The Wi-Fi Alliance today unveiled enhancements to Wi-Fi Protected Access 2 and previewed new technologies to further strengthen WiFi security, called WPA3.
The alliance's Wi-Fi Certified program is designed to ensure interoperability and security of WiFi equipment. The enhancements to WPA2, which debuted more than 10 years ago, will ensure that certified WiFi products continue to meet today's security challenges, Kevin Robinson, VP of marketing for the WiFi Alliance, said in an interview.
For example, to ensure WiFi networks are resilient, certification will require Protected Management Frames, a feature already supported by most current-generation WiFi access points. The alliance also is adding additional checks to reduce the risk of vulnerabilities from network misconfigurations, and also to provide standardized cryptographic suites starting at 128-bit security.
WPA3 will build on WPA2 by adding capabilities to address additional security scenarios, Robinson said. For instance, users are always told to choose complex passwords, but if they don't follow that advice, a new feature mitigates the risk by enabling the network to track every password guess and identify brute-force attacks.
Another new capability strengthens the privacy in open networks, say in a coffee shop with no password protection, by applying individualized data encryption. The feature involves use of opportunistic wireless encryption, which doesn't involve authentication, so someone sitting in the coffee shop can't just pull out a wireless sniffer and watch traffic on the WLAN, Robinson said. The security, which is transparent to the end user, increases privacy, but can't protect against active attacks like rogue APs, he added.
WPA3 also will simplify security configurations for devices with either limited or no display interface such door sensors and thermostats. That feature will enable users to easily provision those IoT devices using their smartphone, Robinson said. A final new security capability in WPA3 will provide 192-bit security for government, defense and industrial networks with higher security requirements.
Robinson said the alliance will provide more details on WPA3 later this year. "WPA2 will continue to be deployed in Wi-Fi Certified devices for the foreseeable future," he said.
WiFi expert Jason Hintersteiner, CWNE #171, said he's trying to learn more about the new security protections, but said the encryption features will likely require new chipsets.
"So I doubt that existing APs or client devices will be 'upgradable' to WPA3 with a firmware upgrade. The same was true for WPA vs. WPA2, as they utilized a completely different encryption algorithm (TKIP vs. AES)," Hintersteiner, founder and president of Imperial Network Solutions, said in an email. "Expect WPA2 and WPA3 to be co-existent for quite a while yet."
Last fall, the WiFi industry got a jolt when security researchers discovered vulnerabilities in WPA2, known as KRACK. Robinson said the Wi-Fi Alliance worked ahead of the disclosure to address the problem and made tools available to vendors to test their products. "If a user buys certified equipment, they don't have to worry about KRACK," he said.