Wi-Fi remains a key vulnerability for both organizations and individual users in our digitally connected mobile world. Whether it be a hacker conducting man-in-the-middle attacks on a company network from the parking lot, or a criminal capturing open wireless traffic at the coffee shop – unsecured Wi-Fi has weaknesses that cybercriminals can easily exploit.
Given those vulnerabilities, it seems outlandish that Wi-Fi’s primary security mechanism is still the WPA2 protocol, first introduced in 2004. Many WPA2-certified routers also remain backward compatible with WEP, a protocol introduced in 1999 that is easily cracked with today’s tools. While Wi-Fi security has improved since its inception, it is bewildering that so many obvious weaknesses remain for hackers to exploit against connected devices.
The good news is that the Wi-Fi Alliance introduced WPA3 earlier this year. In some ways, WPA3 is a vast improvement over its predecessor, as it shores up some of the liabilities inherent in WPA2. Like all security protocols, it fails to address every vulnerability, which is why SMBs and enterprises must continue to use a multi-layer security approach. Below we list the exposures of Wi-Fi as it stands today and how well, or how poorly, WPA3 addresses each of them.
Vulnerability #1 – Unencrypted Open Wi-Fi
Many retail establishments such as coffee shops, restaurants, and hotel lobbies continue to run 802.11 open Wi-Fi. Despite the obvious weakness of letting users send plain-text traffic to the local access point, small businesses continue this practice because of one simple fact – it’s easy. Open SSIDs don’t require users to type in a pre-shared key when connecting, which means that shop owners don’t have to worry about the hassle of distributing the key to their customers.
With WPA3, there are no more open networks, period. WPA3 introduces Opportunistic Wireless Encryption (OWE), which may be the best feature of the new standard. OWE allows networks that don’t offer passwords or keys to provide encryption that requires no configuration or intervention from the users themselves. It does this through a process called Individualized Data Protection (IDP). With IDP, each device receives its own key from the access point (AP), even if it has never connected before. The key cannot be sniffed. IDP is also useful for password-protected networks, as knowing the passkey doesn’t give access to the encrypted communication of other devices.
Vulnerability #2 – Password Complexity and Cracking
Although WPA2 is far more secure than WEP, it is still vulnerable to attacks such as password cracking and last year’s WPA2 KRACK attack, which requires device updates to eliminate. WPA2 is only as secure as the user’s password, because the 4-way handshake it uses is susceptible to offline dictionary attacks when a short password is chosen. Since not everyone is educated in the art of creating a strong password, the protection WPA2 offers is only as good as the user’s ability to create a foolproof one.
WPA3 provides robust protection for short and long passwords alike thanks to Simultaneous Authentication of Equals (SAE), which replaces the Pre-Shared Key (PSK) exchange used by WPA2. SAE, also known as the Dragonfly key exchange, handles the initial key exchange more securely and is resilient to offline dictionary attacks.
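To make the two points above concrete, here is an added example (not code from the original article) of the WPA2-PSK key hierarchy as IEEE 802.11 specifies it: the PMK depends only on the passphrase and SSID, and the per-session PTK is then fixed by four values that travel in clear text in the 4-way handshake. That is exactly why a shared passphrase gives no individualized protection and why a weak passphrase can be guessed offline; the MAC addresses, nonces and passphrase in the demo are constructed sample values.

```python
import hashlib
import hmac

# Added example, not from the article. Implements the standard WPA2-PSK
# derivations (PBKDF2 for the PMK, the 802.11 PRF for the PTK).
# All MAC addresses, nonces and the passphrase below are constructed.


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The SSID is public, so the only secret input is the passphrase: every
    holder of the passphrase on the same SSID computes the identical PMK,
    and a short passphrase can be guessed offline, one PBKDF2 call each.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes: KCK | KEK | TK) from the PMK plus the AP and
    station MAC addresses and both nonces, all of which are sent in the clear
    during the 4-way handshake. Min/max ordering makes the result symmetric."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def session_keys(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                 anonce: bytes, snonce: bytes) -> dict:
    """Split the PTK into its three parts; no per-device secret is involved,
    which is the weakness WPA3's per-device keys (IDP) and SAE remove."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


if __name__ == "__main__":
    aa = bytes.fromhex("020000000001")                   # constructed AP MAC
    spa = bytes.fromhex("020000000002")                  # constructed station MAC
    anonce = hashlib.sha256(b"anonce-sample").digest()   # constructed 32-byte nonces
    snonce = hashlib.sha256(b"snonce-sample").digest()
    for name, key in session_keys("CoffeeShop2018", "CafeGuest", aa, spa, anonce, snonce).items():
        print(name, key.hex())
```

The PMK test vector from IEEE 802.11 Annex (passphrase "password", SSID "IEEE") can be used to confirm the derivation matches the standard.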
Other Vulnerabilities
While OWE and SAE are the two most dramatic improvements in the new wireless standard, there are other security additions as well. The Wi-Fi Protected Setup (WPS) feature that made it easy to link new devices, such as a Wi-Fi extender, to a wireless network had its security limitations. These have now been addressed with the newly improved Wi-Fi Device Provisioning Protocol (DPP). In addition, the mix-and-match nature of WPA2-Enterprise, which allowed a multitude of connection settings such as TLS, SHA, EAP, etc., created security gaps. With WPA3, the circumstances in which clients can negotiate down the security of an EAP-TLS connection have been eliminated.
What WPA3 doesn’t address
While OWE does provide encryption for SSIDs that have no passphrase, it lacks any authentication element. This leaves WPA3 just as susceptible to Man-in-the-Middle and Evil Twin attacks as its predecessor. Put differently, a user’s data stream is fully protected only as long as the device connects to the proper AP.
WPA3 only provides protection between the client device and the AP. This means that your WPA3 device is still susceptible to malicious code from known malware deployment sites as well as drive-by websites. So although WPA3 has some definite internal improvements, your Wi-Fi still needs to be protected by a secure DNS web filtering solution.
Controls to prevent malicious actors from making repeated login attempts with commonly used passwords are expected, as is a simplified configuration process for IoT devices that have no display. The new WPA3 protocol will also offer a 192-bit security mode based on the Commercial National Security Algorithm (CNSA) suite to improve security for government, defense, and industrial networks.
“Wi-Fi security technologies may live for decades, so it’s important they are continually updated to ensure they meet the needs of the Wi-Fi industry,” said Joe Hoffman, SAR Insight & Consulting. “Wi-Fi is evolving to maintain its high level of security as industry demands increase.”
A cloud-based DNS filtering system can provide the protection your customers and users need once they are securely connected to your Wi-Fi infrastructure. The main limitation of WPA3 today is that few, if any, clients currently support it; it will be 2019 before the new standard is in widespread use.
If you want to take control of your Wi-Fi network or are an MSP looking for an easy-to-use multi-tenant solution to allow you to provide a web filtering service to your clients, WebTitan Cloud for Wi-Fi is a quick, easy to use, and low-cost way of providing secure guest Wi-Fi for business users.