The Wi-Fi Alliance is almost ready to deliver WPA3 to consumers and service providers. The new standard of Wi-Fi security will build upon the aging WPA2 standard, ushering in a new period of Wi-Fi security.
What does WPA3 improve? Will your router use it? And when will WPA3 become available? Let's take a look.
What Is WPA?
WPA stands for Wi-Fi Protected Access. Your home network likely uses WPA2, the second iteration and more preferred of the WPA standard. Why? Because it's the strongest protection available -- or at least, it was.
Unfortunately, WPA2 was compromised using a key installation attack (or KRACK, for short). However, even with KRACK in play, WPA2 is still vastly more secure than its essentially defunct predecessor, WPA, and before that, WEP.
WPA2 governs what happens when you connect to a closed Wi-Fi network. Essentially, WPA2 uses strong encryption to keep your password and all further communication secure from anyone that wants to snoop. In fact, as of March 2006, devices displaying a Wi-Fi trademark must be WPA2 compliant.
WPA2 also introduced secure four-way handshake between the access point and potential client. Without delving too deep, this four-way handshake allows each device to confirm their password and encryption key without ever actually disclosing the key. The introduction of strong encryption to the WPA standard did cause a slight decrease in network performance, but one that is entirely negligible in comparison to the security boost.
How Is WPA3 Different?
WPA3 is the newest standard. It introduces four key components not found in WPA2. Like WPA2, unless manufacturers feature the following four components, their devices cannot be marketed as "Wi-Fi CERTIFIED™ WPA3™".
1. Brute Force Protection
Let's think about handshakes again. The handshake ensures the correct passwords are in use between each client as well as defining the type of encryption used to secure the connection. The KRACK exploit exposed underlying vulnerabilities in the WPA2 handshake procedure.
WPA3 defines a new handshake that "will deliver robust protections even when users choose passwords that fall short of typical complexity recommendations." This is particularly useful for those with weak passwords. The WPA3 standard will protect against brute-force dictionary attacks (attacks that attempt to guess passwords over and over again).
2. Public Network Privacy
By now, most internet users understand that public Wi-Fi connections are a potential liability. They're always less secure than your home connection due to the inherent security limitations of existing wireless security -- and that the vast majority of bookshop owners aren't also network security buffs.
New WPA3 standards promise to "strengthen user privacy in open networks through individualized data encryption." In theory, this means every time you connect to a public wireless access point your traffic will be encrypted whether you enter a password or not. This is a major step forward for public Wi-Fi security.
3. Securing the Internet of Things
The new WPA3 standard will introduce some well needed additional security for internet of Things devices. It is a welcome move as more IoT devices come online without adequate security features.
A major IoT security issue is the lack of changeable passwords. Typing a new password on a toaster or blender is surprisingly difficult because your hands get burnt. I jest. It is because they don't have a graphical user interface to interact with, making the change to a more secure password all-but impossible.
Naturally, having thousands of devices online all using a single password is causing an issue or two. For instance, the powerful Mirai botnet harnessed poorly protected IoT devices in its massive DDoS attacks. The number one credential used to compromise devices? A username and password combination of "Admin; Admin", of course.
There are few details as to how WPA3 will directly enhance IoT device security, but security researchers from the University of Southampton, UK, successfully updated IoT device security by configuring them with a smartphone.
4. Stronger Encryption
WPA3 introduces 192-bit encryption and alignment "with the Commercial National Security Algorithm Suite from the Committee on National Security Systems." While this might not be a "wow" feature, it certainly provides a significant boost to consumer security.
When Can I Use WPA3?
All of these security updates sound good, right? Luckily, the Wi-Fi Alliance think devices with WPA3 support are nearly here. They should begin to hit the market towards the end of 2018. However, as previously mentioned, the new devices must support the new features or else they will not receive the new WPA3 trademark.
Backwards Compatibility
If you were thinking of buying a new router, it is probably best to do so. WPA3 will likely appear in the latter stages of 2018, but there is a chance that the vast majority of devices simply won't receive updates in time. Smartphones, laptops, tablets and more all need security patches or updates to make sure devices can use WPA3. You might not use a WPA3 router with your devices for quite some time after the standard actually goes live.
When it comes, it'll be worth upgrading or changing your router. But, up to this time, the Wi-Fi Alliance hasn't announced anything about legacy device support. Device manufacturers could create new firmware that adds WPA3 support to older devices. This would require manufacturers to apply for and receive updated certification for old devices, covering a huge time frame, too.
One criticism leveled at the Wi-Fi Alliance is the behind-doors development approach. The implementation of WPA3 is going to secure our Wi-Fi connections for at least the next decade. A transparent, consistently reviewed project might have become a more robust option than the current new specification. That said, WPA2 ageing, and a new standard was well overdue.
Will you buy a new WPA3 compatible router? Or should manufacturers update old hardware for the new standard? Let us know your thoughts below!