If you leave your router with no security then anyone can steal the bandwidth, perform illegal actions out of your connection and name, monitor your web activity, and easily install malicious apps in your network. Both WPA and WPA2 are supposed to secure wireless internet networks from unauthorized access.
The Consumer Electronics Show (CES) is an odd place to announce an enterprise product, but the Wi-Fi Alliance used the massive trade show — which has more or less taken over where Comdex left off — to announce a major upgrade to Wi-Fi security.
The standards body did not go into many details on the new security suite, but did tease a few upcoming features in addition to closing known security vulnerabilities like KRACK.
WPA3 uses a new 192-bit security suite "aligned with the Commercial National Security Algorithm (CNSA) suite from the Committee on National Security Systems" which is a collection of encryption techniques and algorithms that are reportedly up to the task of maintaining confidentiality on personal, enterprise, and industrial networks. Open Wi-Fi networks in particular will get the biggest boost from moving to WPA3 with support for individualized data encryption so that communication channels between the access point and users' devices are secured on a per-device basis. Personal networks also get improved security in the form of protections to protect users against themselves and maintain strong encryption even when they choose weak passwords. Setting up these security configurations is also being considered, and the Wi-Fi Alliance is promising easier configuration on devices with limited or no displays.
I am looking forward to more information on WPA3 as an update to WPA2 has been a long time coming. WEP has long been a joke and WPA2 has been vulnerable for a while so I hope that WPA3 lives up to its promises! What is not clear from the announcement is that if new hardware will be required or if WPA3 could be implemented through firmware and software updates. End user devices may be trickier to get updates from manufacturers, but perhaps wireless routers and access points can be upgraded without needing to buy new hardware. I suppose it depends on if radio and other hardware like the hardware accelerators / co processors need upgraded to support the new algorithms or not. In any case if you have been eyeing a new Wi-Fi AP or wireless router, maybe hold off for a few months to see how this shakes out.
Four enhancements are mentioned:
- Brute-force resistance. There will be protection against brute-force attacks on Wi-Fi passwords. In future, authentication will be blocked after several unsuccessful attempts. This should, in theory, help to limit the exposure caused by weak passwords.
- IoT support. Wi-Fi devices will be easier to configure using smartphones, a nod to the massive growth in Internet of Things (IoT) hardware using Wi-Fi that could cause major problems if not set up correctly.
- Stronger encryption.. Government and business networks will gain access to “a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems.” This implements technical encryption changes required by the US Government.
- Safer public Wi-Fi. The announcement mentions “strengthen[ing] user privacy in open networks through individualized data encryption,” although it’s not absolutely clear what this refers to.
WPA2 uses a four-way handshake that ensures the same password is being used by both clients and access points when they join a Wi-Fi network. that the WPA3 standard will use a new handshake, which won’t be vulnerable to dictionary attacks and brute force attacks.
Further, WPA3 will also feature a 192-bit security suite aligned with the Commercial National Security Algorithm (CNSA) Suite that will protect government, defense, and industrial networks that have higher security requirements. The new security features will be available later in 2018.