At the recent Consumer Electronics Show (CES), the Wi-Fi Alliance announced WPA3, a new security certification which promises to address the weaknesses of WPA2 and adds a range of much-needed enhancements to wireless security.
Wireless security has taken a beating over the years. Back in 2001, WEP (Wired Equivalent Privacy) was cracked and rendered useless. Its replacement, WPA, had weaknesses identified and was promptly replaced with WPA2. WPA2 held its own for a fair while (14 years), right up until October 2017, when the KRACK vulnerabilities were identified. Although the KRACK vulnerabilities could be mitigated with vendor patches, for me it highlighted the fact that WPA2 is a bit long in the tooth and in need of an update. In total there are 4 new features in the WPA3 certification which weren’t in WPA2; they are detailed below.
Shake on it...
First up, there are enhancements that address the weaknesses in the 4-way handshake which the KRACK exploit relied on. Mathy Vanhoef, one of the researchers behind the WPA2 KRACK vulnerability, speculates that the handshake process being utilised is most likely SAE (Simultaneous Authentication of Equals), also known as Dragonfly.
Enhancements to the 4-way handshake process aim to “deliver robust protections even when users choose passwords that fall short of typical complexity recommendations”. As a result, a brute-force dictionary attack will no longer work. This is great news: although the KRACK exploit required a special set of circumstances, it’s good to know that a known exploit has been addressed and mitigated, and that the age-old problem of weak PSKs (Pre-Shared Keys) being used by the less tech-savvy users out there has been alleviated.
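Why a weak WPA2 passphrase is exposed to offline guessing, shown as an added example that is not part of the original post: in WPA2-Personal the key is derived from the passphrase and the network name alone (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes), so any guess can be checked without talking to the access point. The sketch below audits a stored key against a short list of common passphrases; the function names, SSID and word list are assumptions constructed for illustration.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def audit_stored_psk(ssid: str, stored_psk_hex: str,
                     weak_passphrases: Iterable[str]) -> Optional[str]:
    """Return the weak passphrase behind a stored 64-hex-digit key, or None.

    The key depends only on passphrase and SSID, so the comparison needs no
    radio, no access point and no rate limit: that is the WPA2 weakness.
    """
    stored = bytes.fromhex(stored_psk_hex)
    for candidate in weak_passphrases:
        if hmac.compare_digest(wpa2_pmk(candidate, ssid), stored):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample data: a hypothetical SSID and a tiny weak-password list.
    ssid = "CoffeeShop-Guest"
    weak_list = ["password", "12345678", "qwertyuiop", "letmein123"]

    # Two constructed configurations: one weak key, one long random-looking key.
    configs = {
        "weak": wpa2_pmk("12345678", ssid).hex(),
        "strong": wpa2_pmk("v7#Lq2!mZr9@Tt4$Xe6&Bn1*", ssid).hex(),
    }
    for name, psk_hex in configs.items():
        hit = audit_stored_psk(ssid, psk_hex, weak_list)
        verdict = f"guessable ({hit!r})" if hit else "not in weak list"
        print(f"{name}: {verdict}")
```
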
Publicly private...
Next up, we finally have a secure way of connecting to public Wi-Fi networks without passing traffic over an unencrypted connection. Currently, when we connect to a public Wi-Fi network, we are sending all traffic over the connection in clear text, and as such this traffic can be intercepted. Although the increase in HTTPS-enabled websites has helped with this issue, there are still sites which use HTTP and are therefore still susceptible to traffic interception. WPA3 addresses this with “individualised data encryption”. What this means is that even though you will connect to a public hotspot without entering a passphrase (PSK), the connection between your device and the access point will be encrypted.
Secure thingies...
The third feature added to the WPA3 certification addresses securely connecting those pesky IoT devices without displays. This usually entails the use of a smartphone app to enter your network details and is generally a lot more painful than it needs to be. WPA3 will “simplify the process of configuring security for devices that have limited or no display interface” (Wi-Fi Alliance). This feature is likely to be similar to the current WPS (Wi-Fi Protected Setup) feature, whereby the device is connected to the network by pushing a button on the device and your WPS-enabled router, or by entering a PIN. WPS vulnerabilities were identified back in 2012, so a secure alternative is very much needed.
National Security...
The fourth and final feature announced by the Wi-Fi Alliance as part of the new WPA3 certification is the addition of a “192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems”. Feel free to switch off at this point: this feature is of no interest to home / enterprise users and was added at the request of the US government (CNSS, the Committee on National Security Systems) to provide stronger encryption for their critical wireless systems.
Roll out...
According to the Wi-Fi Alliance, we will start seeing WPA3 certified devices later this year. As with WPA2 certified devices, any vendors wishing to sport the Wi-Fi certified logo must apply for and be granted the certification. With this in mind, it is doubtful that current wireless devices will be updated to support WPA3, and far more likely that the next wave of devices will be put through the certification process. That being said, client devices will also need to be certified in the same way to be able to take advantage of the new certification.
Although it may take a fair while for WPA3 to become the norm, we are at least on our way to a more secure wireless world!