Introducing WPA3, And How to Improve Wi-Fi Security
Love it or hate it, IT departments cannot prevent users from engaging with Wi-Fi networks; the convenience factor is simply too high. The IT security risks are real, however, whether your users are roaming – or using Wi-Fi where you have some control over internet security, such as the office space. It is also an evolving threat, with the gold standard of Wi-Fi security, WPA2, losing its shine. In this article, we discuss the next generation of Wi-Fi security, WPA3, and the measures you should currently be taking to boost your company’s Wi-Fi security.
Most IT security measures succumb to security flaws over time, and this has been the case for WPA2 as well. In major news towards the end of 2017, a critical flaw in WPA2 came to light. Using a technique called key reinstallation attack hackers were able to bypass security measures on WPA2 networks, which were previously seen as highly protective. Though patches are now widely available, it served to underline that WPA2 needs work.
WPA3, announced on 8 January 2018, aims to make WPA2 more robust and to adapt to the changes in the way Wi-Fi is used – including improving the ability to serve IoT devices with no screens. The exact details have not been published, but the Wi-Fi Alliance has suggested that four areas will see particular attention. These are:
Cellular data remains expensive, and public Wi-Fi is often just more convenient anyway. Yet many public Wi-Fi hotspots transmit data with no encryption whatsoever. Though websites are increasingly operating under SSL, it is still inadvisable to transmit data over an internet connection that is susceptible to eavesdropping. WPA3 intends on enabling individualized data encryption for Wi-Fi hotspots. That way, every user can enjoy their own encrypted data channel when they connect to a hotspot, removing the opportunity for eavesdropping.
Wi-Fi passwords can be cracked via brute force, where an intruder simply keeps trying to access a network by attempting passwords in a password dictionary. Teaching users to make use of unique and complex passwords as part of an IT security regime has never been easy, and WPA3 plans to make this less of an issue. With WPA3, repeated login attempts will be blocked, eliminating the opportunity for guessing a password by brute force.
Connectivity for devices without displays
How do you connect a device to a secure Wi-Fi network requiring a password when the device has no display? WPA3 plans to fix or at least improve this knotty IT security problem, but the details are scant at the moment. One option that has been voiced is that WPA3 will allow you to use a smartphone or laptop to configure security for an IoT device.
Optional 192-bit security
WPA3 will enable 192-bit encryption for networks and applications that are very sensitive, such as defence and government networks. This 192-bit capability will be aligned with the Commercial National Security Algorithm (CNSA) suite and will be of value where data security is of critical importance, and where potential attackers will be well-resourced and determined.
Wi-Fi security requires active management
WPA3 will move to improve many current issues, but it will be some time before Wi-Fi networks are broadly WPA3 compliant. Ongoing active management of Wi-Fi security is crucial, both before WPA3 – and after its implementation. It is worth looking at Wi-Fi security from two perspectives: the security employed on networks under your control, and the risks your users face when they roam on networks outside of your control.
When your users are on the road
Anyone with some knowledge of Wi-Fi vulnerabilities, such as an IT security officer or IT manager, will by default operate safely when roaming on public Wi-Fi networks. The same cannot be said for the average user, and off-site Wi-Fi security is mainly a user education issue. Points to address include:
- Using a VPN. An encrypted VPN tunnel will effectively prevent snooping, so your user won’t be reliant on functioning encryption on website and email servers for protection. It is the most important step to take when using public Wi-Fi.
- Bogus Wi-Fi. Users should be vigilant and not log in to any available Wi-Fi network. However, disguises can be clever and users cannot realistically be expected to distinguish between an SSID that states HotelWiFi and an SSID that states Hotel_WiFi, which is why VPN use is so important.
- File sharing and AirDrop. Any user using public Wi-Fi should disable file sharing on their Windows and MacOS device. Depending on your office IT infrastructure this may be tedious, but it is an important concern.
Security for in-office Wi-Fi
The ever-convenient Wi-Fi available in your office can be a real internet security risk and great care should be taken to eliminate the opportunity for successful intrusion. Wi-Fi network security is a complex topic, but it is important that at least some protective measures are taken, including:
- WPA2 enterprise mode. The enterprise mode of WPA2 is an invaluable protective measure as it forces every user to authenticate individually. There is a setup hurdle involved due to the need for a directory service, but companies simply cannot afford to connect single-password, personal-mode Wi-Fi access points to their networks.
- Physical security. Be cognizant of physical security too, exposed reset buttons on access points and unblocked Ethernet ports are risks that can easily be mitigated.
- Firmware. Internet security is very dependent on keeping the firmware up to date. For example, the recently discovered WPA2 flaw can and will be patched by many vendors, but in many cases, those patches need to be manually installed. This step should not be ignored.
WPA3 is set to provide fixes for many of the flaws in WPA2, reducing the huge security risk posed by Wi-Fi networks. With Norton’s 2017 Wi-Fi risk report suggesting that 60% of consumers feel that their personal information is secure when using a public Wi-Fi network, it is clear that pro-active measures are required to ensure security. WPA3 will go a long way, but IT managers and security experts need to play their part too.