Wireless security is extremely important. The vast majority of us connect a mobile device to a router at some point during each day, be that smartphone, tablet, laptop, or otherwise. Furthermore, Internet of Things devices connect to the internet using Wi-Fi.
They’re always on, always listening, and always in dire need of additional security.
That’s where Wi-Fi encryption steps in. There are several different ways to protect your Wi-Fi connection. But how do you know which Wi-Fi security standard is best? Here’s how.
Wi-Fi Security Types
The most common Wi-Fi security types are WEP, WPA, and WPA2.
WEP vs. WPA
Wired Equivalent Privacy (WEP) is the oldest and least secure Wi-Fi encryption method. It is laughable how terrible WEP is at protecting your Wi-Fi connection. Here’s why you should not use WEP Wi-Fi encryption.
Furthermore, if you’re using an older router that only supports WEP, you should upgrade that too, for both security and better connectivity.
Why is it bad? Crackers figured out how to break WEP encryption, and it is easily done using freely available tools. In 2005, the FBI gave a public demonstration using free tools to raise awareness. Almost anyone can do it. As such, the Wi-Fi Alliance officially retired the WEP Wi-Fi encryption standard in 2004.
By now, you should be using a version of WPA.
WPA and WPA2 Definitions
Wi-Fi Protected Access (WPA) is the evolution of the insecure WEP standard. WPA was only a stepping stone to WPA2.
When it became apparent WEP is woefully insecure, the Wi-Fi Alliance developed WPA to give network connections an additional layer of security before the development and introduction of WPA2. The security standards of WPA2 were always the desired goal.
At the current time, the vast majority of routers and Wi-Fi connections use WPA2. At least, they should do because even with the encryption standards vulnerabilities, it is still very secure.
However, the latest upgrade to Wi-Fi Protected Access—WPA3—is firmly on the horizon.
WPA3 includes some important upgrades for modern wireless security, including:
- Brute Force Protection. WPA3 will protect users, even with weaker passwords, from brute-force dictionary attacks (attacks that attempt to guess passwords over and over again).
- Public Network Privacy. WPA3 adds “individualized data encryption,” theoretically encrypting your connection to a wireless access point regardless of password.
- Securing the Internet of Things. WPA3 arrives at a time when Internet of Things device developers are under enormous pressure to improve baseline security.
- Stronger Encryption. WPA3 adds much stronger 192-bit encryption to the standard, drastically improving the level of security.
WPA3 still hasn’t hit the consumer router market, despite an initial timeline suggesting it would arrive some time toward the end of 2018. The jump from WEP to WPA, to WPA2 took some time, so it isn’t anything to worry about at the current time.
Furthermore, manufacturers must issue backward compatible devices with patches, a process that can take months, if not years.
WPA vs. WPA2 vs. WPA3
There are three Wi-Fi Protected Access iterations. Well, the third one isn’t quite with us, but it will soon arrive on your router. But what makes them different from one another? Why is WPA3 better than WPA2?
WPA Is Inherently Vulnerable
WPA was doomed from the outset. Despite featuring much stronger public key encryption, using 256-bit WPA-PSK (Pre-Shared Key), WPA still contained a string of vulnerabilities it inherited from the older WEP standard (both of whom share the vulnerable stream encryption standard, RC4).
The vulnerabilities centered on the introduction of the Temporal Key Integrity Protocol (TKIP).
TKIP itself was a big step forward in that it used a per-packet key system to protect each data packet sent between devices. Unfortunately, the TKIP WPA rollout had to take into account old WEP devices.
The new TKIP WPA system recycled some aspects of the compromised WEP system and, of course, those same vulnerabilities eventually appeared in the newer standard.
WPA2 Supersedes WPA
WPA2 officially superseded WPA in 2006. WPA, then, had a short run as the pinnacle of Wi-Fi encryption.
WPA2 brought with it another raft of security and encryption upgrades, most notably the introduction of the Advanced Encryption Standard (AES) to consumer Wi-Fi networks. AES is substantially stronger than RC4 (as RC4 has been cracked on multiple occasions) and is the security standard in place for many online services at the current time.
WPA2 also introduced the Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (or CCMP, for a much shorter version!) to replace the now vulnerable TKIP.
TKIP remains part of the WPA2 standard as a fall back as well as to offer functionality for WPA-only devices.
WPA2 KRACK Attack
The somewhat amusingly named KRACK attack is no laughing matter; it is the first vulnerability found in WPA2. The Key Reinstallation Attack (KRACK) is a direct attack on the WPA2 protocol and unfortunately undermines every Wi-Fi connection using WPA2.
