed to attacks.
WPA3 introduces the following features to Wi-Fi security:
- Simultaneous Authentication of Equals — This creates a more secure handshake between the access point and the client. Both the access point and the client verify their authentication and connection on the network.
- Wi-Fi DPP (Wi-Fi Device Provisioning Protocol) — During the handshake, the authorization verification takes place using Wi-Fi DPP. It registers a device along with a basic password for network access, and it also allows devices to register on the network using QR codes or NFC tags. The encryption is also upgraded to GCMP-256, in place of 128-bit encryption.
- Brute-Force Protection — WPA2 lacks built-in encryption and privacy protections, making it susceptible to brute-force attacks. To protect against such attacks, WPA3 requires the connecting device to authenticate its connection. Even if a guessing device succeeds in finding a user's password, it is denied access to the network if it cannot verify its device registration with the access point.
- More Data Privacy — This feature uses individualized data encryption to protect user data. That means the data is encrypted regardless of whether the password is weak or strong. WPA3 defines a new handshake that takes weak passwords into consideration.
- Higher Grade Session Keys — WPA3 also supports larger session key sizes, using 192-bit security for enterprise-level requirements.
Protected Management Frames (PMF)
A discussion of WPA3 would not be complete without mentioning PMF, which provides protection against threats such as disconnect, honeypot, and evil-twin attacks.
According to the Wi-Fi Alliance:
Protected Management Frames enforces the encryption of frames for disconnection, which enables APs and clients to detect forged disconnect frames and ignore them. Furthermore, if an AP reports the detection of attempted forged frames to a network monitoring tool, the network operator can be notified to quickly expose the attacker.
This protects both unicast and multicast management action frames. Unicast management action frames are protected from eavesdropping and forging, while multicast management action frames are protected from forging. This improves the resiliency of networks that carry highly confidential, mission-critical data. WPA3 requires PMF, nothing less.
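The forged disconnect frames described in the quote above are what a monitoring tool would watch for. The following is an added example (not the article's text or any vendor's code): it parses the 24-byte 802.11 management header, classifies deauthentication and disassociation frames as protected or not (the Protected Frame bit for unicast frames, the presence of a Management MIC element for group-addressed frames, which PMF integrity-protects with BIP rather than encrypting), and raises an alert once a BSSID has sourced a threshold number of unprotected disconnects. The addresses, reason code and frame bytes at the bottom are constructed for the demonstration; the `build_mgmt`, `classify` and `detect` names are this example's own.

```python
"""Flag unprotected 802.11 disconnect frames, the forgery that PMF lets stations detect and ignore.

Added example, not the article's or any vendor's code; the sample frames below are constructed."""
import struct
from collections import Counter

TYPE_MGMT = 0
DISCONNECT_SUBTYPES = {10: "disassoc", 12: "deauth"}
FLAG_PROTECTED = 0x40   # Protected Frame bit in the Frame Control flags byte (unicast CCMP/GCMP)
MMIE_ID = 76            # Management MIC element appended to BIP-protected group-addressed frames
BROADCAST = b"\xff" * 6


def mac(raw6):
    return ":".join(f"{b:02x}" for b in raw6)


def parse_mgmt(raw):
    """Parse the 24-byte management header; None for anything that is not a management frame."""
    if len(raw) < 24:
        return None
    (fc,) = struct.unpack_from("<H", raw, 0)          # Frame Control is little-endian
    if (fc >> 2) & 0x3 != TYPE_MGMT:
        return None
    return {
        "subtype": (fc >> 4) & 0xF,
        "protected": bool((fc >> 8) & FLAG_PROTECTED),
        "da": raw[4:10], "sa": raw[10:16], "bssid": raw[16:22],
        "body": raw[24:],
    }


def has_mmie(body):
    """Walk the elements after the 2-byte reason code, looking for a Management MIC element."""
    i = 2
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        if eid == MMIE_ID:
            return True
        i += 2 + elen
    return False


def classify(raw):
    """Describe a disconnect frame and whether it carries PMF protection; None otherwise."""
    f = parse_mgmt(raw)
    if f is None or f["subtype"] not in DISCONNECT_SUBTYPES:
        return None
    group_addressed = bool(f["da"][0] & 1)   # multicast/broadcast bit of the first address octet
    protected = has_mmie(f["body"]) if group_addressed else f["protected"]
    return {"kind": DISCONNECT_SUBTYPES[f["subtype"]], "bssid": mac(f["bssid"]),
            "da": mac(f["da"]), "protected": protected}


def detect(frames, threshold=3):
    """Collect unprotected disconnects and alert per BSSID once the count reaches threshold."""
    findings, per_bssid = [], Counter()
    for raw in frames:
        c = classify(raw)
        if c is None or c["protected"]:
            continue
        findings.append(c)
        per_bssid[c["bssid"]] += 1
    alerts = {b: n for b, n in per_bssid.items() if n >= threshold}
    return findings, alerts


def build_mgmt(subtype, da, sa, bssid, body, protected=False):
    """Constructed test frame: frame control, duration, three addresses, sequence control, body."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), FLAG_PROTECTED if protected else 0])
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body


# Constructed locally-administered addresses and frames. Reason code 7 ("class 3 frame received
# from non-associated STA") is carried as a little-endian 16-bit value.
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
REASON_7 = (7).to_bytes(2, "little")
UNPROTECTED_DEAUTH = build_mgmt(12, STA, AP, AP, REASON_7)
# Protected unicast body: 8-byte CCMP header, encrypted reason code, 8-byte MIC (opaque, constructed).
PROTECTED_DEAUTH = build_mgmt(12, STA, AP, AP, b"\x00" * 8 + b"\xab\xcd" + b"\x00" * 8, protected=True)
# Broadcast deauth with a BIP-CMAC-128 MMIE (KeyID 2 + IPN 6 + MIC 8 = 16 bytes, zeroed here).
BROADCAST_DEAUTH_BIP = build_mgmt(12, BROADCAST, AP, AP, REASON_7 + bytes([MMIE_ID, 16]) + b"\x00" * 16)
BROADCAST_DEAUTH_BARE = build_mgmt(12, BROADCAST, AP, AP, REASON_7)
SAMPLE_FRAMES = [UNPROTECTED_DEAUTH] * 3 + [PROTECTED_DEAUTH, BROADCAST_DEAUTH_BIP, BROADCAST_DEAUTH_BARE]

if __name__ == "__main__":
    found, alerts = detect(SAMPLE_FRAMES)
    for f in found:
        print(f"unprotected {f['kind']} from {f['bssid']} to {f['da']}")
    print("alerts:", alerts)
```

Run it as-is and it reports four unprotected disconnects from the constructed AP and one alert for that BSSID. Feeding real traffic needs a monitor-mode capture, and note that this only checks for the presence of protection: verifying the MMIE's MIC is the receiving station's job, since it alone holds the integrity group key.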
Wi-Fi Enhanced Open
Alongside PMF, WPA3 also brings Wi-Fi Enhanced Open. It gives open networks that have no passphrase or password a communications channel with unique encryption between the access point and each client device, based on Opportunistic Wireless Encryption (OWE). OWE prevents users from snooping on each other's data traffic.
Open networks, like those found in public places (e.g. government institutions, food courts, cafes), allow users to connect without a password or passphrase. Security analysts would view this as very insecure, but Enhanced Open makes it easier for clients to access the Internet with some form of encryption enabled.
The Enhanced Open feature might give some users a false sense of security. Although users receive individualized data encryption to help protect against attacks, it is not full security: it provides encryption but not authentication of the WPA3 network. It is more likely to be used for private networks that bridge connections at home than for enterprise public networks.
Enhanced Open is not an actual part of the WPA3 specification, but it is worth noting its features. It will likely be added along with certified WPA3 Wi-Fi products for additional security features.
One of the major benefits of WPA3 is its stronger encryption for data security and privacy. It is the successor to WPA2 going forward: newer devices will implement it while maintaining backward compatibility with current devices. As of July 2020, WPA3 is mandatory for all Wi-Fi certified devices on the market.
Adoption in 2022 is not yet widespread, but it is growing as newer devices are installed. Eventually it will become the norm, providing better security overall, much as WPA2 did when it was rolled out.