The Wi-Fi Alliance has announced WPA3, a new standard of Wi-Fi security features for users and service providers. This is welcome news, given that a Wi-Fi exploit was uncovered late last year which affected all modern Wi-Fi networks using WPA or WPA2 security encryption, letting attackers eavesdrop on traffic between computers and wireless access points. The new WPA3 features will include “robust protection” when passwords are weak, and will also simplify security configurations for devices that have limited or no display interface.
“Wi-Fi security technologies may live for decades, so it’s important they are continually updated to ensure they meet the needs of the Wi-Fi industry,” said Joe Hoffman from consulting firm SAR Insight & Consulting in a statement. The Wi-Fi Alliance is made up of companies including Apple, Intel, and Microsoft. For those who work in coffee shops and often use public Wi-Fi, WPA3 will also have individualized data encryption that will strengthen privacy in open networks. While there aren’t further details about that tool, security researcher Mathy Vanhoef suggests that might refer to Opportunistic Wireless Encryption, or encryption without authentication.
WPA2 uses a four-way handshake that ensures the same password is being used by both clients and access points when they join a Wi-Fi network. Vanhoef told ZDNet that the WPA3 standard will use a new handshake, which won’t be vulnerable to dictionary attacks. Further, WPA3 will also feature a 192-bit security suite aligned with the Commercial National Security Algorithm (CNSA) Suite that will protect government, defense, and industrial networks that have higher security requirements. The new security features will be available later in 2018.
Hopefully, that’s the last major wireless security bug we see for a long while (WPA2 is now about 14 years old). To ensure enhanced security, the Wi-Fi Alliance is building four major features into WPA3:
- Robust protections even when users choose passwords that fall short of typical complexity recommendations.
- A simplified process of configuring security for devices that have limited or no display interface.
- Strengthened user privacy in open networks through individualized data encryption.
- A 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements such as those in use in government, defense, and industrial sectors.
If you’re buying a new router or other network equipment later this year, you’ll want to look out for WPA3 certification. Android Police notes that your existing hardware may not receive WPA3 firmware updates because of the certification requirement, but that will largely depend on whether manufacturers care to take the effort to secure the devices they’ve already sold.
