The Wi-Fi Alliance (WFA) — the body responsible for creating the encryption standard used by billions of wireless Wi-Fi products worldwide — announced in January 2018 some significant improvements to its security protocol Wi-Fi Protected Access II (WPA2).
In a much-anticipated move, the Wi-Fi Alliance also announced WPA3. The new protocol is designed to work alongside WPA2 while adoption ramps up.
The original WPA2 protocol is now more than a decade old and suffers from some security issues, most notably the Key Reinstallation Attack (KRACK), discovered in October 2017 by Mathy Vanhoef. This vulnerability works against any wireless network secured with WPA2 and gives the attacker the ability to steal network data.
The KRACK attack works by exploiting the 4-way handshake of the WPA2 protocol that’s used to establish a key for encrypting traffic when clients join a network.
Improvement to WPA2
The WFA is directly targeting man-in-the-middle attacks like KRACK with enhancements to Protected Management Frames (PMF) in WPA2. The feature protects users by using a shared key to check the integrity of control packets sent between the router and client.
In addition, the WFA is implementing new rules for businesses regarding the checks they must perform on their Wi-Fi CERTIFIED devices. The tests are designed to ensure that mission-critical networks are as secure as possible by minimising risk from misconfigured devices.
There is also an upgrade to the 128-bit encryption used by WPA2 that aims to provide better security by standardising its configuration.
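As an added example (not from the Wi-Fi Alliance or the original article): on access points run by hostapd, PMF is controlled by the `ieee80211w` option (0 = disabled, 1 = optional, 2 = required). The Python script below reports the PMF level of every BSS in a configuration file. The sample configuration and its interface names are constructed, and the script assumes each `bss=` section starts from hostapd's default of 0.

```python
"""Added example: report the PMF (ieee80211w) level of each BSS in a hostapd.conf."""

PMF_LEVELS = {"0": "disabled", "1": "optional", "2": "required"}

# Constructed sample: one PMF-required BSS, one with the option commented out,
# and one where PMF is only optional.
SAMPLE_CONF = """\
interface=wlan0
ssid=corp
wpa=2
wpa_key_mgmt=WPA-PSK-SHA256
ieee80211w=2

bss=wlan0_guest
ssid=guest
wpa=2
wpa_key_mgmt=WPA-PSK
# ieee80211w=2

bss=wlan0_iot
ssid=iot
ieee80211w=1
"""

def pmf_by_bss(text):
    """Map each BSS name to 'disabled', 'optional', 'required' or 'invalid'."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank lines, comments, malformed lines
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("interface", "bss"):
            current = value                   # a new BSS section begins
            result[current] = PMF_LEVELS["0"]  # assumed default: PMF disabled
        elif key == "ieee80211w" and current is not None:
            result[current] = PMF_LEVELS.get(value, "invalid")
    return result

def weak_bsses(text):
    """BSS names where clients can still associate without PMF."""
    return sorted(n for n, lvl in pmf_by_bss(text).items() if lvl != "required")

if __name__ == "__main__":
    for name, level in pmf_by_bss(SAMPLE_CONF).items():
        note = "" if level == "required" else "  <-- management frames may be unprotected"
        print(f"{name}: PMF {level}{note}")
```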
Announcing WPA3
WPA3 — due to launch later in 2018 — comprises four new abilities that are designed to provide better security against threats for the foreseeable future.
Firstly, new rules will force providers to ensure that users are choosing strong passwords before joining any Wi-Fi CERTIFIED network.
WPA3 will make it easier for a broader range of devices to join a secure network by using NFC or QR code technology. This change is especially useful for devices with limited displays and user input capabilities.
Perhaps the most welcome enhancement in WPA3 is individualised data encryption on open networks. Joining an unsecured wireless network that is protected by WPA3 provides the same level of protection for the user as a secured network, meaning there is no way for an attacker to monitor network traffic.
Finally, WPA3 introduces a new set of encryption protocols using 192-bit security,
WPA3 will launch later this year, with the first devices supporting the new standard anticipated in the third quarter of 2018. Adoption is expected to take some time as old equipment is replaced. However, the WFA plans to maintain development of WPA2 for the foreseeable future to mitigate any potential security risks until manufacturers adopt the new standard.