In October 2017 security researchers published the details of a major weakness in the WPA2 WiFi protocol, called the Key Reinstallation AttaCK or KRACK. This allowed attackers to track traffic between devices and the router or access point. The security researchers noted that the “attack works against all modern protected WiFi networks”. As a result, many manufacturers released a patch that fixed this error. But still the WPA2 image and reputation was damaged and that is one of the reasons why the WiFi Alliance released the new WPA3 encryption.
Before looking at WPA3, it’s worth going back in time and examining the development of WiFi encryption. One of the first encryptions was WEP (Wired Equivalent Privacy). WEP could easily be broken by capturing packages intercepted in the air.
After this security flaw, the WPA protocol (Wi-Fi Protected Access) was created. Later WPA2 emerged with improvements in the encryption, and implementations such as the AES (Advanced Encryption Standard) that has the 48 bits of inherited encryption from the WPA plus the 128 bits of the new protocol. These improvements made it very safe. However, with the recently known errors, it is possible to violate it.
Here is a detail of the attacks that can be made to each of the encryptions:
- ARP Request Replay Attack
- Caffe-latte (so-called because the attack takes the same amount of time as it takes to make a coffee)
- P0841 attack
- Passive capture
- Brute Force (Dictionary / Combination of characters)
- Evil Twin Attack
- WPA with WPS
- Pin brute force
Changes of WPA3
This new encryption will have four new features, and will offer more robust protection to end users and companies. These four key characteristics are:
- Allow users to choose their own passwords even if they are not secure (but will still deliver protection against “dictionary” attacks)
- Simplify the configuration process
- Help strengthen the privacy of users in open networks, encrypting individualized data. This will be particularly helpful when using open networks, such as those we find in coffee shops or at airports.
- It will have a 192-bit security suite
Why is it more robust than WPA2?
In WPA2 networks, a handshake system was used when a device was connected to a wireless access point. This handshake can be stolen and subjected to a brute force attack, until the key is obtained. WPA3 offers a much more robust handshake that cannot be subject to brute force attacks.
When will I have WPA3 on my router?
The routers with this new encryption are already being marketed, but this does not mean that our home devices will have this encryption by magic; manufacturers are working on software updates so that we can implement them in our devices.
Most routers have a tab to upload new firmware and update them. In this case the manufacturers will be removing these security patches so that we can update our routers without needing to buy a new one.