WPA3 Protection is Not Enough

If you have been following the wireless news, the big announcement last week was about a new protection protocol for WiFi called WPA3 that is going to be a huge leap forward for security on WiFi networks.  If you haven’t been following the big announcement, you’re in luck – because this will catch you up.

What is WPA3?

WPA3 is the third generation of wireless protection for WiFi routers.  WPA stands for Wi-Fi Protected Access. It’s the protocol and encryption that protects the wireless communication between your laptop or phone and the WiFi router.  Without it, anyone within range of your WiFi router can see what you are doing on the Internet.  So it’s really important to keep that communication protected.

Unfortunately, hackers have found ways to break this.  The original protection was called WEP (Wired Equivalent Privacy). It was quickly hacked due to the use of a static key. The first generation of WPA followed and was also hacked, and WPA2 became the standard.  WiFi users have enjoyed pretty good protection ever since. Well… until last year, when a new method called KRACK (Key Reinstallation AttACK) became known and demonstrated that WPA2 can also be compromised.  Companies such as ourselves have provided patches to plug this new crack in the WPA armor (pun intended), but there may be other vulnerabilities that can be exposed since the standard is more than 15 years old by now.

Luckily, the wizards at the WiFi Alliance (sounds like a group out of Star Wars) have been working on a new protection standard called WPA3.  They have known all along that WPA2 will not be enough with the runaway success of WiFi. Everything is now WiFi connected, from toothbrushes to refrigerators. So what does WPA3 do?  There are four areas of improvement over the existing WPA2:

  • First, the new protocol prevents brute force guessing of WiFi passwords by requiring additional action when a wrong password is used.
  • Second, each client now gets their very own master key to generate the encryption hash. So even if a hacker does get your WiFi password, they still can’t recreate the key that you use to communicate with the WiFi router.
  • Third, governments and companies can now use 192-bit encryption in enterprise mode. Those extra bits make it a lot harder to break the encryption.
  • Finally, there is an additional bootstrapping mode for all those connected gadgets that lack screens or keypads. Now they can use a smartphone to configure the SSID and password. This bootstrapping mode can be initiated with a public key transmitted in a QR code, NFC, or Bluetooth from the gadget.  Practically, you can use a smartphone to scan the QR code label on the gadget and have it configured to work with the WiFi router that supports WPA3.
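
Why the second point matters, as an added example (not code from the article or from any vendor): in WPA2-Personal the master key is derived from the passphrase and SSID alone, so it is the same for every client, while an exchange that mixes in per-session secrets gives each association its own key. The WPA3 side here is a simplified, unauthenticated Diffie-Hellman stand-in and not the real SAE handshake; the passphrase, SSID, MAC addresses and group parameters are constructed for illustration.

```python
import hashlib, hmac, secrets

def wpa2_pmk(passphrase, ssid):
    # WPA2-Personal: the master key is a pure function of passphrase + SSID,
    # so every client on the network (and anyone who knows the password) has it.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce, length=48):
    # 802.11 PRF (HMAC-SHA1). MACs and nonces are sent unencrypted in the handshake.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out, i = b"", 0
    while len(out) < length:
        msg = b"Pairwise key expansion\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
        i += 1
    return out[:length]

# Toy stand-in for the WPA3 exchange (NOT SAE/Dragonfly): ephemeral Diffie-Hellman.
P, G = 2**255 - 19, 2  # illustrative group parameters only (assumption)

def toy_keypair():
    priv = secrets.randbelow(P - 2) + 1   # never leaves the device
    return priv, pow(G, priv, P)          # public value is sent over the air

def toy_pmk(my_priv, peer_pub, passphrase):
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big") + passphrase.encode()).digest()

def compare(passphrase="correct horse battery", ssid="HomeNet"):  # constructed values
    ap, phone = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    # WPA2: anyone who knows the passphrase and recorded the phone's handshake
    # (MACs + nonces) recomputes exactly the session key the phone is using.
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    phone_ptk = wpa2_ptk(wpa2_pmk(passphrase, ssid), ap, phone, anonce, snonce)
    observer_ptk = wpa2_ptk(wpa2_pmk(passphrase, ssid), ap, phone, anonce, snonce)
    # Toy WPA3-style: every association uses fresh private values on both sides.
    ap_priv1, ap_pub1 = toy_keypair()
    ph_priv, ph_pub = toy_keypair()
    ap_priv2, ap_pub2 = toy_keypair()
    lp_priv, lp_pub = toy_keypair()
    phone_pmk = toy_pmk(ph_priv, ap_pub1, passphrase)
    laptop_pmk = toy_pmk(lp_priv, ap_pub2, passphrase)
    return {
        "wpa2_observer_recovers_session_key": observer_ptk == phone_ptk,
        "toy_ap_and_phone_agree": toy_pmk(ap_priv1, ph_pub, passphrase) == phone_pmk,
        "toy_pmk_differs_per_client": phone_pmk != laptop_pmk,
    }
```

Calling `compare()` returns three booleans: the first shows that the WPA2 session key depends only on the passphrase and values visible on the air, the other two that the toy exchange yields a matching but per-client master key.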

WPA3 is Not Enough

Now back to my contention that WPA3 is not enough – not because it’s not secure. WPA3 looks to be a great solution for years to come.  It’s not enough because hackers are using other methods to attack the WiFi network. The recent VPNFilter virus doesn’t take advantage of any of the WPA2 shortcomings.  Instead, the attack targets known vulnerabilities in the WiFi routers’ web interface, remote ports that are open with hard-coded passwords, software that is not updated, and vulnerable connected IoT devices.  WPA3 fixes none of these security issues.

Don’t get me wrong. WPA3 is great to have, but in a communication system there are multiple layers, and WPA3 only secures the basic wireless physical layer.  To ensure better security, we also need to secure the networking layers and the application layer. Traditional anti-virus software has been understood to handle the application layer protection, and it’s done a decent job.  But with the explosion of connected devices in homes and businesses, network layer protection is severely lacking in the industry.  Traditional routers let all traffic in and out with no regard to whether the traffic is malicious.

For devices like connected thermostats and smart TVs, there is no way to install anti-virus software.  All these devices are little computing devices, mostly running a version of the Linux OS, that can do great damage when used by a nefarious hacker.  Any compromised device compromises the entire network.  Because of this, network layer protection is not only a sensible layer of protection but more critical than ever as we add ever more connected gadgets in our homes.  Hence, WPA3 is just not enough.  But do upgrade when available…

 

About the Author

John Wu (Twitter: @johnwu71) is one of the inventors of the MiFi intelligent mobile hotspot and CEO and co-founder of Gryphon Online Safety, a company dedicated to protecting the connected family with Gryphon, the world’s first mesh WiFi router that uses machine learning to block malware from entering your network and protect kids from inappropriate content online.   Learn more about Gryphon at www.gryphonconnect.com

Srinivasu Naidu B

Manager, Information Security Engineering | Security Architecture Design | Cloud Security Architecture

6 years

This is really a good article, John. Since most people are unknowingly using basic passwords, many of the attacks were happening through brute-force password guessing and dictionary attacks. For sure this extra authentication will decrease the amount of exploitation.
