Developments in Wi-Fi Protected Access (WPA) and WPA3.

The world has gone wireless.  Nothing startling there.  We all know that wireless has a ubiquitous presence in our lives today.  It is everywhere.  What should be startling to hear is that the majority of our wireless connections are protected by security protocols that were first introduced back in 2004 or earlier.  That’s 15-year-old technology.  Even more troubling is the fact that many wireless routers still in production today are backwards compatible with WEP, a security protocol introduced in 1999 that is easily cracked with the hacking tools that are readily available today.  In an environment in which we are accustomed to the rapid release of new features, security updates and protocols for our technology, it seems that wireless security has remained relatively stagnant.

The good news is that a next generation WiFi security protocol, WPA3, has been released and it shores up some of the inherent weaknesses of previous WiFi security protocols.   Below we have outlined some of the ways in which WPA3 will better secure your wireless environments. 

Better Password Protection

There is a glaring weakness in using passwords to protect digital assets: the human element.  People in general aren’t great at creating secure passwords.  According to the UK’s National Cyber Security Centre, “123456” is the most popular password used in 2019.  The second most popular is, not surprisingly, “123456789.”  Other popular passwords include “qwerty”, “superman” and “blink182.”  Hackers are well aware of these popular passwords, which is why they are often the first phrases used in dictionary attacks, in which thousands, if not millions, of phrases are thrown at a device until the correct password is discovered.  Because we can’t depend on everyone to make the best passwords, we need some type of security protocol that at least makes it tougher for hackers to launch offline dictionary attacks.  WEP, which was the first wireless protocol, was doomed from the start as the government didn’t see the need back then for the private sector to have access to strong encryption technology.  As a result, WEP is ridiculously simple to crack with tools easily found by a simple web search.

WEP’s successor, WPA2, has been the recommended wireless encryption protocol for more than a decade now.  While it is certainly more secure than WEP, it still has a weakness referred to as the “KRACK” vulnerability, which allows hackers unlimited attempts at guessing a password.  While longer, complex passwords are fairly safe from a dictionary attack, simpler passwords are highly vulnerable to persistent attacks by a hacker.  WPA3 eliminates the ability of hackers to simply flood a device with unlimited password attempts through the introduction of a new key exchange protocol.  This new protocol, called “Simultaneous Authentication of Equals” (SAE), is more secure in the handling of the initial key exchange and is resilient to offline decryption attacks.  It replaces the Pre-Shared Key (PSK) exchange protocol used by WPA2.  Essentially, SAE only allows a single password submission per request.  Of course, a device can initiate unlimited connection requests, but having to issue a new connection request for each password submission substantially extends the time that guessing multiple passwords takes.  As a result, hacking a password becomes very time-consuming and cumbersome.

In short, WPA3 protects passwords, good ones and bad ones alike.  While this should not in any way encourage poor password hygiene, passwords are safer under WPA3 even for those who don’t put forth the effort to create and enforce secure passwords according to best practices.
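A check for which key exchange an access point actually advertises, added here as an example and not taken from the article: it parses the RSN element an access point broadcasts and reports whether PSK, SAE or both are offered. It goes slightly beyond this section by also recognising OWE, which the article introduces next; the function names are illustrative, the suite numbers come from IEEE 802.11, and the sample elements are constructed.

```python
import struct

OUI = bytes.fromhex("000fac")      # IEEE 802.11 suite-selector OUI
AKMS = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE", 18: "OWE"}

def _suite_list(buf, off):
    """Read a little-endian count followed by that many 4-byte suite selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated RSN element")
    end = off + 2 + 4 * struct.unpack_from("<H", buf, off)[0]
    if end > len(buf):
        raise ValueError("suite list runs past the end of the element")
    return [buf[i:i + 4] for i in range(off + 2, end, 4)], end

def parse_rsn(body):
    """Return (AKM names, PMF required) from an RSN element body (after ID 48 and length)."""
    if len(body) < 6 or struct.unpack_from("<H", body)[0] != 1:
        raise ValueError("not a version-1 RSN element")
    _pairwise, off = _suite_list(body, 6)       # skip version and group cipher
    akm_raw, off = _suite_list(body, off)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    akms = {AKMS.get(s[3], f"akm-{s[3]}") if s[:3] == OUI else "vendor" for s in akm_raw}
    return akms, bool(caps & 0x0040)            # capabilities bit 6: PMF required

def classify(body):
    if body is None:
        return "no RSN element: open, WEP or legacy WPA"
    akms, pmf_required = parse_rsn(body)
    psk, sae = bool(akms & {"PSK", "PSK-SHA256"}), "SAE" in akms
    if "OWE" in akms:
        return "OWE: encrypted without a password"
    if sae and psk:
        return "transition mode: SAE offered, PSK still accepted"
    if sae:
        return "SAE only" if pmf_required else "SAE only, PMF not required"
    if psk:
        return "PSK only: WPA2-style key exchange"
    return "other: " + ", ".join(sorted(akms))

SAMPLES = {   # constructed RSN element bodies, not captured from a real network
    "wpa2":       bytes.fromhex("0100000fac040100000fac040100000fac020000"),
    "transition": bytes.fromhex("0100000fac040100000fac040200000fac02000fac088000"),
    "wpa3":       bytes.fromhex("0100000fac040100000fac040100000fac08c000"),
    "owe":        bytes.fromhex("0100000fac040100000fac040100000fac12c000"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10} -> {classify(body)}")
```

A network reported as transition mode still accepts the PSK exchange, so the SAE protections described above apply only to clients that actually negotiate SAE.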

Open-ended No Longer Means an Open Book

A common perception is that security and convenience don’t usually go hand-in-hand.  To make something secure, it usually takes a little more effort.  Such has been the case for open wireless.  Many establishments continue to utilize open 802.11 WiFi, which uses published SSIDs and does not require users to type in a pre-shared key, or password, when trying to connect.  While this makes it convenient for customers of a local coffee shop, airport or hotel, it also sends unencrypted data to the local access point, where it can be easily intercepted.  This means that all traffic being sent becomes an open book to a malicious connected party that is using some sort of data sniffing application.  The predicament in using a pre-shared key, however, is how to tell the masses who want to connect what the key is.

This is no longer a problem with WPA3.  With WPA3, unencrypted networks are a thing of the past.  The new protocol introduces Opportunistic Wireless Encryption (OWE).  This technology allows networks that don’t offer passwords and keys to still provide encryption without requiring client devices to have any prior configuration settings.  This is possible through a process called Individualized Data Protection (IDP).  With IDP, traffic is encrypted as soon as a device connects to the wireless network.  In fact, each device receives its own key from the access point even if it has never connected before.  IDP is also useful for password protected networks as knowing the passkey doesn’t give access to the encrypted communication of other devices.
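The per-device key described above, sketched as an added example that is not part of the original article: each association runs its own unauthenticated Diffie-Hellman exchange and derives a key with the HKDF layout from RFC 8110, so no two clients share a key and no password is involved. The toy group, its identifier and the function names are assumptions made to keep the code in the Python standard library.

```python
import hashlib
import hmac
import secrets

# Toy finite-field group, an assumption for this sketch: 2**255 - 19 is prime
# and keeps the code in the standard library. Real OWE uses the Diffie-Hellman
# groups named in RFC 8110 (for example NIST P-256), not this one.
P, G = 2**255 - 19, 2
GROUP_ID = b"\xff\xff"    # constructed identifier for the toy group

def keypair():
    priv = secrets.randbelow(P - 3) + 2           # private value in [2, P-2]
    return priv, pow(G, priv, P)

def enc(n):
    return n.to_bytes(32, "big")                  # fixed-length encoding

def owe_pmk(my_priv, peer_pub, client_pub, ap_pub):
    """Derive the pairwise master key from one side's view of the exchange."""
    z = enc(pow(peer_pub, my_priv, P))            # shared Diffie-Hellman secret
    salt = enc(client_pub) + enc(ap_pub) + GROUP_ID
    prk = hmac.new(salt, z, hashlib.sha256).digest()           # HKDF-extract
    info = b"OWE Key Generation\x01"                           # HKDF-expand, one block
    return hmac.new(prk, info, hashlib.sha256).digest()

def associate():
    """One client joining an open network: returns (client_pmk, ap_pmk)."""
    c_priv, c_pub = keypair()     # public value sent in the association request
    a_priv, a_pub = keypair()     # public value sent in the association response
    return (owe_pmk(c_priv, a_pub, c_pub, a_pub),
            owe_pmk(a_priv, c_pub, c_pub, a_pub))

if __name__ == "__main__":
    for name in ("laptop", "phone"):
        client_pmk, ap_pmk = associate()
        print(name, "keys match:", client_pmk == ap_pmk, client_pmk.hex()[:16])
```

The exchange is unauthenticated: it keeps other clients from reading the traffic but does not prove the identity of the access point.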

Better IoT Security and Management

A big challenge for businesses and consumers is how to secure their growing number of Internet of Things (IoT) devices.  Many of these devices lack any sort of screen to manage them, and as a result, their security can’t be managed either.  WPA3 introduces a protocol called “Easy Connect” that makes connecting IoT devices more streamlined and secure.  WPA3 lets someone with admin rights use tablets or phones as dashboards to access the device WiFi configuration settings.  Rather than depend on passwords, however, each device will have a QR code.  With your smartphone connected to the network, you can scan the QR code.  Once scanned, the device and the router automatically exchange and authenticate keys.  No more having to constantly enter passwords each time you want to add a device to your wireless network.

How to Get WPA3

Even though WPA3 has been released, the bad news is that it may be a while longer until you can fully take advantage of it.  While you can purchase wireless routers that come with the new WiFi standard, very few wireless devices are compatible with it.  That’s because WPA3 requires additional CPU capabilities and it will take a year or two for vendors to integrate the technology across all their products.  The important thing is to plan for WPA3 implementation now in order to deploy it quickly once you have the fully compatible hardware.  If you want to learn more about this next-generation technology, or other ways to best protect your wireless environment, please contact HALOCK Security Labs.