Essentially, KRACK undermines a key aspect of the WPA2 four-way handshake, allowing a hacker to intercept and manipulate the creation of new encryption keys within the secure connection process.
Dan Price has detailed the KRACK attack and whether your router is insecure or not.
Even with the potential for a KRACK attack, the likelihood of someone using it to attack your home network is slim.
WPA3: The (Wi-Fi) Alliance Strikes Back
WPA3 picks up the slack and offers much greater security, while actively taking into account the oft-lacking security practices everyone is guilty of at times. For instance, WPA3-Personal provides encryption to users even if hackers crack your password after you connect to a network.
Furthermore, WPA3 requires all connections to use Protected Management Frames (PMF). PMFs essentially augment privacy protections, with additional security mechanisms in place to secure data.
The 128-bit AES remains in place for WPA3 (a testament to its enduring security). However, for WPA3-Enterprise connections, 192-bit AES is required. WPA3-Personal users will have the option of using the extra-strength 192-bit AES, too.
The following video explores WPA3 new features in more detail.
What Is a WPA2 Pre-Shared Key?
WPA2-PSK stands for Pre-Shared Key. WPA2-PSK is also known as Personal mode, and it is intended for home and small office networks.
Your wireless router encrypts network traffic with a key. With WPA-Personal, this key is calculated from the Wi-Fi passphrase you set up on your router. Before a device can connect to the network and understand the encryption, you must enter your passphrase on it.
The primary real-world weaknesses with WPA2-Personal encryption are weak passphrases. Just as many people use weak passwords like “password” and “letmein” for their online accounts, many people will likely use weak passphrases to secure their wireless networks. You must use a strong passphrase or unique password to secure your network or WPA2 won’t protect you much.
What Is WPA3 SAE?
When you use WPA3, you will use a new key exchange protocol called Simultaneous Authentication of Equals (SAE). SAE, also known as the Dragonfly Key Exchange Protocol, is a more secure method of key exchange that addresses the KRACK vulnerability.
Specifically, it is resistant to offline decryption attacks through the provision of “forward secrecy.” Forward secrecy stops an attacker decrypting a previously recorded internet connection, even if they know the WPA3 password.
As well as this, WPA3 SAE uses a peer-to-peer connection to establish the exchange and cut out the possibility of a malicious middle man intercepting the keys.
Here’s an explanation as to what “key exchange” means in the context of encryption, using the pioneering Diffie-Hellman exchange its example.
What Is Wi-Fi Easy Connect?
Wi-Fi Easy Connect is a new connection standard designed to “simplify the provisioning and configuration of Wi-Fi devices.”
Within that, Wi-Fi Easy Connect offers strong public key encryption for each device added to a network, even those “with little or no user interface, such as smart home and IoT products.”
For instance, in your home network, you would designate one device as the central configuration point. The central configuration point should be a rich media device, like a smartphone or tablet.
The rich media device is then used to scan a QR code which in turn runs the Wi-Fi Easy Connect protocol as designed by the Wi-Fi Alliance.
Wi-Fi Easy Connect reduces the complexity of connecting devices to Wi-Fi networks. The connected home market is predicted to grow exponentially, configuring devices easily & securely is even more critical. https://t.co/yPIhhNhwFk pic.twitter.com/jEHiVIO4lG
— Wi-Fi Alliance (@WiFiAlliance) September 14, 2018
Scanning the QR code (or entering a code specific to the IoT device) gives the connecting device the same security and encryption as other devices on the network, even if direct configuration isn’t possible.
Wi-Fi Easy Connect, in conjunction with WPA3, will drastically increase the security of IoT and smart home device networks.
Wi-Fi Security Is Important
Even at the time of writing, WPA2 remains the most secure Wi-Fi encryption method, even taking the KRACK vulnerability into account. While KRACK undoubtedly is an issue, especially for Enterprise networks, home users are unlikely to encounter an attack of this variety (unless you are a high-worth individual, of course).
WEP is very easy to crack. You should not use it for any purpose. Moreover, if you have devices that can only use WEP security, you should consider replacing them to boost the security of your network. Find out how to check your Wi-Fi security type to make sure you’re not using WEP.
It is also important to note that WPA3 isn’t going to appear magically and secure all of your devices overnight. There is always a long period between the introduction of a new Wi-Fi encryption standard and widespread adoption.
The adoption rate depends on how quickly manufacturers patch devices and how quickly router manufacturers adopt WPA3 for new routers.
At the current time, you should focus on protecting your existing network, including WPA2. A great place to start is looking at your router security. See our guide to finding and changing your Wi-Fi password for some basics.