The Wi-Fi Alliance just announced WPA3, a Wi-Fi security standard that will replace WPA2. In a few years, when the laundry folding robots and smart fridges are forgotten, WPA3 will be everywhere making it harder for people to hack your Wi-Fi.
As of today, the Wi-Fi Alliance has started to certify new products that support WPA3, and a bunch of manufacturers are already on board. Qualcomm has started making chips for phones and tablets, Cisco announced upcoming support that might even include updating existing devices to support it, and virtually every other company has announced their support.
What Are WPA2 and WPA3?
“WPA” stands for Wi-Fi Protected Access. If you have a password on your home Wi-Fi, it probably protects your network using WPA2—that’s version two of the Wi-Fi Protected Access standard. There are older standards like WPA (also known as WPA1) and WEP, but they aren’t secure anymore.
WPA2 is a security standard that governs what happens when you connect to a closed Wi-Fi network using a password. WPA2 defines the protocol a router and Wi-Fi client devices use to perform the “handshake” that allows them to securely connect and how they communicate. Unlike the original WPA standard, WPA2 requires implementation of strong AES encryption that is much more difficult to crack. This encryption ensures that a Wi-Fi access point (like a router) and a Wi-Fi client (like a laptop or phone) can communicate wirelessly without their traffic being snooped on.
Technically, WPA2 and WPA3 are hardware certifications that device manufacturers must apply for. A device manufacturer must fully implement the required security features before being able to market their device as “Wi-Fi CERTIFIED™ WPA2™” or “Wi-Fi CERTIFIED™ WPA3™”.
The WPA2 standard has served us well, but it’s getting a little long long in the tooth. It debuted in 2004, fourteen years ago. WPA3 will improve on the WPA2 protocol with more security features.
How Does WPA3 Differ From WPA2?
The WPA3 standard adds four features not found in WPA2. Manufacturers must fully implement these four features to market their devices as “Wi-Fi CERTIFIED™ WPA3™”. We already know a broad outline of the features, although the Wi-Fi Alliance—the industry group that defines these standards—hasn’t yet explained them in deep technical detail.
Privacy on Public Wi-Fi Networks
Currently, open Wi-Fi networks—the kind you find in airports, hotels, coffee shops, and other public locations—are a security mess. Because they’re open and allow anyone to connect, traffic sent over them isn’t encrypted at all. It doesn’t matter whether you have to sign in on web page after you join the network—everything sent over the connection is sent in plain text that people can intercept. The rise of encrypted HTTPS connections on the web have improved things, but people could still see which websites you were connecting to and view the content of HTTP pages.
WPA3 fixes things by using “individualized data encryption”. When you connect to an open Wi-Fi network, the traffic between your device and the Wi-Fi access point will be encrypted, even though you didn’t enter a passphrase at the time of connection. This will make public, open Wi-Fi networks much more private. It will be impossible for people to snoop without actually cracking the encryption. This issue with public Wi-Fi hotspots should have been solved a long time ago, but at least it’s being fixed now.
Protection Against Brute-Force Attacks
When a device connects to a Wi-Fi access point, the devices perform a “handshake” that ensures you’ve used the correct passphrase to connect and negotiates the encryption that will be used to secure the connection. This handshake had proved vulnerable to the KRACK attack in 2017, although existing WPA2 devices could be fixed with software updates.
WPA3 defines a new handshake that “will deliver robust protections even when users choose passwords that fall short of typical complexity recommendations”. In other words, even if you’re using a weak password, the WPA3 standard will protect against brute-force attacks where a client attempts to guess at passwords over and over until they find the correct one. Mathy Vanhoef, the security researcher who discovered KRACK, appears very enthusiastic about the security improvements in WPA3.
An Easier Connection Process for Devices Without Displays
The world has changed a lot in fourteen years. Today, it’s common to see Wi-Fi-enabled devices without displays. Everything from the Amazon Echo and Google Home to smart outlets and light bulbs can connect to a Wi-Fi network. But it’s often obnoxious to connect these devices to a Wi-Fi network, as they don’t have screens or keyboards you can use to type in passwords. Connecting these devices frequently involves using a smartphone app to type your Wi-Fi passphrase (or connect to a second network temporarily), and everything is harder than it should be.
WPA3 includes a feature that promises to “simplify the process of configuring security for devices that have limited or no display interface”. It’s unclear exactly how this will work, but the feature could be a lot like today’s Wi-Fi Protected Setup feature, which involves pushing a button on the router to connect a device. Wi-Fi Protected Setup has some security problems of its own, and doesn’t simplify connecting devices without displays, so it will be interesting to see exactly how this feature works and how secure it is.
Higher Security for Government, Defense, and Industrial Applications
The final feature isn’t something that home users will care about, but the Wi-Fi Alliance also announced WPA3 will include a “192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems”. It’s intended for government, defense, and industrial applications.
The Committee on National Security Systems (CNSS) is part of the US National Security Agency, so this change adds a feature requested by the US government to allow stronger encryption on critical Wi-Fi networks.
When Will I Get It?
According to the Wi-Fi Alliance, devices supporting WPA3 will be released later in 2018. Qualcomm is already making chips for phones and tablets that supports WPA3, but it’ll take a while for them to be integrated into new devices. Devices must be certified for WPA3 to roll out these features—in other words, they must apply for and be granted the “Wi-Fi CERTIFIED™ WPA3™” mark—so you’ll likely start seeing this logo on new routers and other wireless devices beginning in late 2018.
The Wi-FI Alliance hasn’t announced anything about existing devices receiving WPA3 support yet, but we don’t expect that many devices will receive software or firmware updates to support WPA3. Device manufacturers could theoretically create software updates that add these features to existing routers and other Wi-Fi devices, but they’d have to go through the trouble of applying for and receiving WPA3 certification for their existing hardware before rolling out the update. Most manufacturers will likely spend their resources on developing new hardware devices instead.
Even when you get a WPA3-enabled router, you’ll need WPA3-compatible client devices—your laptop, phone, and anything else that connects to Wi-Fi—to fully take advantage of these new features. The good news is that the same router can accept both WPA2 and WPA3 connections at the same time. Even when WPA3 is widespread, expect a long transition period where some devices are connecting to your router with WPA2 and others are connecting with WPA3.
Once all your devices support WPA3, you could disable WPA2 connectivity on your router to improve security, the same way you might disable WPA and WEP connectivity and only allow WPA2 connections on your router today.
While it will take a while for WPA3 to fully roll out, the important thing is that the transition process is beginning in 2018. This means safer, more secure Wi-Fi networks in the future.
Image Credit: Casezy idea/Shutterstock.com.