The Wi-Fi Alliance just released the WPA3 protocol announcement. It currently contains no specifications; it’s more ‘blah, we are working on it’, but I want to mention it anyway because I think it was about time. WPA2 is not fundamentally broken, but it has its known weaknesses.
The new standard of Wi-Fi security, which will be available for both personal and enterprise wireless devices later this year, offers improved security and privacy.
- WPA3 protocol strengthens user privacy in open networks through individualised data encryption.
- WPA3 protocol will also protect against brute-force dictionary attacks, preventing hackers from making multiple login attempts by using commonly used passwords.
- WPA3 protocol also offers simplified security for devices that often have no display for configuring security settings, i.e. IoT devices.
- Finally, there will be a 192-bit security suite for protecting WiFi users’ networks with higher security requirements, such as government, defence and industrial organisations.
Personally I think we definitely need some kind of mechanism to authenticate APs, right now we only have the SSID and MAC (filters), both of which are trivial to spoof. I’m not gonna say it’s easy but it’s weak against modern attacks.
There isn’t even any collision detection, nothing stopping you from giving your AP the same SSID as an already present AP, and clients will helpfully connect to whichever one has the strongest signal, which is probably going to be the rogue AP right next to you, rather than the actual Starbucks AP at the other end of the store. According to 802.11, APs with identical names are considered to be part of the same network, no questions asked.
I consider it a fundamental flaw of wifi, alongside the headache of WEP (“wired equivalent protection”), and the idiotic layout of channels in the 2.4GHz spectrum. The only way to use wifi as a consumer is with WPA2 (AES only, no TKIP), a randomly generated strong passkey, and all smart features (security holes such as WPS) turned way off. For any AP that you haven’t personally set up and vetted, and especially open public APs, a VPN connection is absolutely mandatory.
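The identical-SSID behaviour described above can at least be watched for from the operator's side. The following is an added example, not part of the original post: it models the "strongest signal wins" client choice and flags beacons that reuse a managed SSID without matching an inventory. The scan data, the `KNOWN` inventory and all function names are constructed for illustration.

```python
# Constructed scan results (not captured data): one entry per beacon seen.
SCAN = [
    {"ssid": "CoffeeShop", "bssid": "02:00:00:aa:00:01", "security": "WPA2-CCMP", "signal_dbm": -71},
    {"ssid": "CoffeeShop", "bssid": "02:00:00:aa:00:02", "security": "WPA2-CCMP", "signal_dbm": -78},
    {"ssid": "CoffeeShop", "bssid": "02:00:00:ff:00:09", "security": "OPEN", "signal_dbm": -38},
    {"ssid": "Neighbour", "bssid": "02:00:00:bb:00:01", "security": "WPA2-CCMP", "signal_dbm": -80},
]

# Hypothetical inventory of the APs the operator actually deployed.
KNOWN = {
    "CoffeeShop": {
        "bssids": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"},
        "security": "WPA2-CCMP",
    }
}


def naive_client_choice(scan, ssid):
    """Model the behaviour described above: same SSID, strongest signal wins."""
    candidates = [ap for ap in scan if ap["ssid"] == ssid]
    return max(candidates, key=lambda ap: ap["signal_dbm"])["bssid"] if candidates else None


def find_suspect_aps(scan, known):
    """Return (bssid, reasons) for beacons that reuse a managed SSID but differ from inventory.

    A matching BSSID is not proof of legitimacy, since MAC addresses can be
    spoofed; this only catches clones that differ in BSSID or security mode.
    """
    findings = []
    for ap in scan:
        expected = known.get(ap["ssid"])
        if expected is None:
            continue  # SSID is not one we manage; nothing to compare against
        reasons = []
        if ap["bssid"].lower() not in expected["bssids"]:
            reasons.append("unknown BSSID")
        if ap["security"] != expected["security"]:
            reasons.append("security mismatch")
        if reasons:
            findings.append((ap["bssid"], reasons))
    return findings


if __name__ == "__main__":
    print("client would join:", naive_client_choice(SCAN, "CoffeeShop"))
    for bssid, reasons in find_suspect_aps(SCAN, KNOWN):
        print("suspect:", bssid, ", ".join(reasons))
```

In the constructed data the beacon a naive client would join is also the only one the inventory check flags, which is the gap the post is complaining about.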
Whatever, forgive me my rant. I see the possible changes and chances as more positive than negative: let the old things die and replace them with something new and modern. Note that the IEEE controls the actual wireless specification as IEEE 802.11 and also specifies the actual encryption standards used during wireless transmission and reception, so I expect that it will take several months until we really see some specifications on paper.
The only sad fact is that you need to buy new devices (again), but I predict they aren’t expensive, since I assume only the crypto system will be replaced – but that’s only my speculation.