The Wi-Fi Alliance, a non-profit global trade group, has announced that the rollout of the new Wi-Fi Protected Access (WPA) protocol, WPA3, has begun. The new protocol should bring improvements in authentication and data protection.
What’s Been The Problem?
There are estimated to be around 9 billion Wi-Fi devices in use in the world, but the current security protocol, WPA2, dates back to 2004. The rapidly changing security landscape has, therefore, left many Wi-Fi devices vulnerable to new methods of attack, fuelling the calls for the fast introduction of a new, more secure standard.
WPA2 Vulnerabilities
For example, WPA2, which is mandatory for Wi-Fi Certified devices, is known to be vulnerable to offline dictionary attacks to guess passwords. This is where an attacker can have as many attempts as they like at guessing Wi-Fi credentials without being on the same network. In an offline attack, the perpetrator only needs to passively capture an exchange, or interact with a user once, before finding out the password. Using Wi-Fi on public networks with the current protocol has also left people vulnerable to ‘man-in-the-middle’ attacks or ‘traffic sniffing’.
One key contributor to the vulnerability of Wi-Fi under the WPA2 standard is homes and businesses using obvious or simple passwords.
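The following passphrase audit is an added example, not part of the original article. It relies on the fact that WPA2-Personal derives its master key with PBKDF2-HMAC-SHA1 from nothing but the passphrase and the network name (SSID), which is why guesses can be checked offline and why the passphrase carries the whole load. The SSID, wordlist and guess rate are constructed assumptions.

```python
import hashlib
import math
import string

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA2 passphrases must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def keyspace_bits(passphrase: str) -> float:
    """Upper bound on guessing effort: length * log2(size of character set used)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    charset = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(charset)

def audit(passphrase: str, ssid: str, wordlist: set, guesses_per_second: float) -> dict:
    """Rate a passphrase against offline guessing; the guess rate is an assumption."""
    pmk = wpa2_pmk(passphrase, ssid)  # also validates length and character set
    bits = keyspace_bits(passphrase)
    seconds = 2 ** bits / guesses_per_second
    return {
        "pmk": pmk.hex(),  # same passphrase + SSID always gives the same key
        "in_wordlist": passphrase.lower() in wordlist,  # a listed word falls first
        "keyspace_bits": round(bits, 1),
        "years_to_exhaust": seconds / (365 * 24 * 3600),
    }

# Constructed sample data: SSID, wordlist and guess rate are illustrative only.
SAMPLE_WORDLIST = {"password", "12345678", "letmein123", "qwertyuiop"}
ASSUMED_RATE = 1_000_000  # guesses per second, an assumed figure

if __name__ == "__main__":
    for candidate in ("password", "Tr4il-mix&kettle9"):
        print(candidate, audit(candidate, "OfficeWiFi", SAMPLE_WORDLIST, ASSUMED_RATE))
```

The keyspace figure is an upper bound: a passphrase that appears in a wordlist is found long before the character space is exhausted, so treat `in_wordlist` as the stronger signal.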
What’s So Good About The New Standard?
The new WPA3 standard has several advantages. These include:
- The fact that it has been designed for the security challenges of businesses, although it has two modes of operation: Personal and Enterprise.
- The equivalent of 192-bit cryptographic strength, thereby offering a higher level of security than WPA2.
- The addition of Easy Connect, which allows a user to add any device to a Wi-Fi network using a secondary device already on the network via a QR code. This makes the connection more secure and helps simplify IoT device protection.
- WPA3-Personal mode offers enhanced protection against offline dictionary attacks and password guessing attempts through the introduction of a feature called Simultaneous Authentication of Equals (SAE). Some commentators have suggested that it ‘saves users from themselves’ by offering improved security even if a user chooses a simpler password. It also offers ‘forward secrecy’ to protect communications even if a password has been compromised.
In Tandem For The Time Being
The current standard, WPA2, will be run in tandem with the new WPA3 standard until WPA3 becomes more widely used.
Protection Against Passive Eavesdropping
In June, the Wi-Fi Alliance also announced the rollout of Wi-Fi Enhanced Open, a certification program. This provides protection for unauthenticated networks, e.g. coffee shops, hotels and airports. It protects connections against passive eavesdropping without needing a password by providing each user with unique individual encryption that secures traffic between their device and the Wi-Fi network.
What Does This Mean For Your Business?
Wi-Fi security and the security of a growing number of IoT devices have long been a source of worry to individuals and businesses, particularly as the nature and variety of attack methods have evolved while the current security standard is 14 years old.
The introduction of a new, up-to-date standard/protocol which offers greater security, has been designed with businesses in mind, offers more features, and protects the user from their own slack approach to security is very welcome. WPA3 will be particularly welcomed by those who use networks to send and receive very sensitive data, such as the public sector or financial industry.