On Tuesday, the Wi-Fi Alliance rolled out its latest Wi-Fi Protected Access (WPA) protocol, first announced in January, to mitigate risks of open Wi-Fi networks. WPA3 will replace WPA2, which was introduced in 2004 and became mandatory for all devices with the alliance's certification two years later.
The Wi-Fi Alliance has hundreds of member companies and works on the interoperability, connectivity and security of Wi-Fi around the world. WPA protocols are an industrywide safety standard put into connected devices, and with billions of IoT devices added every year and heightened security threats, the protocols are more important than ever.
The WPA3 protocol offers security updates for personal and enterprise networks, and, for many experts, is a big step toward improving network security. Adoption will take place through software and hardware changes, with the latter extending the transition period for organizations balancing costs.
Why does it matter?
With more than half of all internet traffic taking place on Wi-Fi networks, "Wi-Fi is the default way of connecting," said Kevin Robinson, VP of marketing for the Wi-Fi Alliance, in an interview with CIO Dive. Security for network managers is therefore paramount.
In October, vendors were left scrambling after the discovery of a vulnerability in WPA2 that allowed attackers to run reinstallation attacks and steal sensitive data. While patches were issued following the discovery, the WPA3 protocol will address the KRACK vulnerability, in addition to more protections.
WPA3 offers security solutions for personal and enterprise networks — but since businesses can use both types of networks at the same time, dual layers of protection are important for CIOs. The personal offering provides protections against network intrusion by actors attempting to guess passwords or take advantage of weak passwords, according to the announcement. It also protects traffic if a password is compromised.
For things like mobile devices, the switch to WPA3 essentially falls to a software patch or upgrade, but for devices with embedded Wi-Fi or wireless access points, new hardware will be required.
CTO of cyber services, Raytheon
The enterprise offering improves network resiliency and establishes consistency in security protocol application. Protective management frames will offer additional resilience for mission critical networks.
A 192-bit cryptographic strength is unique to the enterprise offering, and when enterprises enable that feature, it means a cutoff of other devices from the network that can't support an equivalent level of cryptographic strength, according to Robinson. This affords extra protection for security sensitive areas, such as government and finance.
Both the personal and enterprise update will ensure networks have the latest security and disallow legacy protocol, simplifying what administrators need to keep track of on networks, Robinson said.
The alliance also rolled out an easy connect feature to simplify adding devices to a network — a process that is challenging to do securely and seamlessly for many organizations, according to Robinson. Devices that are constrained or without a strong user interface, such as a camera, keypad or sensor, can be added to a network with just the scan of a QR code.
This process leverages public key cryptography to provide authentication and security while onboarding, according to Robinson. The tool makes usability and security much easier for organizations using the IoT, according to Mark Orlando, CTO for cyber services at Raytheon, in an interview with CIO Dive.
Security isn't just an update
Moving to WPA3 won't be an overnight process. WPA2 took several years for widespread adoption, and WPA3 devices are still months away. In the meantime, the Wi-Fi alliance will continue to update and maintain WPA2, according to Robinson.
WPA2 was in place for around 14 years — a long time considering the convoluted nature of the security landscape. The longevity of a new protocol will depend on its ease of use and widespread adoption, as well as how manufacturers implement the changes, according to Jessica Saavedra-Morales, research analyst for McAfee's Advanced Threat Research, in a statement provided to CIO Dive.
Long-term interoperability across devices is a key tenant of the WPA protocols, and even if individuals add an old device to a network, it should still work. As the transition to WPA3 is made, WPA2 devices will be able to connect to networks, and no devices will be downgraded, said Robinson.
Both the personal and enterprise WPA3 update will ensure networks have the latest security and disallow legacy protocol, simplifying what administrators need to keep track of on networks.
VP of marketing, Wi-Fi Alliance
Vendors have to submit products to the alliance for certification, so WPA3 devices won't hit the market for several months, according to Orlando. Businesses will have to be deliberate about their transition, and ones without strong governance of networks will have a greater challenge ahead.
For things like mobile devices, the switch to WPA3 essentially falls to a software patch or upgrade, but for devices with embedded Wi-Fi or wireless access points, new hardware will be required, Orlando said. Sunsetting old hardware can be time consuming and costly, and even though WPA3 updates are important, most businesses don't have the budget flexibility to replace all hardware at the drop of a hat.
It's not enough for companies to just make the software switch for WPA3. Too many breaches and attacks are the result of a bad actor finding a piece of outdated software or operating systems still on a company's network and exploiting it, according to Orlando. If businesses move to WPA3 without awareness of what is on their network, so that legacy pieces can be isolated and monitored, security measures like WPA3 are offset.
While the Wi-Fi Alliance will try to keep up with security threats with updates to WPA3, no tool provides ultimate and infinite protection, and businesses need to stay on top of patches, said Robinson.