CES 2018: Wi-Fi Alliance Previews New Industry-Wide WPA3 Security Standard

The Wi-Fi Alliance, backed by industry giants including Apple, Cisco, Intel and Microsoft, said this year will see the introduction of a new version of the WPA set of security technologies used in all Wi-Fi certified devices.

The launch of WPA3, announced in Las Vegas in conjunction with the CES consumer electronics show, follows last year’s disclosure of an attack called KRACK that affected devices using the protocol’s previous version, WPA2.

But the Wi-Fi certification body said it expects devices to continue using WPA2 “for the forseeable future”, even as the more secure standard begins to appear in new hardware.

While it didn’t disclose technical details, the group said WPA3 will include protections for networks with weak passwords and a feature making it easier for devices without screens, like locks or light bulbs, to be configured by gadgets such as smartphones or tablets.

Military-grade security

The standard is also to include individualised encryption for protecting privacy in open networks and a 192-bit security suite aligned with the Committee on National Security Systems’ Commercial National Security Algorithm (CNSA). The suite is aimed at users that require more robust security, such as those in government, the military and industry.

Mathy Vanhoef, the postdoctoral computer security researcher at Belgium’s KU Leuven who discovered the KRACK flaw, speculated the privacy-protecting encryption feature might refer to Opportunistic Wireless Encryption (OWE), a standard that doesn’t require authentication, but he said such protocols are “crutches” that can actually weaken security because users come to rely on them instead of opting for stronger techniques.

He said the protection for weak passwords appears to be a stronger handshake method such as the one known as “Dragonfly”, which is designed to be resistant to dictionary attacks – those in which the attacker repeatedly guesses likely passwords until the right one is found.

“Linux’s open source Wi-Fi client and access point already support the improved handshake,” Vanhoef wrote on Twitter. “It just isn’t used in practice. But hopefully that will change now.”

He noted that WPA3 should formalise the use of stronger security methods that are already in place on many networks.

“The standards behind WPA3 already existed for a while,” Vanhoef wrote. “But now devices are required to support them, otherwise they’re won’t receive the ‘WPA3-certified’ label.”

Do you know all about security? Try our quiz!