A new wireless protocol promises to improve Wi-Fi security significantly, but the changes won’t be immediate.
The Wi-Fi Alliance released the Wi-Fi Protected Access (WPA3) security protocol in June 2018, an update to the 14-year-old WPA2, in an effort to improve defenses in personal and enterprise networks.
But some experts expect the rollout of WPA3 to take years because the organization will need to certify routers to work with the new protocol.
Just How Long Will It Take to Roll Out WPA3?
When WPA2 became mandatory in March 2006, it took the organization about a year and a half to certify devices, according to Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.
“I expect adoption of WPA3 to take many months — even years,” Bilogorskiy said.
In some cases, current routers will be able to run WPA3 through software updates, meaning some organizations won’t need to buy new hardware. Bilogorskiy advised organizations and individual users to update their software as soon as possible and use a virtual private network (VPN) connection in addition to Wi-Fi in the meantime.
Consumer routers are less likely to accept the software update than enterprise routers. According to Sean Newman, director of product management at Corero Network Security, that means many old routers running WPA2 could continue to operate for years.
“The challenge is the long-tail of wireless devices which don’t support the new standard, which will likely propagate significant use of the current standard for three, four, five or even more years before organizations can even consider turning off access for that,” Newman explained.
Improving Wi-Fi Security for Individuals and Businesses
WPA3’s new features promise to help both individual users and enterprises improve Wi-Fi security. For example, WPA3-Personal uses the Simultaneous Authentication of Equals (SAE) protocol to establish secure keys between devices, which helps protect individual users regardless of the strength of their Wi-Fi password. WPA3 also implements forward secrecy, a privacy feature that limits exposure in the event that a threat actor guesses the password.
“If an attacker steals an encrypted Wi-Fi transmission and then guesses the password, they will only be able to see information currently running through the network, not any older data,” Bilogorskiy explained.
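The forward-secrecy point above can be shown in a few lines of Python. This is an added example, not code from the article or from the Wi-Fi Alliance: it derives the WPA2-PSK pairwise key from values a passive observer can record plus the passphrase, then contrasts that with a plain ephemeral Diffie-Hellman exchange used as a stand-in for the property SAE provides (it is not the SAE exchange itself). The passphrase, SSID, MAC addresses and toy group parameters are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

def wpa2_ptk(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """WPA2-PSK pairwise key: every input except the passphrase is sent in clear."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]

# Toy Diffie-Hellman group for illustration only (not a vetted group, not SAE's).
P, G = 2**255 - 19, 2

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2   # ephemeral, discarded after the session
    return priv, pow(G, priv, P)

def dh_session_key(own_priv, peer_pub, passphrase):
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big") + passphrase.encode()).digest()

def demo():
    passphrase, ssid = "correct horse battery", "ExampleNet"   # constructed values
    # Constructed capture: what a passive observer records from a WPA2 handshake.
    capture = dict(ssid=ssid, ap_mac=bytes.fromhex("020000000001"),
                   sta_mac=bytes.fromhex("020000000002"),
                   anonce=secrets.token_bytes(32), snonce=secrets.token_bytes(32))
    live_key = wpa2_ptk(passphrase, **capture)
    # If the passphrase leaks later, the old session key falls out of the capture.
    wpa2_recovered = wpa2_ptk(passphrase, **capture) == live_key

    # Ephemeral exchange: only the two public values cross the air.
    sta_priv, sta_pub = dh_keypair()
    ap_priv, ap_pub = dh_keypair()
    sta_key = dh_session_key(sta_priv, ap_pub, passphrase)
    ap_key = dh_session_key(ap_priv, sta_pub, passphrase)
    # An observer holding both public values and the leaked passphrase still lacks
    # the private exponents, so combining what they have does not give the key.
    observer_guess = hashlib.sha256(
        (sta_pub * ap_pub % P).to_bytes(32, "big") + passphrase.encode()).digest()
    return wpa2_recovered, sta_key == ap_key, observer_guess == sta_key
```

Under WPA2-PSK the passphrase is the only secret input, so traffic recorded today stays exposed to a later passphrase leak; with ephemeral key agreement the per-session secrets are discarded when the session ends.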
For businesses, WPA3-Enterprise enables 192-bit encryption, while older versions used a 64-bit or 128-bit key. In addition, the new protocol offers simplified, secure connections for devices without screens, including smart speakers and other Internet of Things (IoT) devices.
But WPA3 won’t solve all of the IoT’s security problems. According to Newman, the simplified connection scheme will not protect individuals or enterprises from threats originating from compromised IoT devices, such as distributed denial of service (DDoS) attacks.
“The security of the devices themselves will also need to be improved significantly, not just the security of their Wi-Fi connection,” Newman said.
What’s Holding Up WPA3 Adoption?
Despite the security benefits of WPA3, some experts believe there is little urgency to make the switch because WPA2 is still a fairly robust security protocol.
Ian Sherlock, Wi-Fi product manager at Texas Instruments, noted that while WPA3 reflects “an industry desire to be proactive in enhancing Wi-Fi security,” many wireless users will likely wait for the release of the 802.11ax physical layer standard to adopt WPA3. The 802.11ax standard is designed to alleviate congestion and deliver faster Wi-Fi speeds on public networks and for other high-bandwidth users, and many new routers will integrate support for both this standard and WPA3.
“WPA3 is expected to be a prerequisite for products supporting 802.11ax, and so that will provide a seamless migration point,” he said.
Wi-Fi operators can take other steps to protect their networks, including investing in security solutions and regularly checking the technology infrastructure for misconfigurations.
“I don’t think anyone needs to be rushing out to buy WPA3-enabled routers just yet,” said Craig Young, computer security researcher at Tripwire. “Anyone looking to improve their wireless security would be better off spending the time to install firmware updates and review configurations.”
Why You Should Adopt WPA3 Sooner Rather Than Later
Bilogorskiy noted that car manufacturers and IoT device makers should be the first companies to move to WPA3, since attacks against these technologies could result in particularly serious consequences. Think of what might happen, for example, if threat actors managed to take control of connected medical devices. Government and defense organizations should also move quickly given the criticality of their systems, Newman said.
“It makes sense to upgrade as soon as possible to benefit from WPA3 improvements,” Newman said, “but, as its use also depends on the connecting devices supporting it, it will likely be months — or even years — before there is a significant enough proportion of those devices for the benefits to be realized.”
Still, organizations should consider adopting the standard sooner rather than later.
“As with all network security, the hackers are constantly innovating and enhancing their abilities to compromise or bypass existing protections,” Newman said. “Combine this with their access to ever-increasing processor power, and the likelihood of hackers being able to readily crack the encryption and other security measures of older standards increases correspondingly.”