A new wireless standard is required
In a matter of very few years, the internet has established itself as a very powerful platform that has changed the way we communicate with each other, do business and operate. The internet has fast become the universal source of information for millions of people, whether at home, school or work. However, the means by which these millions of people are connected to the internet (if they're connected wirelessly) is inherently insecure. Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. But do these protocols ensure complete security? The answer is no. A host of tools is available to cybersecurity testers which, with a little application, can easily be used for ill.
WPA and WPA2 are old technologies and have been around for close to 15 years now. Clearly, they have various loopholes, are susceptible to attack and are fairly easy to crack.
WPA and WPA2 are vulnerable to attacks
There are various vulnerabilities in WPA2. The primary security vulnerability, however obscure, is serious. It requires the attacker to already have access to the secured Wi-Fi network in order to obtain certain keys and then perpetrate an attack against other devices on the network. The security implications of the known WPA2 vulnerabilities are limited almost entirely to enterprise-level networks, which is very risky for enterprises.
The biggest hole in WPA's armour, the attack vector through Wi-Fi Protected Setup (WPS), remains unresolved in modern WPA2. Although breaking into a WPA/WPA2-secured network using this vulnerability requires anywhere from 2-14 hours of sustained effort with a modern computer, it is still a legitimate security concern. That's not all: as you may recall, a serious weakness was discovered in WPA2 networks last year, which put the once-trusted security standard in a precarious position.
The security flaw was dubbed KRACK (Key Reinstallation Attack). The KRACK vulnerability directly affected the Wi-Fi protocol itself and not a specific product or implementation. It targeted the third step in the four-way authentication "handshake" performed when a Wi-Fi client attempts to connect to a protected network, and allowed an attacker to intercept data from a nearby Wi-Fi network, including passwords, photos, credit card information, private messages, emails and web activity. Basically, anything that's normally protected and encrypted by the WPA2 standard.
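A simplified model of the key reinstallation described above, as an added example that is not part of the original article: the `Supplicant` class, the HMAC-based keystream (a stand-in for the real WPA2 data cipher) and the sample frames are all constructed for illustration. It shows why a client that reinstalls an already-installed key when message 3 arrives again ends up reusing a nonce, and how refusing the reinstall prevents it.

```python
import hashlib
import hmac


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Toy stand-in for the data cipher: keystream depends only on (key, PN)."""
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


class Supplicant:
    """Simplified client side of the four-way handshake (model, not 802.11 code)."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.packet_number = 0
        self.nonces_used = []  # (key, PN) pairs, recorded so reuse can be detected

    def on_message3(self, session_key: bytes) -> None:
        # Patched behaviour: a repeated message 3 carrying the key that is
        # already installed must not reinstall it or reset the packet number.
        if self.patched and self.key == session_key:
            return
        self.key = session_key
        self.packet_number = 0

    def send(self, plaintext: bytes) -> bytes:
        self.packet_number += 1
        self.nonces_used.append((self.key, self.packet_number))
        ks = keystream(self.key, self.packet_number, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, ks))


def nonce_reused(patched: bool) -> bool:
    """One handshake in which message 3 arrives twice, between two data frames."""
    client = Supplicant(patched)
    key = hashlib.sha256(b"constructed session key").digest()
    client.on_message3(key)              # normal handshake step 3
    client.send(b"constructed frame A")
    client.on_message3(key)              # the same message 3 arrives again
    client.send(b"constructed frame B")
    return len(set(client.nonces_used)) < len(client.nonces_used)
```

`nonce_reused(patched=False)` returns `True` because both frames are encrypted under the same key and packet number, while `nonce_reused(patched=True)` returns `False`.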
The KRACK attack put the security of the WPA2 standard itself in question. Would there be any improvements to strengthen it? Would there be a new standard? These questions remained unanswered until the Wi-Fi Alliance, the non-profit body that defines and promotes the standards of Wi-Fi technology, recently unveiled the new WPA3 Wi-Fi security standard at CES in Las Vegas.
Building on the security advantages of WPA2, WPA3 was designed to not only eliminate KRACK-style attacks, but to also reduce the potential for weaknesses brought by bad configurations and weak passwords. WPA3 also aims to protect managed networks with a more centralized authentication system.
Since WPA3 is an entirely new standard and is meant to replace WPA2, users may have to buy new "WPA3 certified" equipment to take advantage of it.
New WPA3 security enhancements as announced by the Wi-Fi Alliance:
There are four main enhancements to the WPA3 standard.
1. “Robust protection against weak passwords.”
This enhancement is aimed at people who use weak passwords (for example, “password”), as well as at protection against what are known as dictionary attacks or brute-force attacks that can lock out a device after a number of unsuccessful attempts. This new feature in WPA3 aims to protect your network even when you decide to use a weak Wi-Fi password.
2. “Simplification of configuration process”
WPA3 aims to simplify the configuration process and, to do that, it offers security for devices with limited display interfaces. This will prove to be ideal for sensors and Internet of Things devices. With the simplified configuration, you will be able to tap a smartphone against a device or sensor and then provision the device onto the network.
3. “Individualised encryption for open networks”
This enhancement is specifically for public or open Wi-Fi networks, such as those in restaurants, stores and coffee shops. A WPA3 device will provide users with individualized data encryption, eliminating the need to configure a network password. This will prove to be a big privacy boost for open and public networks, since connected users won't be able to read each other's data once it is enabled.
4. “Compliance with CNSA”
Finally, WPA3 aims to deliver strong and robust security for government, defence, and industrial networks by complying with the Commercial National Security Algorithm (CNSA) Suite. CNSA is a 192-bit security protocol mandatory for secure networks. Encryption in WPA3 will be further strengthened with a 192-bit security suite.