In October 2017, researchers found something shocking; they discovered a WiFi exploit that affected all modern WiFi networks utilising WPA and WPA2 security encryption.
The exploit allowed hackers to eavesdrop on traffic between computers and wireless access points using either of the two standards, which meant all of them. The news hit the WiFi security world like a ton of bricks and kickstarted discussions in earnest around a new WiFi standard for a new generation of internet security.
All of which brings us to 2018, and the news that the WiFi Alliance, the body of companies (including Apple, Intel, and Microsoft) that certifies WiFi devices and sets standards, has finalised WPA3, a new and heavily enhanced standard to replace WPA2. However, WPA3 does not aim to solve the October exploit (that issue has been solved on a manufacturer level); its aim is to bring a 13-year-old standard up to date with new security technologies and new features.
The new protocol brings improvements in authentication and encryption whilst maintaining the configuration of wireless networks.
Perhaps most importantly, WPA3 will now feature 192-bit encryption along with a 48-bit initialization vector. This will bring the security standard up to the highest levels, making it fit for use in the most stringent security environments, like governments, security contractors or industrial systems.
Another vital feature of WPA3 is the implementation of the Dragonfly protocol (or SAE protocol), which boosts security at the handshake level, offering robust security for those using short, weak passwords. WPA3 also applies individualized data encryption – where every connection between a device and a router is encrypted with a unique key – to further limit the risk of Man-in-the-Middle (MitM) attacks.
That’s a significant boon for those using cloud managed public WiFi solutions like those found in hotels, restaurants, cafes and airports.
There are also new features being implemented to help WiFi devices with limited or no GUI (like smart thermostats) connect easily to the WiFi network. It’s a move designed to help speed the expansion of the Internet of Things (IoT) by improving connection speeds through the WPS button and could prove vital in the years to come.
Clearly then, much of the work in WPA3 is designed to address the continued security issues – both real and perceived – with public and private WiFi connections. However, it’s also worth noting that many of these features have been implemented by manufacturers and service suppliers for a number of years. The new standard merely mandates that manufacturers implement these features as standard if they wish to receive the ‘WPA3-Certified’ stamp of approval from the Alliance.
So, what of WPA2? It’s a standard that won’t be retired in the immediate future. Much like how WPA can still be found in operation, WPA2 will continue to be updated and patched as time goes on. The reason? Many businesses and homeowners are unlikely to change their routers on a regular basis, a fact that will leave WPA2 as the most commonly used protocol for some years.