There’s been a fair amount of buzz around WPA3 since the Wi-Fi Alliance announced a new suite of security enhancements would be introduced for wireless client devices “later” in 2018.
You don’t have to search very hard to find pretty much the same coverage of the news across endless media outlets. The WPA3 announcement rather vaguely promises to bolster Wi-Fi security, mostly for consumer-grade Wi-Fi networks, by the following enhancements:
- Individualized data encryption: This feature will somehow provide security for users of now-open, non-password-protected public networks.
- Stronger encryption: Supposedly asked for by the US government, the addition of 192-bit encryption based on the Commercial National Security Algorithm (CNSA).
- IoT no-display devices: Right now, if I need to get a gadget like a Wi-Fi lightbulb onto my network, I need to use an app on my mobile device as middleware of sorts. WPA3 promises some undisclosed new and better method of getting these devices onto the WLAN.
- New protection when weak passwords are in use: If your network is set up with a wimpy password, somehow WPA3 promises to strengthen the ability to defend against attacks that target weak passwords.
This all sounds great at first pass. But as a 20-year veteran of the WLAN industry, I’m a little skeptical on a number of points. I’m not saying WPA3 won’t be good for the greater wireless landscape once more details emerge, but I think there are concerns that come along with WPA3.
The devil is in the details
Right now, we’re all in wait-and-see mode. The WPA3 feature set in some ways sounds too good to be true, and it will probably amount to that for many existing devices.
It’s a good bet that a huge swath of existing devices on both the router/access point and the client sides won’t be able to support WPA3, so hardware may need to be upgraded to get the new functionality. On the one hand, a phase-in period doesn’t seem unreasonable. But this is where we need to pause and consider the current state of the wireless client device space.
Quite frankly, this space has never been more fragmented when it comes to what features are supported by specific client devices. The same Wi-Fi Alliance that’s bringing us WPA3 has also left far too much in the way of “interoperability” to its member organizations, and each one of those member organizations is in the game for sales and profit.
The point? WPA3—at least for a significant period of time—will mean an already feature-fragmented client device space will only get messier.
Another aspect of WPA3 that doesn’t quite sit square with me is that the Wi-Fi Alliance has opted to focus on improving consumer-grade security, rather than trying to reconcile the fact that so many consumer gadgets are making their way into business WLAN environments.
In enterprise Wi-Fi, 802.1X security is the preference. Yet the Wi-Fi Alliance is doing little to close the gap between consumer and enterprise, and in some ways WPA3 only exacerbates this situation by hyping itself as a cure for a range of security issues while leaving old issues unaddressed.
Finally, at the risk of revealing myself to be a bit of a conspiracy theorist, I’m not so sure the Commercial National Security Algorithm (CNSA) isn’t a backdoor for government eavesdropping. There’s just too much afoot in this regard right now to ignore the possibility.
If CNSA is some sort of backdoor that only the government can leverage, and if it also increases the general effectiveness of Wi-Fi security, so be it. (Call me a kook on this if you’d like—I can take it.)
We just don’t know what we don’t know
Despite my less than warm assessment of WPA3, I’m actually hopeful that something good, practical, and achievable comes of it. Without details, it’s hard to know which parts of WPA3 are most likely to succeed.
It’s worth remembering that not so long ago, Hotspot 2.0 was the great hope for securing public Wi-Fi, and it really didn’t go very far. Hopefully WPA3 does better.
As for IoT devices, I’d like to think WPA3 might offer some hope for a brighter security future here—but not at the expense of making enterprise WLAN environments where IoT devices are used even messier than they are now.
Maybe if the Wi-Fi Alliance had offered more than promises with their WPA3 announcement, it would be easier to get a little more excited about it.