It’s hard to believe that WPA2 has been with us now for nearly 14 years, and that it’s taken so long for a new standard to replace it, not too dissimilar from the transition from USB 2.0 to 3.0. For the most part, WPA2 has done its job. It’s been the predominant wireless encryption standard for billions of devices for over a decade, but the tech world has moved forward, and WPA2 is beginning to grow a bit long in the tooth.
Announced rather quietly back at CES 2018, the WPA3 wireless encryption standard was released to the public, and companies can now begin to design and certify products around it. Qualcomm, being one of the biggest mobile chipset and network component manufacturers in the world, is unsurprisingly announcing its support for the standard. Its modems and chipsets for wireless access points will need to be up to the task of supporting the new standard, most notably with the upcoming widespread adoption of the 802.11ax multi-gigabit wireless standard.
NETGEAR’s Nighthawk X4 features Qualcomm technologies
Of course, there is one question now picking away at your brain: what changes have been made to make the eventual switch over to WPA3 worth it? While the announcement from Qualcomm is expected, we need to go over some of the key points of WPA3 and what we expect to see in upcoming devices.
What is WPA3 and does it matter?
Wireless encryption is something that’s largely taken for granted. Because Wi-Fi is a broadcast-based network standard, anyone around you can pick up the radio transmissions from your device. Encryption isn’t used to hide nefarious activities, but to prevent people sitting next to you from checking your bank details or hijacking your shopping basket when you are sitting in a coffee shop.
Over the last two decades, the encryption used has changed as new technologies became available and as new ways of exploiting them came to pass. The transition from WEP to WPA, to WPA2 was rather swift, not only increasing the complexity and difficulty of the encryption, but also changing with demands on how wireless networks were used.
WPA2 has been pretty secure for a long time, and still is to some extent. While vulnerabilities have been found, most of them have been patched away – at least for devices that received updates. However, there were some more serious flaws with the design, and there are quality-of-life improvements that can be made to better reflect the modern wireless landscape.
Fixing the KRACK in the armor
One of the more recent exploits in the standard was something called KRACK, or key reinstallation attack, which effectively changes the key on a Wi-Fi protected device to something that’s easily decrypted, negating the encryption and allowing someone to see exactly what you are doing over the network. Most modern devices have had this vulnerability removed, as it’s something that can be patched through software, but there are still millions of devices open to the exploit, particularly older hardware.
WPA3 will have a much more robust handshake that should protect networks, even with weak passwords. Dictionary attacks will also be heavily stifled, as there are strict limits on password guessing. This difficulty is further compounded by individual device encryption, explained a little later.
Open but encrypted
One of the big criticisms of WPA2 related to how it handled open/public access networks. If you do not set a password on the network, there is no encryption, meaning anyone else on the network can see what you are doing over the network. This spurred the ongoing public service announcement to always enable password protection on wireless networks, even if the password is publicly available. While a public password allows for encryption and prevents snooping, it’s still not ideal.
WPA3 will enable something called Opportunistic Wireless Encryption (OWE), or individualized data encryption, meaning all data will always be encrypted on an individual device basis, even on open networks. No password will be required, but the connection will prevent others on the same network from snooping/eavesdropping on what you are doing. Moving forward, hotels, coffee shops, supermarkets, and airports won’t require passwords to use the free Wi-Fi – although we’d still recommend using a VPN to prevent other attack vectors and DNS redirects. Even password protected networks will have individual device protections, instead of sharing the same key across all devices.
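The difference between one shared key and per-device keys, sketched as an added example that is not from the original article or from any vendor. It assumes the standard WPA2-Personal key derivation (PBKDF2-HMAC-SHA1 over passphrase and SSID) and uses a deliberately tiny toy Diffie-Hellman group as a stand-in for the key exchange OWE performs; the SSID, passphrase and function names are constructed for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only (assumption: 2**127 - 1 is
# far too small for real use; OWE uses standardized elliptic-curve groups).
P = 2**127 - 1
G = 3

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: depends only on passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def dh_keypair():
    """Fresh private/public pair generated for a single association."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv: int, peer_pub: int) -> bytes:
    """Hash the Diffie-Hellman shared secret into a 32-byte key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def shared_password_keys(passphrase: str, ssid: str, n_clients: int):
    """Every client that knows the posted password derives the same key."""
    return [wpa2_pmk(passphrase, ssid) for _ in range(n_clients)]

def per_device_keys(n_clients: int):
    """Each client runs its own exchange with the AP: (client_key, ap_key) pairs."""
    pairs = []
    for _ in range(n_clients):
        c_priv, c_pub = dh_keypair()   # client side
        a_priv, a_pub = dh_keypair()   # access point side
        pairs.append((session_key(c_priv, a_pub), session_key(a_priv, c_pub)))
    return pairs

if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    psk = shared_password_keys("coffee-shop-guest", "CafeWiFi", 3)
    print("shared-password keys identical:", len(set(psk)) == 1)
    owe = per_device_keys(3)
    print("per-device keys agree with AP:", all(c == a for c, a in owe))
    print("per-device keys distinct:", len({c for c, _ in owe}) == 3)
```

The exchange is unauthenticated, so it stops passive eavesdropping by other clients but does not prove which access point you are talking to, which is why the VPN advice above still applies.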
No display, no problem
The last item of note relates to headless systems, or devices without displays. With the influx of IoT devices from home hubs, Amazon Echoes and all sorts of other network connected gadgets, getting them on the network can be rather difficult if there is no easily available input method or display confirmation to set passwords or figure out which of the 30-odd other networks that may be available is the right one (particularly hazardous for apartment blocks).
So far, most of these devices need some kind of direct link through a network or USB connection, or pairing up with a smartphone over Bluetooth to then configure the device to get on to a network. There have also been a number of one-touch setup systems like WPS, albeit with their own vulnerabilities. While no specifics have been outlined yet, WPA3 will likely use something like WPS, but a little more hardened to prevent connection spoofing.
Wrapping this all up is a change in the way WPA3 certification can be marketed. For any device to advertise support for WPA3, it must pass a very strict set of guidelines and verification process, to ensure that it complies with all required features and security measures.
Existing hardware and software may be compatible with WPA3 already, but will need to go through the same certification process as new devices, making it unlikely that such devices will be patched to make use of it, so this is largely going to be a feature of new products. Qualcomm’s announcement of its support will be the start of many devices entering the market over the coming years to support WPA3.
When will WPA3 become widespread?
Qualcomm will be incorporating WPA3 support into its flagship SoC for smartphones, the Snapdragon 845 that was announced a while ago, but won’t see a public release (i.e. in a device) until sometime in June this year. However, WPA3 will be a standard feature in all of Qualcomm’s Access Point platforms by July 2018. We’ve already started to see announcements for 802.11ax access points from CES, and we’re going to see more at Computex next month, but the products won’t likely ship until Q4.
The transition is going to be slow, as WPA3 is a point-to-point standard, so both the access point and the device connecting to it, like a smartphone or IoT device, will need to support WPA3 and go through the same certification processes. Fortunately, those same devices can still fall back on WPA2 encryption and coexist with WPA3 devices if so desired (although this can be disabled).
While encryption standards are not the most exciting topic when raw performance numbers are what people are interested in, WPA3 is still important and will result in better security and quality of life offered by the devices you purchase in the future. It’s also something worth keeping an eye on when you go hunting for a new wireless access point.