Light Dark
July 16, 2018 By Grant Gross 3 min read

A new wireless protocol promises to improve Wi-Fi security significantly, but the changes won’t be immediate.

The Wi-Fi Alliance released the Wi-Fi Protected Access (WPA3) security protocol in June 2018, an update to the 14-year-old WPA2, in an effort to improve defenses in personal and enterprise networks.

But some experts expect the rollout of WPA3 to take years because the organization will need to certify routers to work with the new protocol.

Just How Long Will It Take to Roll Out WPA3?

When WPA2 became mandatory in March 2006, it took the agency about a year and a half to certify devices, according to Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.

“I expect adoption of WPA3 to take many months — even years,” Bilogorskiy said.

In some cases, current routers will be able to run WPA3 through software updates, meaning some organizations won’t need to buy new hardware. Bilogorskiy advised organizations and individual users to update their software as soon as possible and use a virtual private network (VPN) connection in addition to Wi-Fi in the meantime.

Consumer routers are less likely to accept the software update than enterprise routers. According to Sean Newman, director of product management at Corero Network Security, that means many old routers running WPA2 could continue to operate for years.

“The challenge is the long-tail of wireless devices which don’t support the new standard, which will likely propagate significant use of the current standard for three, four, five or even more years before organizations can even consider turning off access for that,” Newman explained.

Improving Wi-Fi Security for Individuals and Businesses

WPA3’s new features promise to help both individual users and enterprises improve Wi-Fi security. For example, WPA3-Personal uses the Simultaneous Authentication of Equals (SAE) protocol to establish secure keys between devices, which helps protect individual users regardless of the strength of their Wi-Fi password. WPA3 also implements forward secrecy, a privacy feature that limits exposure in the event that a threat actor guesses the password.

“If an attacker steals an encrypted Wi-Fi transmission and then guesses the password, they will only be able to see information currently running through the network, not any older data,” Bilogorskiy explained.

For businesses, WPA3-Enterprise enables 192-bit encryption, while older versions used a 64-bit or 128-bit key. In addition, the new protocol offers simplified, secure connections for devices without screens, including smart speakers and other Internet of Things (IoT) devices.

But WPA3 won’t solve all of the IoT’s security problems. According to Newman, the simplified connection scheme will not protect individuals or enterprises from threats originating from compromised IoT devices, such as distributed denial of service (DDoS) attacks.

“The security of the devices themselves will also need to be improved significantly, not just the security of their Wi-Fi connection,” Newman said.

What’s Holding Up WPA3 Adoption?

Despite the security benefits of WPA3, some experts believe there is little urgency to make the switch because WPA2 is still a fairly robust security protocol.

Ian Sherlock, Wi-Fi product manager at Texas Instruments, noted that while WPA3 reflects “an industry desire to be proactive in enhancing Wi-Fi security,” many wireless users will likely wait for the release of the 802.11ax physical layer standard to adopt WPA3. The 802.11ax standard is designed to alleviate congestion and deliver faster Wi-Fi speeds on public networks and other high-bandwidth users, and many new routers will integrate support for both this standard and WPA3.

“WPA3 is expected to be a prerequisite for products supporting 802.11ax, and so that will provide a seamless migration point,” he said.

Wi-Fi operators can take other steps to protect their networks, including investing in security solutions and regularly checking the technology infrastructure for misconfigurations.

“I don’t think anyone needs to be rushing out to buy WPA3-enabled routers just yet,” said Craig Young, computer security researcher at Tripwire. “Anyone looking to improve their wireless security would be better off spending the time to install firmware updates and review configurations.”

Why You Should Adopt WPA3 Sooner Rather Than Later

Bilgorskiy noted that car manufacturers and IoT device makers should be the first companies to move to WPA3, since attacks against these technologies could result in particularly serious consequences. Think of what might happen, for example, if threat actors managed to take control of connected medical devices. Government and defense organizations should also move quickly given the criticality of their systems, Newman said.

“It makes sense to upgrade as soon as possible to benefit from WPA3 improvements,” Newman said, “but, as its use also depends on the connecting devices supporting it, it will likely be months — or even years — before there is a significant enough proportion of those devices for the benefits to be realized.”

Still, organizations should consider adopting the standard sooner rather than later.

“As with all network security, the hackers are constantly innovating and enhancing their abilities to compromise or bypass existing protections,” Newman said. “Combine this with their access to ever-increasing processor power, and the likelihood of hackers being able to readily crack the encryption and other security measures of older standards increases correspondingly.”

 |  |  |  |  |  | 
Grant Gross
Writer

More from

May 7, 2024

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

May 6, 2024

Evolving red teaming for AI environments

2 min read - As AI becomes more ingrained in businesses and daily life, the importance of security grows more paramount. In fact, according to the IBM Institute for Business Value, 96% of executives say adopting generative AI (GenAI) makes a security breach likely in their organization in the next three years. Whether it’s a model performing unintended actions, generating misleading or harmful responses or revealing sensitive information, in the AI era security can no longer be an afterthought to innovation.AI red teaming is emerging…

May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature