Wi-Fi Protected Access II, commonly known as WPA2, has been the standard for securing wireless networks for over a decade, but cracks are starting to show. The industry is now getting ready for its successor and we might see it in new devices this year.
WPA3 will simplify Wi-Fi configuration while providing improved security and data encryption, announced the Wi-Fi Alliance, a standards organization whose members include Apple, Microsoft, Intel, Samsung, Cisco and other major technology companies.
One notable feature of the new standard is that it will protect Wi-Fi connections even when users choose a weak password that "falls short of typical complexity recommendations." This means it will likely include defenses against brute-force dictionary-based attacks, one of the most common methods of breaking into wireless networks.
There aren't any technical details available for WPA3 because the technical specification hasn't been published yet. However, Mathy Vanhoef, an academic researcher from the University of Leuven, believes that the brute-force protection in WPA3 will be achieved by switching to a new key exchange protocol called Simultaneous Authentication of Equals (SAE), or Dragonfly.
A few months ago, Vanhoef found a serious weakness in the four-way handshake of the WPA2 protocol, which is used by clients who know a Wi-Fi network’s pre-shared key (password) to negotiate an encryption key with the access point. There are patches to mitigate Vanhoef's attack, dubbed KRACK, but it wouldn’t be surprising if the Wi-Fi Alliance opted for a more robust key exchange mechanism in WPA2's successor.
"Linux's open source Wi-Fi client and access point already support the improved handshake," the researcher said on Twitter. "It just isn't used in practice. But hopefully that will change now."
WPA3 is also expected to encrypt connections on open Wi-Fi networks which, until now, offered no protection and privacy to users. According to Vanhoef, this might be achieved through a mechanism called Opportunistic Wireless Encryption.
Opportunistic encryption, which has also been proposed for other protocols, such as HTTP2, does not provide the same level of security and assurance as authenticated encryption, but is generally viewed as a better option than having no encryption at all.
Another announced WPA3 feature will allow users to more easily configure Wi-Fi connections for devices that don't have an LCD screen or other human input interface, such as sensors, IoT devices and even some printers. This will supposedly be done through a nearby device like a mobile phone, but there are no details yet about how exactly it will work.
Finally, WPA3 will include an 192-bit security option that's aligned with the U.S. Commercial National Security Algorithm (CNSA) Suite required for government and defense use.
The Wi-Fi Alliance will continue to improve WPA2, which is not going away anytime soon. But the organization will make WPA3 a requirement of its certification program later this year, so all new devices that want to have the "Wi-Fi Certified" mark will have to include support for it.
Having better Wi-Fi security is great, but a switch to WPA3 doesn't mean that other network and router security measures should be neglected. Many devices will be stuck with WPA2, which was considered very secure for a long time, until it wasn't.