There are more Wi-Fi devices in active use around the world—roughly 9 billion—than there are human beings. That ubiquity makes protecting Wi-Fi from hackers one of the most important tasks in cybersecurity. Which is why the arrival of next-generation wireless security protocol WPA3 deserves your attention: Not only is it going to keep Wi-Fi connections safer, but also it will help save you from your own security shortcomings.
It’ll take time before you can enjoy the full benefits of WPA3; the Wi-Fi Alliance, a trade group that oversees the standard, is releasing full details today but doesn’t expect broad implementation until late 2019 at the earliest. In the course that WPA3 charts for Wi-Fi, though, security experts see critical, long-overdue improvements to a technology you use more than almost any other.
“If you ask virtually any security person, they’ll say don’t use Wi-Fi, or if you do, immediately throw a VPN connection on top of it,” says Bob Rudis, chief data officer at security firm Rapid 7. “Now, Wi-Fi becomes something where we can say hey, if the place you’re going to uses WPA3 and your device uses WPA3, you can pretty much use Wi-Fi in that location.”
Start with how WPA3 will protect you at home. Specifically, it’ll mitigate the damage that might stem from your lazy passwords.
A fundamental weakness of WPA2, the current wireless security protocol that dates back to 2004, is that it lets hackers deploy a so-called offline dictionary attack to guess your password. An attacker can take as many shots as they want at guessing your credentials without being on the same network, cycling through the entire dictionary—and beyond—in relatively short order.
“Let’s say that I’m trying to communicate with somebody, and you want to be able to eavesdrop on what we’re saying. In an offline attack, you can either passively stand there and capture an exchange, or maybe interact with me once. And then you can leave, you can go somewhere else, you can spin up a bunch of cloud computing services and you can try a brute-force dictionary attack without ever interacting with me again, until you figure out my password,” says Kevin Robinson, a Wi-Fi Alliance executive.
This kind of attack does have limitations. “If you pick a password that’s 16 characters or 30 characters in length, there’s just no way, we’re just not going to crack it,” says Joshua Wright, a senior technical analyst with information security company Counter Hack. Chances are, though, you didn’t pick that kind of password. “The problem is really consumers who don’t know better, where their home password is their first initial and the name of their favorite car.”
If that sounds familiar, please change your password immediately. In the meantime, WPA3 will protect against dictionary attacks by implementing a new key exchange protocol. WPA2 used an imperfect four-way handshake between clients and access points to enable encrypted connections; it’s what was behind the notorious KRACK vulnerability that impacted basically ever connected device. WPA3 will ditch that in favor of the more secure—and widely vetted—Simultaneous Authentication of Equals handshake.
There are plenty of technical differences, but the upshot for you is twofold. First, those dictionary attacks? They’re essentially done. “In this new scenario, every single time that you want to take a guess at the password, to try to get into the conversation, you have to interact with me,” says Robinson. “You get one guess each time.” Which means that even if you use your pet’s name as your Wi-Fi password, hackers will be much less likely to take the time to crack it.
The other benefit comes in the event that your password gets compromised nonetheless. With this new handshake, WPA3 supports forward secrecy, meaning that any traffic that came across your transom before an outsider gained access will remain encrypted. With WPA2, they can decrypt old traffic as well.
When WPA2 came along in 2004, the Internet of Things had not yet become anything close to the all-consuming security horror that is its present-day hallmark. No wonder, then, that WPA2 offered no streamlined way to safely onboard these devices to an existing Wi-Fi network. And in fact, the predominant method by which that process happens today—Wi-Fi Protected Setup—has had known vulnerabilities since 2011. WPA3 provides a fix.
Wi-Fi Easy Connect, as the Wi-Fi Alliance calls it, makes it easier to get wireless devices that have no (or limited) screen or input mechanism onto your network. When enabled, you’ll simply use your smartphone to scan a QR code on your router, then scan a QR code on your printer or speaker or other IoT device, and you’re set—they’re securely connected. With the QR code method, you’re using public key-based encryption to onboard devices that currently largely lack a simple, secure method to do so.
“Right now it’s really hard to deploy IoT things fairly securely. The reality is they have no screen, they have no display,” says Rudis. Wi-Fi Easy Connect obviates that issue. “With WPA3, it’s automatically connecting to a secure, closed network. And it’s going to have the ability to lock in those credentials so that it’s a lot easier to get a lot more IoT devices rolled out in a secure manner.”
Here again, Wi-Fi Easy Connect’s neatest trick is in its ease of use. It’s not just safe; it’s impossible to screw up.
That trend plays out also with Wi-Fi Enhanced Open, which the Wi-Fi Alliance detailed a few weeks before. You’ve probably heard that you should avoid doing any sensitive browsing or data entry on public Wi-Fi networks. That’s because with WPA2, anyone on the same public network as you can observe your activity, and target you with intrusions like man-in-the-middle attacks or traffic sniffing. On WPA3? Not so much. When you log onto a coffee shop’s WPA3 Wi-Fi with a WPA3 device, your connection will automatically be encrypted without the need for additional credentials. It does so using an established standard called Opportunistic Wireless Encryption.
“By default, WPA3 is going to be fully encrypted from the minute that you begin to do anything with regards to getting on the wireless network,” according to Rudis. “That’s fundamentally huge.”
As with the password protections, WPA3’s expanded encryption for public networks also keeps Wi-Fi users safe from a vulnerability they may not realize exists in the first place. In fact, if anything it might make Wi-Fi users feel too secure.
“The heart is in the right place, but it doesn’t stop the attack,” says Wright. “It’s a partial solution. My concern is that consumers think they have this automatic encryption mechanism because of WPA3, but it’s not guaranteed. An attacker can impersonate the access point, and then turn that feature off.”
Even with the added technical details, talking about WPA3 feels almost still premature. While major manufacturers like Qualcomm already have committed to its implementation as early as this summer, to take full advantage of WPA3’s many upgrades, the entire ecosystem needs to embrace it.
That’ll happen in time, just as it did with WPA2. And the Wi-Fi Alliance’s Robinson says that backward interoperability with WPA2 will ensure that some added security benefits will be available as soon as the devices themselves are. “Even at the very beginning, when a user has a mix of device capabilities, if they get a network with WPA3 in it, they can immediately turn on a transitional mode. Any of their WPA3-capable devices will get the benefits of WPA3, and the legacy WPA2 devices can continue to connect,” Robinson says.
Lurking inside that assurance, though, is the reality that WPA3 will come at a literal cost. “The gotcha is that everyone’s got to buy a new everything,” says Rudis. “But at least it’s setting the framework for a much more secure setup than what we’ve got now.”
Just as importantly, that framework mostly relies on solutions that security researchers already have had a chance to poke and prod for holes. That hasn’t always been the case.
“Five years ago the Wi-Fi Alliance was creating its own protocols in secrecy, not disclosing the details, and then it turns out some of them have problems,” says Wright. “Now, they’re more adopting known and tested and vetted protocols that we have a lot more confidence in, and they’re not trying to hide the details of the system.”
Which makes sense. When you’re securing one of the most widely used technologies on Earth, you don’t want to leave anything to chance.