Products featuring the latest version of the Wi-Fi security suite will soon be hitting the market. Devices that support the new Wi-Fi Protected Access 3 (WPA3) protocols will feature significant security upgrades, including stronger password protection, more robust authentication, and increased cryptographic strength for both public and private Wi-Fi networks.
The Wi-Fi Alliance has already started to certify new products that support WPA3, although the standards group doesn’t expect broad implementation until next year. However, major tech companies such as Ruckus, Cisco, HP, Intel, Broadcom and Qualcomm have signaled their intention to support the new standard.
The upgrade is long overdue.
WPA3 is the first security protocol update in 14 years. In that period, Wi-Fi usage has grown by leaps and bounds. Wi-Fi now moves more than half of all Internet traffic, and it has helped make mobile the primary digital platform for business users in the U.S.
This shift has also introduced greater risk. As a broadcast technology, wireless is much more susceptible to unauthorized access compared to a wired connection. In a recent Spiceworks poll, 92 percent of IT security professionals say they are concerned about security vulnerabilities associated with the use of Wi-Fi networks.
The update has been in the works for some time, but the process gained urgency following last year’s discovery of a flaw in the WPA2 protocol that can potentially enable an attacker to see, decrypt, or even manipulate data on the network. Known as KRACK (Key Reinstallation Attack), the flaw allows attackers to interfere with the initial “handshake” between a device and Wi-Fi router, creating an opening to conduct man-in-the-middle attacks that could expose a wealth of sensitive information.
WPA3 features a new handshake authentication process that can’t be compromised by KRACK. The new process, known as the Simultaneous Authentication of Equals (SAE), uses a much more secure key establishment protocol, which provides stronger protections against brute-force password cracking attempts by third parties.
WPA3 also has much stronger encryption. While WPA2 requires a 64-bit or 128-bit encryption key, WPA3 uses 192-bit encryption. Additionally, WPA3 is aligned with the Commercial National Security Algorithm (CNSA) Suite, which delivers the robust levels of security typically used in industrial, military and government applications.
The revised standards also seek to improve security when connecting through public Wi-Fi hotspots in airports, restaurants and hotels. WPA3 supports Opportunistic Wireless Encryption (OWE), an existing standard that encrypts every connection between a device and an access point with a unique key, without the need for additional credentials. Even if hackers manage to intercept data packets, they won’t be able to decrypt the master key.
The WPA3 standard is not yet mandatory, so wireless devices will maintain interoperability with WPA2 through a transitional period of several years. During the transition period, you can still boost security by applying patches that fix the KRACK vulnerability, and by rolling out regular software updates and patches for all wireless devices — including employee-owned devices. However, all organizations should start planning now to eventually upgrade to devices that support WPA3.
