It’s been a long time since WPA2 improved Wi-Fi security and the world has changed much in that time.
With the proliferation of IoT (Internet of Things), plus our enabled products and our reliance on technology for even our most mundane day-to-day tasks (Alexa, Siri, etc.), it’s well past time for another look at the security of our wireless connection to the world.
A majority of homes and businesses rely on a wireless connection. If recent history has taught us anything, it is that where there’s a connection to the web, there is someone trying to get in.
On Monday, June 25th, WPA3 was released by the Wi-Fi Alliance as the new standard for Wi-Fi security. This standard is intended to replace WPA2, which has been the gold standard of wireless security for over a decade. This update is intended to prevent the offline password attacks which have plagued WPA2 and, even more so, the old WEP standard.
Cracking the key
One of the current challenges with WPA2 PSK and WEP is that the keys are static and can, with varying degrees of difficulty, be ascertained offline after capturing a certain amount of data in transit. This led to situations where the keys could be compromised via a dictionary attack, which is a type of password guessing attack where numerous passwords are listed in a file and tested against the data until a key match is found.
While not extremely efficient, it can allow billions of guesses per second. So, given enough time or resources, a key could be discerned.
WPA3 instead alters this paradigm so that the key is exchanged using the IETF Dragonfly key exchange. This key exchange is referred to as SAE, or Simultaneous Authentication of Equals, and provides a means of protecting the exchange of the shared password between two devices. As this step needs to be completed over the network, it prevents offline attacks and increases the time required for an attacker to attempt a dictionary attack against the password.
For users of Wi-Fi in public places such as coffee houses, stores, hotels, etc., there is another improvement with the WPA3 standard by utilizing Enhanced Open. Enhanced Open is a protocol that helps to set up a secure connection between the access point and the end user device by using a unique key. This technology utilizes OWE or Opportunistic Wireless Encryption to encrypt data in transit on these open networks so that even “Open Wi-Fi” will not be wide open for bad actors to watch what is going on.
IoT (Internet of Things)
The final major improvement from WPA3 is in the realm of supporting the Internet of Things, or IoT. IoT is the networking of all our favorite devices, including thermostats, refrigerators, TVs, etc. To do this, it has a technology billed as “Easy Connect,” which lets you utilize an intermediate device such as a smartphone or tablet to broker and manage the connection to the network for your devices. This way, devices that lack a screen, or that in the past required a direct plug-in to a computer for configuration before launching on the network, can quickly and easily be deployed.
It is anticipated that some newer devices will be able to receive a firmware update to utilize WPA3 but, more likely, you will have to purchase new products to gain access to this security upgrade.
This does not just apply to your routers but also to the products that connect to the routers. In the interim, most new WPA3 devices will still offer WPA2 support to allow legacy devices to continue to use the network as they always have, albeit without the security features available on the newer router.
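An added example, not part of the original article: this Python parser reads the RSN information element an access point advertises in its beacons and reports whether it offers PSK, SAE, both (the WPA2-compatible mode described above) or OWE. The AKM selector values and the management-frame-protection bits come from IEEE 802.11 rather than from the article, and the sample elements are constructed by the hypothetical `build_rsn` helper.

```python
import struct

# AKM suite selectors (OUI 00-0F-AC plus type) from IEEE 802.11, limited to
# the key-management methods the article names. Types 2 and 6 are both PSK.
AKM = {b"\x00\x0f\xac\x02": "PSK", b"\x00\x0f\xac\x06": "PSK",
       b"\x00\x0f\xac\x08": "SAE", b"\x00\x0f\xac\x12": "OWE"}
CCMP = b"\x00\x0f\xac\x04"

def build_rsn(akm_types, caps):
    """Constructed sample data: an RSN element (ID 48) with CCMP ciphers."""
    body = struct.pack("<H", 1) + CCMP + struct.pack("<H", 1) + CCMP
    body += struct.pack("<H", len(akm_types))
    body += b"".join(b"\x00\x0f\xac" + bytes([t]) for t in akm_types)
    body += struct.pack("<H", caps)
    return bytes([0x30, len(body)]) + body

def classify_rsn(element):
    """Report which key management an RSN element advertises."""
    if len(element) < 2 or element[0] != 0x30 or len(element) - 2 < element[1]:
        raise ValueError("not a complete RSN element")
    body = element[2:2 + element[1]]
    try:
        off = 6                                   # skip version + group cipher
        (n_pairwise,) = struct.unpack_from("<H", body, off)
        off += 2 + 4 * n_pairwise                 # skip pairwise cipher list
        (n_akm,) = struct.unpack_from("<H", body, off)
        off += 2
        if off + 4 * n_akm > len(body):
            raise ValueError("AKM list runs past the element")
        names = {AKM.get(body[off + 4 * i:off + 4 * i + 4], "other")
                 for i in range(n_akm)}
        off += 4 * n_akm
        # RSN capabilities are optional; bit 6 = PMF required, bit 7 = capable.
        caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    except struct.error:
        raise ValueError("truncated RSN element") from None
    if {"SAE", "PSK"} <= names:
        mode = "WPA3 transition (SAE + PSK)"
    elif "SAE" in names:
        mode = "WPA3-Personal (SAE)"
    elif "PSK" in names:
        mode = "WPA2-Personal (PSK)"
    else:
        mode = "Enhanced Open (OWE)" if "OWE" in names else "other"
    return {"mode": mode, "psk_accepted": "PSK" in names,
            "pmf_required": bool(caps & 0x0040), "pmf_capable": bool(caps & 0x0080)}

if __name__ == "__main__":
    for akms, caps in (([2], 0x0000), ([2, 8], 0x0080), ([8], 0x00C0), ([18], 0x00C0)):
        print(classify_rsn(build_rsn(akms, caps)))
```

A network reported with `psk_accepted` set still lets WPA2 clients join with the static key, so the offline-guessing exposure described earlier remains for those clients until PSK is switched off.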