This week, Qualcomm announced that it would integrate WPA3 across its portfolio of mobile and networking products, including chipsets for routers, smartphones, tablets, and PCs. It’s the newest security suite from the Wi-Fi Alliance, the nonprofit organization that certifies Wi-Fi networking standards, and it’s the successor to WPA2, the security protocol compromised by the notorious Key Reinstallation Attack (KRACK) uncovered late last year.
But what does WPA3 mean in the context of home and public networks, and why is it important? Here’s everything you need to know.
What is WPA?
WPA, an acronym for Wi-Fi Protected Access, authenticates devices with a pre-shared key and encrypts their traffic using the Advanced Encryption Standard (AES). Specifically, it employs a four-way handshake to set up the encryption that prevents eavesdroppers from snooping on traffic passing between a Wi-Fi access point (like a router) and a Wi-Fi client (like a smartphone or laptop). Encryption prevents man-in-the-middle attacks that attempt to intercept data in transit.
But WPA2 isn’t perfect. Last October, security researchers uncovered KRACK, a vulnerability that interferes with the initial handshake between a device and Wi-Fi router in such a way that attackers can see, decrypt, and even manipulate data on the network.
Most newer phones, laptops, and Wi-Fi routers have received firmware updates containing patches for the KRACK exploit, but older devices are beholden to the whims of manufacturers. Some may never see a fix.
Enter the Wi-Fi Alliance’s solution: a new, modern protocol called WPA3.
Improved security for Internet of Things devices
Smart bulbs, wireless appliances, smart speakers, and other screen-free gadgets make everyday tasks just a little bit easier, but connecting them to Wi-Fi can be a Sisyphean task. WPA3 streamlines the process.
The Wi-Fi Alliance hasn’t outlined the specifics yet, but WPA3 is expected to support a one-touch setup system that’ll make devices without screens (think Internet of Things devices and smart speakers like Google Home and Amazon’s Echo) easier to connect. It’ll likely be akin to the existing Wi-Fi Protected Setup protocol, which involves pushing a button on the router to connect a device.
WPA3 supports a much stronger encryption algorithm than WPA2 — albeit one intended for industrial, defense, and government applications rather than homes and offices. Specifically, it includes a 192-bit security suite that’s aligned with the Commercial National Security Algorithm (CNSA) Suite, a feature requested by the Committee on National Security Systems (CNSS), a part of the U.S. National Security Agency.
Protection against brute force “dictionary” attacks
WPA3 implements a robust handshake that isn’t vulnerable to exploits like KRACK. It’s called the Dragonfly protocol (also referred to as the Simultaneous Authentication of Equals), and it hardens security at the time when the network key is exchanged between a device and the access point.
WPA3 also imposes strict limits on the number of times users can guess a network’s password. That means even networks with weak passcodes are much less likely to succumb to a dictionary attack, a brute-force method that works through a list of common words, number combinations, and phrases to generate candidate passwords.
Secure public Wi-Fi
If you’re wary of connecting to public hotspots in coffee shops and airports, you’ll be pleased to hear that the Wi-Fi Alliance is introducing Opportunistic Wireless Encryption (OWE), or individualized data encryption, which encrypts every connection between a device and the router with a unique key. Even if the access point doesn’t require a password, your device’s data won’t be exposed to the wider network.
When will WPA3 hit the mainstream?
As Qualcomm noted in its press release this week, it’s the first company to announce the implementation of WPA3. The company says it’ll incorporate support into its flagship system-on-chip for smartphones, the Snapdragon 845, in June, with Qualcomm’s Access Point platforms to follow in July.
According to the Wi-Fi Alliance, new devices supporting WPA3 will be released later in 2018, many of which will likely be announced at Computex in June. Manufacturers have to submit devices for approval, and those that pass muster receive a “Wi-Fi Certified WPA3” label.
WPA3-compatible clients are backward compatible with WPA2-compatible routers and vice versa, and WPA2 and WPA3 devices can coexist on the same network. However, legacy devices can’t take advantage of WPA3’s enhanced security protocols.
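Because WPA2 and WPA3 can share a network, a defender auditing an access point needs to know which modes it actually advertises. The following is an added example, not code from the article, Qualcomm, or the Wi-Fi Alliance: it parses the RSN element an access point places in its beacons and classifies the network as WPA2 only, mixed, WPA3 only, or OWE. It goes beyond the article by using the AKM selector values and capability bits from IEEE 802.11; the function names and sample bytes are constructed for illustration.

```python
import struct

# Added example. AKM suite types under the IEEE 802.11 OUI 00-0F-AC (subset).
AKM = {1: "802.1X", 2: "WPA2-PSK", 6: "WPA2-PSK-SHA256", 8: "WPA3-SAE",
       12: "WPA3-192bit", 18: "OWE"}
OUI = b"\x00\x0f\xac"
MFPR, MFPC = 0x0040, 0x0080  # RSN capability bits: PMF required / capable

def parse_rsn(ie: bytes) -> dict:
    """Parse an RSN element (ID 48); return advertised AKMs and PMF flags."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, off = ie[2:], 0

    def take(n):
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated RSN element")
        off += n
        return body[off - n:off]

    def suites():
        return [take(4) for _ in range(struct.unpack("<H", take(2))[0])]

    take(2 + 4)   # version, group cipher suite
    suites()      # pairwise cipher suites (not needed here)
    akms = [AKM.get(s[3], "unknown") if s[:3] == OUI else "vendor"
            for s in suites()]
    caps = struct.unpack("<H", take(2))[0] if off < len(body) else 0
    return {"akms": akms, "pmf_required": bool(caps & MFPR),
            "pmf_capable": bool(caps & MFPC)}

def classify(ie: bytes) -> str:
    """Map advertised AKMs to the modes the article describes."""
    akms = set(parse_rsn(ie)["akms"])
    wpa2 = akms & {"WPA2-PSK", "WPA2-PSK-SHA256"}
    if "WPA3-SAE" in akms:
        return "WPA2/WPA3 mixed" if wpa2 else "WPA3 only"
    if "OWE" in akms:
        return "OWE (encrypted open network)"
    return "WPA2 only" if wpa2 else "other"

def sample_rsn(akm_types, caps=0):
    """Build a constructed RSN element (CCMP ciphers) for testing."""
    ccmp = OUI + b"\x04"
    body = struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
    body += struct.pack("<H", len(akm_types))
    body += b"".join(OUI + bytes([t]) for t in akm_types)
    return bytes([48, len(body) + 2]) + body + struct.pack("<H", caps)
```

A network reported as mixed still accepts WPA2 clients, so those clients get none of the WPA3 protections described above.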