On October 16 of last year, the Wi-Fi Protected Access 2 protocol, known more commonly as the WPA2, fell out of favor after a long tenure as the standard wireless network security protocol. A serious vulnerability was revealed, effectively putting an end to the WPA2 era.
Now, with the new year freshly begun, the Wi-Fi Alliance® has announced a substitute for WPA2. It bears the name of WPA3. The announcement was made at the CES in Las Vegas. What changes will this new protocol bring about? And how will this problem (and its solution) affect businesses and end users?
WPA2 is no longer secure
As Mathy Vanhoef of the Key Reinstallation Attacks (KRACK) group said at the time, a series of errors in the core of the WPA2 protocol can expose Wi-Fi connections to attacks. This means that an attacker could access the network, as well as all traffic between every access point, through a newly discovered exploit.
The group designed a conceptual test demonstrating that breaking the security of WPA2 to access the network is not expensive or complex. This endangers virtually any modern Wi-Fi network, including the vast majority of corporate networks. Since the security breach was made public, several entities, including the Wi-Fi Alliance®, have worked to patch the problem as soon as possible.
What changes will the WPA3 bring?
According to its developers, four new features based on the principles of WPA2 (configuration, authentication, and encryption) will be added to WPA3. One of them will offer more robust protection even when users choose their own passwords and fail to comply with complexity recommendations.
Another feature is that it will simplify the security configuration process for devices that have a limited or no display interface.
A third will help strengthen user privacy in open networks through individualized data encryption. This could be done, according to some experts in the sector, through Opportunistic Wireless Encryption (OWE), a type of encryption without authentication.
Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm Suite (or CNSA) of the National Security Systems Committee, will further protect Wi-Fi networks with higher security requirements, such as those associated with Government, Defense, or industry.
Why is it more secure than WPA2?
WPA2 uses what is known as a four-way handshake, which guarantees that both users and access points use the same password when they join a Wi-Fi network. This same process is used by the exploit to access network traffic. However, WPA3 will use a new type of handshake, which will not be vulnerable to bruteforcing.
That, added to the new 192-bit security suite, in addition to using individualized encryption to secure the connection between each device on the network and the router, makes WPA3 the long-awaited solution. Even before the public appearance of vulnerability.
How does it affect companies?
The fact that WPA and WPA2 are present in virtually all Wi-Fi connections means that the vast majority of companies are affected by a serious vulnerability. Why? Because all existing Wi-Fi connections are susceptible to being accessed and spied on. This can be a critical problem for the company.
This also implies that 41% of Android devices, as reported last October, are vulnerable to a particularly “devastating” variant of the attack that exploits the vulnerability of WPA2. This makes them possible vectors to inject malicious code and perform all types of attacks, including ransomware, so the combination of Android devices plus WPA2 can be potentially harmful to the company’s network.
For the moment, the announcement of WPA3 is already out in the open, and we will soon see a massive adoption of this new protocol. Meanwhile, you can stay vigilant by controlling network traffic and avoiding wireless connections where possible — certainly a tall order in this hyper-connected digital age, but not impossible.