The Consumer Electronics Show (CES) is an odd place to announce an enterprise product, but the Wi-Fi Alliance used the massive trade show — which has more or less taken over where Comdex left off — to announce a major upgrade to Wi-Fi security.
The alliance announced the Wi-Fi Protected Access 3 (WPA3), a new standard of Wi-Fi security that greatly increases the security capabilities of the wireless standard. WPA2, which is the current standard in wireless security, has been around for 14 years, so this is way overdue.
The update can’t come to market fast enough. Last fall, a major vulnerability in WPA2 and WPA called KRACK — for Key Reinstallation Attack — came to light. KRACK could allow attackers to snoop on encrypted data being transferred between computers and wireless access points.
4 enhancements in WPA3
There are four main enhancements to the standard, but the Alliance did not divulge technical details on how these will be implemented. The first is “robust protections” for people who use weak passwords, as well as protection against what are known as dictionary attacks to try and brute force the password.
Second, WPA3 aims to simplify the configuration process and security for devices with limited display interfaces. This will be ideal for sensors and Internet of Things (IoT) devices. You will be able to tap a smartphone against a device or sensor and then provision the device onto the network.
The third improvement is specifically for open Wi-Fi networks, such as those found in stores, restaurants, and coffee shops. WPA3 device will give every user individualized data encryption without the need to configure a network password. Again, details are lacking, but it should help allay some fears about employees working at a Starbucks.
Finally, WPA3 aims to deliver stronger security for government, defense, and industrial networks by complying with the Commercial National Security Algorithm (CNSA) Suite. CNSA is a 192-bit security protocol mandated for secure networks.
The Alliance expects products to ship later this year, and since its members include Apple, Cisco, Microsoft, and Qualcomm, they would know.
Update long due
WPA2 is the standard for security, and it isn’t terribly secure. You have KRACK, DEAUTH, and the general weakness of access points. Yet this is the standard for securing everything from your corporate network to the IoT.
It’s a darn shame it took this long to update. But as USB has proven, if you want to get nothing done, turn it over to an industry consortium. That’s where standards go to die because everyone wants their IP used so they make money off every sale. The end result is nothing gets done.