Wi-Fi has become so integrated into our personal and professional lives that we can’t imagine life without it. Naturally, its broad accessibility also makes it an attractive target for cybercriminals.
After more than a decade of using the same Wi-Fi security standards (WPA2), more than 500 000 routers around the world were breached this year by hackers using malware dubbed “VPNFilter”, which originated from Russia. The malware is capable of stealing credentials, damaging devices and redirecting traffic while downgrading security protection.
Where there is connection, there is vulnerability. And core to Wi-Fi’s vulnerability is that connected devices share implicit trust. This means that connected devices automatically transmit their data to each other immediately upon recognition without first running any malware detection tests.
Inadequate Wi-Fi protection poses a dangerous threat, especially with the rise of Internet of Things (IoT) devices and ever-connected, ever-consuming users (and devices) demanding Wi-Fi everywhere. The amount of information exchanged is staggering and will continue to grow as more businesses move to wireless environments and governments leverage the promise of Wi-Fi as a key enabler for smarter cities and connected citizens.
The Wi-Fi Alliance, a group of companies certifying devices capable of data transmission over Wi-Fi, recently updated the commonly implemented security protocol for Wi-Fi-enabled devices with the introduction of WPA3. This new suite of protocols and technologies provides the latest in authentication and encryption for Wi-Fi network protection.
WPA3 is now available for release in products and extends to IoT solutions that traverse Wi-Fi networks. There are two deployment models, personal and enterprise, which come with a related security set called Easy Connect.
Enterprise and personal
WPA3-Enterprise offers extra protection for networks transmitting sensitive data, such as those used by governments and financial institutions, by ensuring that a consistent combination of cryptographic tools is used to secure the network.
WPA3-Personal has password-based authentication that’s more resilient than WPA2 — even when users choose passwords that don’t meet common complexity recommendations.
While WPA3-Personal and WPA3-Enterprise will see primary deployment for devices such as laptops, tablets and smartphones, IoT devices get their own new security with Easy Connect. The new Wi-Fi Easy Connect protocol is explicitly designed to support WPA3 networks with the new breed of IoT devices in mind — devices that have limited or no user interface display at all.
WPA3 also promises to improve security for open networks, such as guest or customer networks in coffee shops, airports and hotels. Although the standard does not appear to protect against a rogue access point, it should prevent passive nearby attackers from being able to monitor communication in the air. Rogue access points pop up on your device’s network menu with labels that look like what you’d expect to see when trying to gain access to a system in a public or semi-public space, but are in fact simple, cheap devices that are improperly installed on the network.
WPA3 supports password-free encryption between stations and access points, but it does not seem to provide a way for devices to distinguish legitimate access points from rogue ones. This remains a risk unless the right kind of protocols are properly established to identify rogue access points.
The first big new feature in WPA3 is protection against offline password-guessing attacks. In such an attack, the attacker captures data from your Wi-Fi stream, takes it back to a private computer and uses software to guess passwords over and over again until one matches (a brute-force attack). With WPA3, attackers should only be able to make a single guess against that offline data before it becomes useless; instead, they’ll have to interact with the live Wi-Fi device every time they want to make a guess.
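An added example, not part of the original article: it derives the WPA2-Personal key as the standard defines it (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and compares how long a password policy holds out when guesses can be tested offline versus when every guess needs the live access point. The two guess rates, the SSID and the sample policies are assumptions chosen for illustration.

```python
import hashlib
import time

SECONDS_PER_DAY = 86_400

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length

def days_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second / SECONDS_PER_DAY

def local_guess_rate(samples: int = 5) -> float:
    """Measure how many PMK derivations per second this machine's CPU manages."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"constructed-sample-{i}", "ExampleSSID")  # constructed inputs
    return samples / (time.perf_counter() - start)

# Assumed rates, for illustration only (not figures from the article):
OFFLINE_RATE = 500_000.0  # guesses/s on an attacker's own hardware
ONLINE_RATE = 1.0         # guesses/s when each guess must reach the live AP

def compare(alphabet_size: int, length: int) -> dict:
    """Exposure of one password policy under offline vs. live-only guessing."""
    n = keyspace(alphabet_size, length)
    return {
        "candidates": n,
        "offline_days": days_to_exhaust(n, OFFLINE_RATE),
        "online_days": days_to_exhaust(n, ONLINE_RATE),
    }

if __name__ == "__main__":
    print(f"this CPU: {local_guess_rate():.0f} PMK derivations/s")
    policies = [("8 digits", 10, 8), ("8 lowercase", 26, 8),
                ("12 mixed-case alphanumeric", 62, 12)]
    for label, alphabet, length in policies:
        r = compare(alphabet, length)
        print(f"{label}: offline {r['offline_days']:.3g} days, "
              f"live-only {r['online_days']:.3g} days")
```

Because the derived key depends only on the passphrase and the SSID, the same guess always yields the same key under WPA2, which is what lets guesses be checked away from the network.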
While the Wi-Fi Alliance currently does not mandate a WPA3 certification for all new devices, its adoption is expected to accelerate by late 2019, and WPA3 could soon become a prerequisite for Wi-Fi certification. While it will take a while for WPA3 to be rolled out fully, the important thing is that the transition process is beginning. This means safer, more secure Wi-Fi networks in the future.
- Emmanuelle Salon is executive head of the Wi-Fi business unit at Internet Solutions