How WPA3 Can Boost Your Organization's Wireless Security

NEWS ANALYSIS: The Wi-Fi Alliance began certifying products for WPA3 this week, which will lead to wireless communications that are easier to set up and are more secure.


The Wi-Fi Alliance has begun certifying wireless devices that meet the new WPA3 standard in a move that will make wireless communications more secure and easier to manage, but it’ll be a while before you can incorporate the new standard into your organization’s network. However, you can buy devices that can be upgraded to WPA3, and you can begin planning for the transition.

The transition will be fairly straightforward, although for many installations it’ll mean having to buy new access hardware. At this point, only Cisco has said that current systems will be updated to support WPA3. “Cisco is committed to integrating WPA3 features into our Aironet Access Points and Wireless Controllers via a firmware upgrade so that our existing and new customers can take advantage of the capabilities offered by WPA3,” Greg Dorai, vice president for Cisco WLAN, said in a prepared statement.

A number of other wireless vendors, including Aerohive, Arris, Aruba, Broadcom, Intel and Qualcomm, have said they’re going to start building products that support the WPA3 standard. However, actual products with support for WPA3 won’t start appearing on the market until late 2018, with most appearing in 2019.

Once WPA3 infrastructure products begin appearing, the first steps will be to upgrade your access points, controllers and routers. Your existing WPA2 client devices will continue to work because part of the Wi-Fi Alliance’s standard is backward-compatible. When you reach the point where all of your devices are WPA3-compatible, you can turn off the support for WPA2.

Right now, it’s not clear when you can expect to see client devices that support WPA3. The chip makers are going through the certification process now, but so far the Wi-Fi Alliance hasn’t announced that it’s certified anything and a search for WPA3 devices yields no results. This isn’t surprising considering that certification only began a few days ago. At some point, certified products will emerge and you will be able to start evaluating them.

Getting Ready for WPA3

In the meantime, you can begin getting ready for WPA3 by looking for devices on your network that use older standards, if you still have any. The new WPA3 infrastructure will support neither the original WPA nor WEP. Considering that WPA2 has been around for 14 years, you probably won’t find many such devices, but if you do, it’s time for them to go because they’re insecure and can’t be made secure.
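One way to run that inventory against the access points in range, as an added example that is not part of the original article: it labels each network by the oldest protection it still accepts and lists the ones that rely on WEP or the original WPA. It assumes scan text in the layout printed by `iw dev <iface> scan` on Linux; the SSIDs, BSSIDs and function names are invented for illustration.

```python
import re

# Constructed excerpt in the layout of `iw dev <iface> scan` (assumed input format).
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: dock-scanners
BSS 02:00:00:00:00:02(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: ward-monitors
    WPA:  * Version: 1
          * Authentication suites: PSK
BSS 02:00:00:00:00:03(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: corp
    RSN:  * Version: 1
          * Authentication suites: PSK SAE
"""

def parse_scan(text):
    # One dict per BSS. Splitting only on an unindented "BSS " keeps the
    # indented "BSS Load:" element from starting a bogus record.
    nets = []
    for block in re.split(r"(?m)^BSS ", text)[1:]:
        net = {"bssid": block[:17], "ssid": "", "privacy": False}
        sec = None
        for line in map(str.strip, block.splitlines()[1:]):
            if line.startswith("SSID:"):
                net["ssid"] = line[5:].strip()
            elif line.startswith("capability:"):
                net["privacy"] = "Privacy" in line.split()
            elif line.startswith(("WPA:", "RSN:")):
                sec = line[:3]
                net[sec] = set()
            elif line.startswith("* Authentication suites:") and sec:
                net[sec] |= set(line.split(":", 1)[1].split())
        nets.append(net)
    return nets

def classify(net):
    if "WPA" in net:  # original WPA element advertised, alone or beside RSN
        return "WPA/WPA2 mixed" if "RSN" in net else "WPA"
    if "RSN" in net:  # 802.1X-only networks also land in "WPA2" here
        if "SAE" in net["RSN"]:
            return "WPA3 transition" if "PSK" in net["RSN"] else "WPA3"
        return "WPA2"
    # Privacy bit with no WPA or RSN element is how WEP shows up in a scan.
    return "WEP" if net["privacy"] else "open"

def legacy_networks(text):
    return [(n["ssid"], c) for n in parse_scan(text)
            if (c := classify(n)) in {"WEP", "WPA", "WPA/WPA2 mixed"}]
```

A scan only sees what access points advertise, so client devices that depend on a flagged SSID still have to be traced from the controller's or AP's association list.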

Next, contact your wireless infrastructure vendor to determine whether there are plans to upgrade your devices to the new standard. Cisco has already said that its Aironet devices will receive a software update that will take care of it, but it’s not clear from what Cisco has said so far whether all of its Aironet APs and controllers will receive the upgrades, or just the most recent versions.

The next step is to consider your specifications for future hardware purchases. It’s likely that devices with built-in Wi-Fi, such as laptops, tablets and phones, will include support for WPA3 when they’re shipped in 2019. While it’s possible that devices made in 2018 and earlier can be upgraded, I wouldn’t count on it.

WPA3 is intended to have improved support for the internet of things (IoT), but that really means new devices. While WPA3 infrastructure will support IoT devices designed for WPA2, this is an area where you may run into issues, if only because some legacy devices use older standards, which won’t be supported. This could especially affect the healthcare industry, where for reasons that remain unclear, devices seem to have been built without any capability for updates.

On the other hand, some manufacturing equipment is running even older wireless standards that rely on obsolete wireless buses that don’t even meet the original WiFi standards. If you still have such equipment, you already know it’s not secure. Perhaps this is the time to think about upgrading those networks as well.

WPA3 Versions for the Home and Enterprise

It’s worth noting that the Wi-Fi Alliance has divided WPA3 into two types, one for home use and one for the enterprise. The home version of the standard is quite secure and is what you’ll encounter in uses ranging from small offices to airports.

The enterprise version of WPA3 is intended for highly secure applications for the government, financial institutions and the like. Despite the fact that the Wi-Fi Alliance doesn’t say you should use the enterprise version for most business uses, you should. It has better encryption, and it can handle penetration attempts more effectively.

One important change is that WPA3 access points are no longer subject to dictionary attacks in which the handshake between devices is recorded and then subjected to a brute-force means of learning the password. With the new system, you have to start over after each failed attempt at a password, which makes an attempt to crack the password take dramatically longer.

In addition, WPA3 uses forward secrecy, which means that even if someone figures out the password to your access point, they can’t go back and use it on previously recorded data.

Another important change is that open networks will still encrypt data, so you won’t have to worry about someone reading your email while you’re at the airport. Unfortunately, that still doesn’t prevent someone from setting up a man-in-the-middle attack or using a bogus access point. Still, it’s a huge improvement over the current situation in which nothing is encrypted on an open network.

Overall, WPA3 is a needed change that’s been a long time coming. Once it’s in place, consider moving to it as rapidly as you can. It will make your network much more secure.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...