TL;DR: Refer to our knowledge base article to learn more about WPA3.

On June 25, 2018, the Wi-Fi Alliance officially launched the third revision of Wireless Protection Access (WPA), WPA3 [1]. The purpose of WPA3 is to provide additional security and a better experience for users connecting to wireless network environments. This new revision replaces WPA2, which was released way back in 2004.

New Security Features Overview

WPA3 was released in two variations, WPA3 Personal and WPA3 Enterprise, both of which include security enhancements.

WPA3 Personal

In summary, WPA3 Personal is tailored towards individual users and contains security enhancements to allow for additional protection and privacy on personal wireless network environments. Here are two of the security features included:

  • Better Password Selections – This will allow users to choose passwords that are easier to remember, but harder to guess. Weak passwords have always been a significant issue for end-users as they usually stick to those that are easy to remember and easy to guess.
  • Forward Secrecy – If an attacker compromises a password and authenticates to the wireless network, this feature aims to keep data that was captured in transit before the compromise protected even afterwards. Essentially this means that if an attacker captures a lot of wireless traffic without authenticating and then successfully compromises the pre-shared key (PSK) used to authenticate, the attacker should not be able to then decrypt the previously captured traffic.

WPA3 Enterprise

WPA3 Enterprise is tailored towards businesses and also contains some additional security enhancements. Check these out:

  • Improved Encryption – Additional improvements have been made with regards to the encryption protocols and algorithms used within WPA3 wireless networks. The Wi-Fi Alliance states that WPA3 Enterprise networks offer an optional mode using 192-bit-minimum-strength security protocols and cryptographic tools. These improved encryption methods provide better protection for sensitive/confidential data until malicious cryptography geniuses identify weaknesses at some point.
  • Wi-Fi Enhanced Open – This new security feature allows organizations to implement a secure, open wireless network environment. The Wi-Fi Alliance states that each wireless client will essentially have a unique encryption configuration that only the wireless access point (AP) can understand, reducing the chances of a man-in-the-middle (MitM) attack [2].

Additional New Features

In addition to enhanced security, the Wi-Fi Alliance has also released additional features to improve the experience of users connecting and communicating within WPA3 network environments.

Wi-Fi EasyConnect

The Wi-Fi Alliance has introduced a feature called Wi-Fi Certified EasyConnect [3], which essentially allows new devices to connect to the wireless network with minimal user interaction. For example, you can join a WPA3 network by scanning a QR code. In some non-WPA3 networks in the past, some organizations and individuals have developed ways to place a QR code in a central location (e.g. coffee shop), allowing users to scan the code and be joined to the wireless environment. This may be similar to what the Wi-Fi Alliance is looking to accomplish in this feature.

Why WPA3?

In older encryption algorithms, including WEP, WPA, and WPA2, there are a number of associated security weaknesses. Some of these weaknesses could allow for an attacker to gain unauthorized access to the environment, which will eventually lead to access of sensitive/confidential data. This could affect both businesses and personal wireless network environments.

For example, with WEP, attackers can easily compromise these wireless network environments by replaying ARP packets. WPA and WPA2 environments are vulnerable in that an attacker could perform passive sniffing of wireless traffic and capture the wireless handshake. This could ultimately lead to the attacker performing password-based attacks in an attempt to reveal the clear-text PSK used in the handshake.
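The property described under Forward Secrecy and in the handshake paragraph above, as an added Python example that is not part of the original article: in WPA2-Personal the session key is a deterministic function of the passphrase and values sent unencrypted in the handshake, whereas a key built from ephemeral Diffie-Hellman secrets is not. The SSID, passphrase, MAC addresses and the toy group (a stand-in for the SAE exchange WPA3 Personal uses, not SAE itself) are constructed assumptions.

```python
import hashlib
import hmac
import secrets

def wpa2_pmk(passphrase, ssid):
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa2_tk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Expand the PMK into the 48-byte CCMP PTK (802.11 PRF) and return its temporal key."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3))  # 3 x 20 bytes covers the 48 bytes needed
    return ptk[32:48]  # PTK layout: KCK(16) | KEK(16) | TK(16)

# Toy Diffie-Hellman group, for illustration only: not a vetted group and not SAE itself.
P = 2**255 - 19
G = 2

def dh_keypair():
    """Fresh per-session secret and the public value that is sent over the air."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_session_key(my_priv, peer_pub):
    """Session key from my ephemeral secret and the peer's public value."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()[:16]

def compare():
    # Constructed sample values; nothing here comes from a real network.
    ssid, passphrase = "ExampleNet", "example-passphrase"
    on_air = {"ap_mac": bytes.fromhex("020000000001"),
              "sta_mac": bytes.fromhex("020000000002"),
              "anonce": secrets.token_bytes(32), "snonce": secrets.token_bytes(32)}
    live = wpa2_tk(wpa2_pmk(passphrase, ssid), **on_air)
    # Later the passphrase leaks. Every other input was sent unencrypted in the
    # handshake, so the same session key falls out again: no forward secrecy.
    recomputed = wpa2_tk(wpa2_pmk(passphrase, ssid), **on_air)

    ap_priv, ap_pub = dh_keypair()
    sta_priv, sta_pub = dh_keypair()
    ap_key, sta_key = dh_session_key(ap_priv, sta_pub), dh_session_key(sta_priv, ap_pub)
    # The ephemeral secrets are discarded after the session. Only ap_pub and sta_pub
    # were on air, and neither they nor the passphrase are enough to rebuild ap_key.
    del ap_priv, sta_priv
    return {"wpa2_key_recoverable": recomputed == live, "dh_sides_agree": ap_key == sta_key}
```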

Additionally, even using WPA2 Enterprise, some organizations’ wireless network environments are/were still being compromised due to weaknesses in their implementation. For example, users not implementing strong credentials, wireless clients and APs not verifying the identity of each other (allowing for MitM attacks), SSL certificates not implemented, etc. Overall, there have been a number of successful demonstrations of compromises within wireless network environments utilizing pretty much the majority of the features that are supported, from WEP all the way to WPA2 Enterprise.

What Can Organizations Do to Prepare?

With the recent introduction of WPA3, security researchers and attackers are going to be anxiously attempting to discover new security weaknesses. Despite the security enhancements introduced in WPA3, organizations should not lower their guard and forget about the importance of protecting their environment after access is established. Organizations should continue to enforce strong, complex, and lengthy passwords for end-user systems. Other compensating controls, such as network segmentation, end-user security, etc. should still exist and be configured correctly in preparation for an attacker.

It should also be noted that the implementation of WPA3 does not automatically mean that all previous attacks are no longer possible. For example, Evil Twin attacks are still possible, where an attacker operates a rogue AP that impersonates a legitimate one to trick legitimate clients into connecting to it. Additionally, attackers may still be able to target the wireless environment from beyond the immediate proximity of the facility. While there are certainly some improvements to help protect against attackers, the same precautions should still be taken.

Vonahi Security recommends assessing your wireless network environment on a periodic basis to ensure configurations adhere to industry best practices and security controls are implemented post-access. In addition to just assessing the wireless infrastructure and its attack surface, it is also recommended to perform simulated attacks to evaluate the risks presented after an attacker successfully gains access to your wireless environment.