An Introduction to the New WPA3 Wi-Fi Security Standard

Feb 25, 2021 | #IoT

Table of Contents

  1. How Bad is the WPA2 Vulnerability?
  2. What Does WPA3 Offer?
  3. When Will WPA3 Be Available?

Wi-Fi router vendors traditionally recommended WPA2 security over older standards because, for over a decade, it was the hardened option that best protected a wireless network. In 2017, it was announced that WPA2 was vulnerable to the Key Reinstallation Attack (KRACK) and was no longer safe for wireless network connections. It was only a matter of time before WPA2 would fall to more powerful computer hacking systems, but after the announcement it was clear that a new security standard was needed. In early 2018, the Wi-Fi Alliance announced the new WPA3 security standard.

How Bad is the WPA2 Vulnerability?

If you currently use WPA2 and are able to update to the latest WPA3 standard, you should always choose the upgrade. Older devices might not be compatible, so check with the manufacturer before you switch to WPA3. Incompatible devices will not be able to connect.

First, the attack only affects Wi-Fi networks where the attacker can get close to the wireless router. They must be able to get a signal from the router, so this could be someone close to your home or at a free Wi-Fi hotspot at a commercial site. The biggest threat is to public Wi-Fi hotspots because these are the easiest to access without causing suspicion.

The vulnerability happens at the third step of the four-way handshake between a device and the Wi-Fi router. An attacker can reuse what should be a random number that is intended only for single use. This random number is used by the authentication protocol only once to ensure that old connections cannot get reused. By reusing this number, an attacker can gain access to a wireless connection and view encrypted data.
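Why a single-use number must never repeat under the same key, as an added example that is not part of the original article. It uses a toy HMAC-based keystream as a stand-in for the real Wi-Fi cipher; the key, frames, nonces and the `Sender` class are constructed for illustration.

```python
import hashlib
import hmac

def keystream(key, nonce, length):
    """Toy keystream: HMAC-SHA256(key, nonce || block index), a stand-in cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Sender:
    """Encrypts frames; by default refuses to use a nonce twice under one key."""
    def __init__(self, key, enforce_single_use=True):
        self.key, self.enforce, self.used = key, enforce_single_use, set()

    def encrypt(self, nonce, plaintext):
        if self.enforce and nonce in self.used:
            raise ValueError("nonce already used with this key")
        self.used.add(nonce)
        return xor(plaintext, keystream(self.key, nonce, len(plaintext)))

# Constructed sample data, not captured traffic.
KEY = b"constructed-session-key"
FRAME_A = b"GET /inbox HTTP/1.1"
FRAME_B = b"POST /login HTTP/1."
N1, N2 = b"\x00" * 5 + b"\x01", b"\x00" * 5 + b"\x02"

def leak_when_nonce_repeats():
    """Same nonce twice: XOR of the ciphertexts equals XOR of the plaintexts."""
    s = Sender(KEY, enforce_single_use=False)
    return xor(s.encrypt(N1, FRAME_A), s.encrypt(N1, FRAME_B)) == xor(FRAME_A, FRAME_B)

def leak_when_nonce_fresh():
    """Distinct nonces: the keystreams differ, so the plaintext XOR is not exposed."""
    s = Sender(KEY)
    return xor(s.encrypt(N1, FRAME_A), s.encrypt(N2, FRAME_B)) == xor(FRAME_A, FRAME_B)

def guard_rejects_reuse():
    """A sender that tracks used nonces raises instead of encrypting again."""
    s = Sender(KEY)
    s.encrypt(N1, FRAME_A)
    try:
        s.encrypt(N1, FRAME_B)
    except ValueError:
        return True
    return False
```

With a repeated nonce the key drops out of the comparison entirely, which is why the number is meant to be used only once.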

Using additional encryption methods such as HTTPS (SSL or TLS) adds an extra layer of security, and researchers believe that this data cannot be decrypted. However, they are still unsure whether SSL provides 100% defense against a KRACKed wireless network and advise users to use a VPN when working on public Wi-Fi networks. A VPN encrypts all data regardless of whether the protocol is HTTP or HTTPS, which protects against the WPA2 vulnerability.

Any unencrypted data is vulnerable to an attacker. Most of the web is moving towards total encryption between the web server and browser, but some smaller sites still use traditional HTTP. When you browse any of these sites or send any data to them, an attacker could eavesdrop and steal it.

What Does WPA3 Offer?

WPA3 changes the way users connect to Wi-Fi routers using Simultaneous Authentication of Equals (SAE). It replaces the old Pre-Shared Key (PSK) method, which is used by WPA2 in the connection handshake. SAE blocks both KRACK methods and any dictionary attacks. Hackers use dictionary attacks to run through thousands of words and phrases to guess a router password. Both KRACK and dictionary attacks are rendered useless with SAE.

With SAE, there is no four-way handshake. Instead, any device can be the requestor rather than the traditional user requesting access and the router authorizing it. When someone makes a request, authentication information is sent and access is either granted or denied.

Attackers would often grab data from an open Wi-Fi stream and bring that data home. By using brute-force and dictionary attacks, the hacker can run tools that crack a password and later use the discovered passcode to crack WPA2 on a target router. With SAE, the password changes with each new connection.

WPA2 uses 128-bit security, which is weak compared to the latest encryption standards. WPA2, introduced in 2004, has many outdated features. The new WPA3 standard uses 192-bit encryption. More bits mean an attacker needs additional time and computing power to crack it. Although 192-bit security is excessive for a small home network, it protects you from drive-by attackers that would otherwise spend their time next to your home cracking your network.

The Internet of Things (IoT) is changing the number of devices connected to a router. Ten years ago, you might have had a few computers and possibly a smartphone connected to your router. Now, you could have a dozen or more household IoT devices accessing the Internet from your router. WPA3 will support a new way to connect your devices to your network called Easy Connect. Easy Connect uses QR codes instead of requiring your devices to store a password to connect to the network. Scan a device’s QR code with your already-connected smartphone, and the new device gets access.

The final advantage is protection on open networks. When you connect to a public Wi-Fi hotspot, an attacker can sit passively and watch data as it passes through the network. With hundreds of connections in places such as airports and hotels, an attacker can collect massive amounts of data by just sitting comfortably nearby. Enhanced Open is another protocol that protects data from eavesdroppers on open networks.

Enhanced Open uses Opportunistic Wireless Encryption (OWE), which stops attackers from collecting data using eavesdropping tools. It doesn’t require any additional passwords to authenticate the user and should be seamless, just as HTTPS is only an extra letter in a URL and needs no extra configuration from the user.

When Will WPA3 Be Available?

It won’t be long before WPA3 is available on newly purchased routers. You might need an upgrade from your manufacturer on various devices to support the new security standards, so check with vendors before switching over. Just like current routers, you still have the option of using old Wi-Fi security standards, although it’s inadvisable.

You will need to buy a new router to accept WPA3, but this might not be the most affordable option. With a new router, you would still need to configure it and then change the settings on all of your devices, which can be tedious. If you decide to keep your current router, you should update your firmware. Router manufacturers provide a WPA2 firmware update to patch the vulnerability in the older security standard.
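One way to check which of the standards named in this article each network on an access point actually offers, as an added example that is not part of the original article. It assumes the access point is configured with hostapd and reads its `wpa` and `wpa_key_mgmt` settings; the sample configuration is constructed and trimmed to the relevant keys.

```python
PSK_AKMS = {"WPA-PSK", "WPA-PSK-SHA256"}  # pre-shared key methods

def parse_networks(conf_text):
    """Split hostapd.conf text into one dict per network; 'bss=' starts a new one."""
    networks = [{}]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bss":
            networks.append({})
        networks[-1][key] = value
    return networks

def classify(net):
    """Name the Wi-Fi security mode a network offers, in the article's terms."""
    if int(net.get("wpa", "0")) == 0:
        return "open, no encryption"
    # hostapd falls back to WPA-PSK when wpa_key_mgmt is not set.
    akms = set(net.get("wpa_key_mgmt", "WPA-PSK").split())
    if akms == {"OWE"}:
        return "Enhanced Open (OWE)"
    if "SAE" in akms:
        return "WPA3 transition (PSK still accepted)" if akms & PSK_AKMS else "WPA3 (SAE)"
    if akms & PSK_AKMS:
        return "WPA2 (PSK)"
    return "other: " + " ".join(sorted(akms))

def audit(conf_text):
    """Return (ssid, mode) for every network defined in the configuration."""
    return [(net.get("ssid", "?"), classify(net)) for net in parse_networks(conf_text)]

SAMPLE = """\
# constructed sample, not a real deployment
interface=wlan0
ssid=office-legacy
wpa=2
wpa_key_mgmt=WPA-PSK
bss=wlan0_1
ssid=office-wpa3
wpa=2
wpa_key_mgmt=SAE
bss=wlan0_2
ssid=guest
bss=wlan0_3
ssid=guest-owe
wpa=2
wpa_key_mgmt=OWE
"""
```

Calling `audit(SAMPLE)` lists each SSID with its mode, so networks that still accept the older pre-shared key method, or no encryption at all, stand out.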

About Us: Krasamo is a mobile-first digital services and consulting company focused on the Internet-of-Things and Digital Transformation.
