Wi-Fi Protocol update - WPA3 - More Security - Everything one needs to know

A new post after a long time.. Right! But do you know that this wait is much smaller than the wait of this new security release? WPA2 was introduced in 2004 and WPA3 is released two days ago. And this article will guide you about everything you should know about this new update. Don't worry if you don't know anything about the past, this will still be interesting.. Let's start.

In-Short: The Wi-Fi Alliance just announced WPA3 - a Wi-Fi security standard that will replace WPA2. Qualcomm has already started new making chips for phones and tablets which will support this WPA3, Cisco announced upcoming support that might even include updating existing devices to support it. And till now, every other company has announced their support to WPA3.

What is WPA2 and WPA3? 

“WPA” stands for Wi-Fi Protected Access. It is a methodology used to connect to and communicate with the Wireless Access Point. Now that it is implemented by everyone, the most important service that it should provide is "security". And that is the main reason why WPA3 is released.

If you have a password on your home Wi-Fi, it probably protects your network using WPA2—that’s version two of the Wi-Fi Protected Access standard. Does it mean that you are vulnerable using the old version? You might be if you haven't updated to latest software implementing a patch for the vulnerability known as KRACK which lies in WPA2. But this attack is not going to work in WPA3.

Technically, WPA2 and WPA3 are hardware certifications that device manufacturers must apply for. A device manufacturer must fully implement the required security features before being able to market their device as “Wi-Fi CERTIFIED™ WPA2™” or “Wi-Fi CERTIFIED™ WPA3™”.

What is new in WPA3?

WPA3 standard adds 4 new features to WPA2. Manufacturers must fully implement these four features to market their devices as “Wi-Fi CERTIFIED™ WPA3™”. The Wi-Fi Alliance group hasn't still revealed all the information about this standard, still we know what will it be.. (How? Reading past articles and and their official blog - then combining things together).

Privacy and Security on Public networks: Currently, open Wi-Fi networks, the kind you find in airports, hotels, coffee shops, and other public locations, are a security mess. Because they’re open and allow anyone to connect, traffic sent over them isn’t encrypted at all. It doesn’t matter whether you have to sign in on web page after you join the network - everything sent over the connection is sent in plain text that people can intercept. The rise of encrypted HTTPS connections on the web have improved things, but people could still see which websites you were connecting to and view the content of HTTP pages.

WPA3 fixes things by using “individualized data encryption”. When you connect to an open Wi-Fi network, the traffic between your device and the Wi-Fi access point will be encrypted, even though you didn’t enter a passphrase at the time of connection. This will make public, open Wi-Fi networks much more private. This is going to affect Hackers greatly. Recently, I was thinking of programming my own Network Hacking Toolkit (which will me available on GitHub) and am stuck at programming a MAC address changer. It may seem very easy but it isn't!. The next phase was implementing a network spoofer where I can see all the communications happening through the network to which I am connected. This was very easy till now and will be easy for some more time until the devices implement WPA3. Yes, this made harder for Hackers to spy on networks..

Protection against attacks (Bruteforce and KRACK): The KRACK attack hacked the key at the time of handshake between router and victim. Simultaneous Authentication of Equals (SAE) is a new method of authenticating a device trying to connect to a network in WPA3. A variation of the so-called dragonfly handshake that uses cryptography to prevent an eavesdropper guessing a password, SAE dictates exactly how a new device, or user, should “greet” a network router when they exchange cryptographic keys.

Here's the past. WPA2 used PSK method - a 4 way handshake method when connecting to devices. It seemed secure until the attack known as KRACK came into existence. A KRACK interrupts the series of handshakes by pretending to temporarily lose the connection to the router. In actuality, it is using the repeated connection opportunities to analyze the handshakes until it pieces together what the password must be.

SAE blocks this kind of attack, as well as more common offline dictionary attacks, where a computer churns through hundreds, thousands, or millions of passwords to determine which password matches the verification information provided by the PSK handshakes.

Easier connection for IoT devices: The world has changed a lot in fourteen years. Today, it’s common to see Wi-Fi enabled devices without displays. Everything from the Amazon Echo and Google Home to smart outlets and light bulbs can connect to a Wi-Fi network. Every time you want to connect to such devices, you need to open up your android device (controller), disconnect the home network and connect to the IoT device network.

WPA3 contains a feature called "Easy Connect". Now, rather than enter passwords every time you want to add something to your network, devices will have unique QR codes—each device’s code will function as a sort of public key. To add a device, you scan the code using a smartphone already connected to the network.

Higher Security for Defense Applications: The final feature isn’t something that home users will care about, but the Wi-Fi Alliance also announced WPA3 will include a “192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems”. It’s intended for government, defense, and industrial applications.

The Committee on National Security Systems (CNSS) is part of the US National Security Agency, so this change adds a feature requested by the US government to allow stronger encryption on critical Wi-Fi networks.

When will you get the Update? 

According to the Wi-Fi Alliance, devices supporting WPA3 will be released later in 2018. Qualcomm is already making chips for phones and tablets that supports WPA3, but it’ll take a while for them to be integrated into new devices.

The Wi-FI Alliance hasn’t announced anything about existing devices receiving WPA3 support yet, but we don’t expect that many devices will receive software or firmware updates to support WPA3. Device manufacturers could theoretically create software updates that add these features to existing routers and other Wi-Fi devices, but they’d have to go through the trouble of applying for and receiving WPA3 certification for their existing hardware before rolling out the update. Most manufacturers will likely spend their resources on developing new hardware devices instead.

Even when you get a WPA3-enabled router, you’ll need WPA3-compatible client devices—your laptop, phone, and anything else that connects to Wi-Fi—to fully take advantage of these new features. This seems a kind of bad news, as you have to upgrade your hardware and software of buy a new one to get WPA3 working. But he good news is that the same router can accept both WPA2 and WPA3 connections at the same time. Hence, you can still use WPA2 after the release of WPA3.