New WiFi standard may not be all it’s cracked up to be

While the new WPA3 security protocol for WiFi-enabled devices has been widely welcomed – and for good reason – there are concerns that it may not go far enough to protect users.

Following the discovery of a serious flaw in its predecessor, WPA2, last year, WPA3 has arrived with new features designed to simplify WiFi security, tighten up authentication, and improve cryptographic strength.

Edgar Figueroa, president and CEO of the Wi-Fi Alliance described the state-of-the-art security standard as delivering “the industry’s strongest protections” at its launch at the end of June.

However, some are questioning whether the new protocol is all that it’s cracked up to be.

Mathy Vanhoef, a security expert at Belgium’s KU Leuven university, points out that initial announcements promised four major features: an improved handshake called Dragonfly, an easy method to securely add new devices to a network, some basic protection when using open hotspots, and increased key sizes.

In the event, though, only the handshake is specified.

“The Wi-Fi Alliance missed an opportunity to truly improve the security of WiFi networks,” Vanhoef said in his recent analysis of WPA3.

“While this handshake is an improvement over the old four-way handshake of WPA2, they could have done a lot more.

“As a result, the WPA3 certification program is a missed opportunity that could have truly improved WiFi security.”

However, there is hope. Speaking to The Daily Swig earlier this week, Vanhoef said that in practice, many vendors will move to include the other features anyway.

“I know of at least one vendor that will implement Wi-Fi Enhanced Open – better security for open hotspots,” he said. “I hope other companies will also implement these enhancements, but only time will tell.”
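For readers who run their own access points, the following hostapd configuration is an added example (not from the article, nor from any vendor quoted in it) of what “implementing these enhancements” looks like in practice: a WPA3-Personal network using the SAE (Dragonfly) handshake with protected management frames required, a WPA2/WPA3 transition network for clients that cannot be updated, and an Enhanced Open (OWE) network in place of a plain open hotspot. The interface name, SSIDs, passphrase and BSSID are placeholders; the option names are standard hostapd parameters.

```ini
# Added example configuration for hostapd (placeholder names and values).
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# --- WPA3-Personal only: SAE handshake, management-frame protection mandatory ---
ssid=example-wpa3
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=example-passphrase-change-me
ieee80211w=2           # 2 = PMF required (WPA3 requires it)
sae_require_mfp=1      # reject SAE clients that do not negotiate PMF

# --- WPA2/WPA3 transition mode for a fleet that still has un-updatable clients ---
# Legacy clients authenticate with WPA2-PSK; WPA3-capable clients use SAE.
bss=wlan0_1
ssid=example-mixed
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
wpa_passphrase=example-passphrase-change-me
sae_password=example-passphrase-change-me
ieee80211w=1           # 1 = PMF optional, so WPA2-only clients can still join

# --- Wi-Fi Enhanced Open (OWE) instead of an unencrypted hotspot ---
bss=wlan0_2
ssid=example-owe
wpa=2
wpa_key_mgmt=OWE
rsn_pairwise=CCMP
ieee80211w=2
```

The transition network is the practical compromise: it keeps the old four-way handshake alive for clients that will never support WPA3, which is exactly the part of the problem the article goes on to describe, so it should be treated as a migration step rather than an end state. A client can confirm which mode it negotiated from the AKM suite reported in its scan results (SAE or OWE rather than PSK).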

But even when vendors do support the new security features, there’s still the issue of updating all the devices that are out there already.

“Enterprise networks at large corporations may have millions of wireless devices, thousands of which are easy to overlook,” Chris Schmidt, senior manager of research at Synopsys’ Software Integrity Group, told The Daily Swig.

“Patching and updating the firmware on all those devices will take time and there’s a high degree of likelihood that some will be missed.

“The second part of the problem is actually updating those devices. Some devices allow over-the-air updates, some devices allow you to hardwire a computer to the device to update its firmware, and some devices have no way to update the firmware at all.”

As a member of the Wi-Fi Alliance, US networking giant Cisco Systems says it’s committed to integrating WPA3 features into its Aironet Access Points and Wireless Controllers.

“We believe securing WiFi is not an event, but an ongoing process, and we are looking forward to working with our customers to integrate these new features into our technology standards and ensuring that they are able to reap the benefits of a connected world,” David Goff, head of Cisco’s enterprise networks, told The Daily Swig.

However, as Schmidt points out, this ongoing process could take a while.

“There are just too many wireless clients today that will require updates to support the new protocol, and a significant percentage of those devices may never be able to support the new standard,” he said.

“While the move to WPA3 is good and illustrates a secure design, it will be a while before the effects of the new, more secure wireless authentication protocol are truly felt.”