Wi-Fi Alliance, a non-profit organization that decides Wi-Fi standards, has announced the release of WPA3 with several security improvements over WPA2 after the KRACK exploit last year affected almost every Wi-Fi supported device. The organization, which comprises of tech stakeholders including Apple, Samsung, Qualcomm, Microsoft, Cisco and Intel, made the announcement at the CES 2018 on Monday.
For those unaware, KRACK (short for Key Reinstallation AttaCK) exploited vulnerabilities in the four-way handshake of WPA2 (Wi-Fi Protected Access II) that happens when a client wants to join a protected Wi-Fi network.
This will be the first upgrade to the Wi-Fi Protected Access (WPA) protocol since 2006. “Security is a foundation of Wi-Fi Alliance certification programs, and we are excited to introduce new features to the Wi-Fi CERTIFIED family of security solutions”, said Edgar Figueroa, president and CEO of Wi-Fi Alliance.
He added: “The Wi-Fi CERTIFIED designation means Wi-Fi devices [will] meet the highest standards for interoperability and security protections.”
Traffic streams between the access point and end-user devices will now be encrypted independently, improving privacy and security. However, for now, WPA2 will remain the standard in Wi-Fi devices.
“New testing enhancements will…reduce the potential for vulnerabilities due to network misconfiguration, and further safeguard managed networks with centralized authentication services,” the organization said.
The WPA3 (Wi-Fi Protected Access 3) protocol will protect against brute-force dictionary attacks by blocking the Wi-Fi authentication process after several failed login attempts. It will prevent hackers from trying to guess every possible combination of a password.
WPA3 will also protect networks with higher security requirements – like government, military and industrial – through a 192-bit security suite, ‘aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems’.
WPA3 improvements also include protection for users who choose weak passwords and individualized data encryption on open networks, as it should strengthen privacy and provide almost as much security as a home network.
Another advantage of WPA3 is that it includes “robust protection” and streamlines security configurations for devices which either have very small displays or no displays at all.
Expected to arrive sometime in 2018, WPA3 is considered as a welcome move away from WPA2. Security researcher Mathy Vanhoef who discovered the flaw in WPA2 told ZDNet that the new handshake in WPA3 “will not be vulnerable to dictionary attacks.”