Wi-Fi security overhaul coming with WPA3

Nearly 14 years after it ratified WPA2 (Wi-Fi Protected Access 2), the Wi-Fi Alliance has given the world a peek at what might be coming next for wireless security.

Perhaps unsurprisingly called WPA3, the draft standard’s announcement at the annual CES Show was brief, but offered clues as to how it might address WPA2’s known problems.

The main message is that under WPA3, security will be baked deeper into wireless configuration, making it harder to misconfigure or to avoid.

Four enhancements are mentioned:

  • Brute-force resistance. There will be protection against brute-force attacks on Wi-Fi passwords. In future, authentication will be blocked after several unsuccessful attempts. This should, in theory, help to limit the exposure caused by weak passwords.
  • IoT support. Wi-Fi devices will be easier to configure using smartphones, a nod to the massive growth in Internet of Things (IoT) hardware using Wi-Fi that could cause major problems if not set up correctly.
  • Stronger encryption. Government and business networks will gain access to “a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems.” This implements technical encryption changes required by the US Government.
  • Safer public Wi-Fi. The announcement mentions “strengthen[ing] user privacy in open networks through individualized data encryption,” although it’s not absolutely clear what this refers to.

Speculating, the last enhancement could be a fix for the perennial problem of public Wi-Fi networks (e.g. airports, coffee shops, public transport) that are free to use without a password. WPA3 might provide an automatic system for allowing clients and routers to negotiate encrypted connections even on open networks.

If so, this system could also be used to address a cryptographic weakness of password-protected Wi-Fi networks. At the moment, anyone who knows the Wi-Fi PSK (Pre-Shared Key, commonly called the “network password”) and who intercepts your traffic at the moment you connect can recover your session key and decrypt all your subsequent traffic.
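The weakness above follows from the WPA2-Personal key derivation defined in IEEE 802.11i: the session key depends only on the shared passphrase plus values that cross the air unencrypted during the handshake. The sketch below is an added example, not part of the original article; the passphrase, SSID, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < length:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def temporal_key(passphrase, ssid, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """Derive the CCMP session (temporal) key from the PSK and handshake fields."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # KCK | KEK | TK
    return ptk[32:48]

# Constructed sample values (not from any real network).
PASSPHRASE, SSID = "coffee-shop-wifi", "ExampleCafe"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))        # sent in the clear by the access point
SNONCE = bytes(range(32, 64))    # sent in the clear by the client

if __name__ == "__main__":
    client = temporal_key(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)
    # Every other user of the network knows the passphrase and SSID, and the
    # MACs and nonces are visible on the air, so the inputs are identical.
    observer = temporal_key(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("same session key:", client == observer)
    # A fresh handshake uses new nonces and therefore a different key, which
    # is why the interception has to happen at the moment of connection.
    later = temporal_key(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE[::-1])
    print("new handshake, new key:", client != later)
```

No per-user secret enters the derivation, which is the gap an individualized key exchange would close.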

A password to get on the network combined with an unsniffable unique password for each user would be a useful security improvement.

Presumably, WPA3 will also avoid the sort of implementation flaws in WPA2 that led to the KRACK attack of October 2017.

That flaw was addressed with updates to WPA2 equipment, without any new hardware, so it’s possible that some of what’s in WPA3 might also be addressable with incremental updates to WPA2, even in devices that can’t support WPA3 outright.

The point of a “WPA3 Certified” sticker on products would be to make it easier for buyers to understand what security they were gaining from new equipment – a sort of easy-to-understand line in the sand.

But it’s one thing to promote a new specification, another to persuade organisations and individuals to buy new equipment to support it.

This could unfold over years, which means that WPA2 security will be with us for a long time.

We might have to get used to the reality of a world of two-level wireless security – strong WPA3 and (as research undermines it) weakening WPA2.