A new post after a long time.. Right! But do you know that this wait is much smaller than the wait of this new security release? WPA2 was introduced in 2004 and WPA3 is released two days ago. And this article will guide you about everything you should know about this new update. Don't worry if you don't know anything about the past, this will still be interesting.. Let's start.
In-Short: The Wi-Fi Alliance just announced WPA3 - a Wi-Fi security standard that will replace WPA2. Qualcomm has already started new making chips for phones and tablets which will support this WPA3, Cisco announced upcoming support that might even include updating existing devices to support it. And till now, every other company has announced their support to WPA3.
What is WPA2 and WPA3?
“WPA” stands for Wi-Fi Protected Access. It is a methodology used to connect to and communicate with the Wireless Access Point. Now that it is implemented by everyone, the most important service that it should provide is "security". And that is the main reason why WPA3 is released.
If you have a password on your home Wi-Fi, it probably protects your
network using WPA2—that’s version two of the Wi-Fi Protected Access
standard. Does it mean that you are vulnerable using the old version? You might be if you haven't updated to latest software implementing a patch for the vulnerability known as KRACK which lies in WPA2. But this attack is not going to work in WPA3.
Technically, WPA2 and WPA3 are hardware certifications that device
manufacturers must apply for. A device manufacturer must fully implement
the required security features before being able to market their device
as “Wi-Fi CERTIFIED™ WPA2™” or “Wi-Fi CERTIFIED™ WPA3™”.
What is new in WPA3?
WPA3 standard adds 4 new features to WPA2. Manufacturers must fully implement these four features to market their devices as “Wi-Fi CERTIFIED™ WPA3™”. The Wi-Fi Alliance group hasn't still revealed all the information about this standard, still we know what will it be.. (How? Reading past articles and and their official blog - then combining things together).
Privacy and Security on Public networks: Currently, open Wi-Fi networks, the kind you find in airports, hotels,
coffee shops, and other public locations, are a security mess. Because
they’re open and allow anyone to connect, traffic sent over them isn’t
encrypted at all. It doesn’t matter whether you have to sign in on web
page after you join the network - everything sent over the connection is
sent in plain text that people can intercept.
The rise of encrypted HTTPS connections on the web have improved
things, but people could still see which websites you were connecting to
and view the content of HTTP pages.
WPA3 fixes things by using “individualized data encryption”. When you
connect to an open Wi-Fi network, the traffic between your device and
the Wi-Fi access point will be encrypted, even though you didn’t enter a
passphrase at the time of connection. This will make public, open Wi-Fi
networks much more private. This is going to affect Hackers greatly. Recently, I was thinking of programming my own Network Hacking Toolkit (which will me available on GitHub) and am stuck at programming a MAC address changer. It may seem very easy but it isn't!. The next phase was implementing a network spoofer where I can see all the communications happening through the network to which I am connected. This was very easy till now and will be easy for some more time until the devices implement WPA3. Yes, this made harder for Hackers to spy on networks..
Protection against attacks (Bruteforce and KRACK): The KRACK attack hacked the key at the time of handshake between router and victim. Simultaneous Authentication of Equals (SAE) is a new method of authenticating a device trying to connect to a network in WPA3. A variation of the so-called dragonfly handshake that
uses cryptography to prevent an eavesdropper guessing a password,
SAE dictates exactly how a new device, or user, should “greet” a network
router when they exchange cryptographic keys.
Here's the past. WPA2 used PSK method - a 4 way handshake method when connecting to devices. It seemed secure until the attack known as KRACK came into existence. A KRACK interrupts the series of handshakes by pretending to temporarily
lose the connection to the router. In actuality, it is using the
repeated connection opportunities to analyze the handshakes until
it pieces together what the password must be.
SAE blocks this kind of
attack, as well as more common offline dictionary attacks, where a
computer churns through hundreds, thousands, or millions of passwords to
determine which password matches the verification information provided
by the PSK handshakes.
Easier connection for IoT devices: The world has changed a lot in fourteen years. Today, it’s common to see
Wi-Fi enabled devices without displays. Everything from the Amazon Echo and Google Home to smart outlets and light bulbs can connect to a Wi-Fi network. Every time you want to connect to such devices, you need to open up your android device (controller), disconnect the home network and connect to the IoT device network.
WPA3 contains a feature called "Easy Connect". Now, rather than enter passwords every time you want to add something to your network, devices will have unique QR codes—each
device’s code will function as a sort of public key. To add a device,
you scan the code using a smartphone already connected to the network.
Higher Security for Defense Applications: The final feature isn’t something that home users will care about, but
the Wi-Fi Alliance also announced WPA3 will include a “192-bit security
suite, aligned with the Commercial National Security Algorithm (CNSA)
Suite from the Committee on National Security Systems”. It’s intended
for government, defense, and industrial applications.
The Committee on National Security Systems (CNSS) is part of the US
National Security Agency, so this change adds a feature requested by the
US government to allow stronger encryption on critical Wi-Fi networks.
When will you get the Update?
According to the Wi-Fi Alliance, devices supporting WPA3 will be
released later in 2018. Qualcomm is already making chips for phones and
tablets that supports WPA3, but it’ll take a while for them to be
integrated into new devices.
The Wi-FI Alliance hasn’t announced anything about existing devices
receiving WPA3 support yet, but we don’t expect that many devices will
receive software or firmware updates to support WPA3. Device
manufacturers could theoretically create software updates that add these
features to existing routers and other Wi-Fi devices, but they’d have
to go through the trouble of applying for and receiving WPA3
certification for their existing hardware before rolling out the update.
Most manufacturers will likely spend their resources on developing new
hardware devices instead.
Even when you get a WPA3-enabled router, you’ll need WPA3-compatible client devices—your laptop, phone, and anything else that connects to Wi-Fi—to fully take advantage of these new features. This seems a kind of bad news, as you have to upgrade your hardware and software of buy a new one to get WPA3 working. But he good news is that the same router can accept both WPA2 and WPA3 connections at the same time. Hence, you can still use WPA2 after the release of WPA3.
