
WPA3 Wi-Fi is here and It's Harder to Hack


zoran


Wi-Fi devices have been using the same security protocol for over a decade. But today, that’ll begin to change: the Wi-Fi Alliance, which oversees adoption of the Wi-Fi standard, is beginning to certify products that support WPA3, the successor to the WPA2 security protocol that’s been in use since 2004.

The new protocol provides a number of additional protections for devices connected over Wi-Fi. One big improvement makes it harder for hackers to crack your password by guessing it over and over again, and another limits what data hackers can see even once they’ve uncovered the passcode. Nothing will change as far as users see it; you’ll still just type in your password and connect to the network.

 

WPA3 protections won’t just flip on overnight — in fact, it’s going to be a many-years-long process. First, you’ll have to buy a new router that supports WPA3 (or hope that your old one is updated to support it). The same goes for all your gadgets; you’ll have to buy new ones that support WPA3, or hope your old ones are updated. Fortunately, devices that support WPA3 can still connect with devices that use WPA2, so your gadgets shouldn’t suddenly stop working because you brought something new into the house.

 

The first big new feature in WPA3 is protection against offline, password-guessing attacks. This is where an attacker captures data from your Wi-Fi stream, brings it back to a private computer, and guesses passwords over and over again until they find a match. With WPA3, attackers are only supposed to be able to make a single guess against that offline data before it becomes useless; they’ll instead have to interact with the live Wi-Fi device every time they want to make a guess. (And that’s harder since they need to be physically present, and devices can be set up to protect against repeat guesses.)

 

WPA3’s other major addition, as highlighted by the Alliance, is forward secrecy. This is a privacy feature that prevents older data from being compromised by a later attack. So if an attacker captures an encrypted Wi-Fi transmission, then cracks the password, they still won’t be able to read the older data — they’d only be able to see new information currently flowing over the network.

 

These changes apply to home and personal uses of Wi-Fi. Wi-Fi as it’s used in an enterprise setup, like at a large office where every user is provided a different password, is getting updates too; but it’ll have a different set of protections.

 

The Wi-Fi Alliance expects WPA3 rollout to ramp up over the next year. For now, it won’t be mandatory in new products. But the next generation of Wi-Fi itself — 802.11ax — is also starting to come out and is expected to hit mass adoption in late 2019; as those devices become available, the Alliance expects the pace of WPA3 adoption to pick up. The Alliance says that, as adoption grows, WPA3 will eventually become a requirement for a device to be considered Wi-Fi certified.

Even though WPA2 is more than a decade old, it hasn’t sat untouched since then. The protocol is still maintained and updated to address new exploits and new protections; the Alliance says WPA3 will be the same way.

 

In addition to the start of WPA3 certification, the Alliance is also announcing a new, optional Wi-Fi feature called Easy Connect. Easy Connect is meant to simplify the process of connecting smart home gadgets to your router, which can be tricky when they don’t have screens or buttons on them. If the device (and the router it’s connecting to) supports Easy Connect, you’ll be able to scan a QR code with your phone to have the Wi-Fi credentials automatically sent to the new device. While this sounds like a great feature, it’s hard to guess how widely this will roll out, since it requires support from a lot of parties before it would really become useful.

 

Adoption news is brighter on the WPA3 side of things. Many companies have already announced their support, including Qualcomm, which has already started making a chip for phones and tablets that supports 802.11ax and WPA3.

 
Link to comment
Share on other sites
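To make the article's forward-secrecy point concrete, here is an added Python sketch; it is not from the article or from any WPA3 implementation. It contrasts a WPA2-style key, built only from the passphrase and values sent in the clear, with a key that also depends on per-session Diffie-Hellman secrets. Plain Diffie-Hellman over a toy group stands in for WPA3's actual handshake, and the passphrase, SSID, MAC addresses and the simplified key-expansion step are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only: far too small for real use.
P = 2**255 - 19
G = 2


def wpa2_style_key(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """Session key from the passphrase plus values that are sent in the clear.

    The PMK step follows WPA2-Personal (PBKDF2-HMAC-SHA1, SSID as salt, 4096
    rounds); the expansion into a session key is simplified to one HMAC.
    """
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    context = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
               + min(anonce, snonce) + max(anonce, snonce))
    return hmac.new(pmk, b"session key" + context, hashlib.sha256).digest()


def dh_keypair():
    """Per-session secret (kept local) and public value (sent on the air)."""
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(G, secret, P)


def forward_secret_key(own_secret, peer_public, passphrase):
    """Session key that also depends on a secret that is never transmitted."""
    shared = pow(peer_public, own_secret, P)
    return hmac.new(passphrase.encode(), shared.to_bytes(32, "big"),
                    hashlib.sha256).digest()


def run_demo():
    passphrase = "correct horse battery staple"  # constructed sample value
    # Everything a passive eavesdropper records from the WPA2-style session.
    recording = {
        "ssid": "HomeNet",
        "ap_mac": bytes.fromhex("020000000001"),
        "sta_mac": bytes.fromhex("020000000002"),
        "anonce": secrets.token_bytes(32),
        "snonce": secrets.token_bytes(32),
    }
    live_key = wpa2_style_key(passphrase, **recording)
    # The passphrase leaks later: the recording supplies every other input.
    replayed_key = wpa2_style_key(passphrase, **recording)

    # Forward-secret session: only the two public values are transmitted.
    ap_secret, ap_public = dh_keypair()
    sta_secret, sta_public = dh_keypair()
    ap_key = forward_secret_key(ap_secret, sta_public, passphrase)
    sta_key = forward_secret_key(sta_secret, ap_public, passphrase)
    # The eavesdropper holds the passphrase and both public values, but the
    # function needs a secret exponent; recorded values do not stand in for it.
    attempts = [forward_secret_key(x, y, passphrase)
                for x in (ap_public, sta_public)
                for y in (ap_public, sta_public)]

    return {
        "wpa2_style_key_rebuilt_from_recording": replayed_key == live_key,
        "forward_secret_peers_agree": ap_key == sta_key,
        "forward_secret_key_rebuilt_from_recording": ap_key in attempts,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The last check is an illustration, not a proof: in a properly sized group, recovering the session key from the two public values requires solving the Diffie-Hellman problem, which is why discarding the per-session secrets protects older traffic.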


This is a challenge for (ah-hem... cough!) coders community.

Link to comment
Share on other sites

You’ll have to buy a new router that supports WPA3

(or hope that your old one is updated to support it )

Link to comment
Share on other sites

  • Administrator

I thought this was required to be done at the hardware level in the router. Some are suggesting that software level upgrade can enable it too, but will require more CPU power of the router there.

Link to comment
Share on other sites

You are correct to say that it is a hardware thing:

Quote

"Manufacturers must fully implement these four features to market their devices as Wi-Fi CERTIFIED WPA3"

 

...

Even when you get a WPA3-enabled router, you’ll need WPA3-compatible client devices—your laptop, phone, and anything else that connects to Wi-Fi—to fully take advantage of these new features. The good news is that the same router can accept both WPA2 and WPA3 connections at the same time. Even when WPA3 is widespread, expect a long transition period where some devices are connecting to your router with WPA2 and others are connecting with WPA3.

 

Once all your devices support WPA3, you could disable WPA2 connectivity on your router to improve security, the same way you might disable WPA and WEP connectivity and only allow WPA2 connections on your router today.

 

While it will take a while for WPA3 to fully roll out, the important thing is that the transition process is beginning in 2018. This means safer, more secure Wi-Fi networks in the future.

 

https://www.howtogeek.com/339765/what-is-wpa3-and-when-will-i-get-it-on-my-wi-fi/

 

Kinda like USB-C adoption.. slow but we'll all get there someday.

Link to comment
Share on other sites

1 hour ago, DKT27 said:

I thought this was required to be done at the hardware level in the router. Some are suggesting that software level upgrade can enable it too, but will require more CPU power of the router there.

 

Let's see how TP-Link manage that :) !! I really hope my router would be upgraded :) !! 

Link to comment
Share on other sites

TP LINK Support Official Response
Thank you very much for requesting information about our product.

For this issue, I've consulted our senior engineer. The WPA3 is a new tech, at present we do not provide firmware to support it. Because we need to test it first. In the future, we will take it into account if the marketing is great. At present, none of our device can support it. Thanks for your suggestion.

Have a nice day!

Link to comment
Share on other sites

It won't matter anyway since it will only be on the next major IOS or Android-OS P or even Q and Windows 10 in a year or 2 

 

Also Handsets that have stopped OS updates will surely not get it.... That means NON CURRENT FLAGSHIPS and those who already have outlived their 2 years of OS updates..

 

Link to comment
Share on other sites

@dufus my friend, what do you think about this?? :) I want to have that tech too, maybe modem companies make miracles and implement firmware for our dear devices jajaja :D 

Link to comment
Share on other sites

  • Administrator
2 hours ago, teodz1984 said:

You are correct to say that it is a hardware thing:

 

https://www.howtogeek.com/339765/what-is-wpa3-and-when-will-i-get-it-on-my-wi-fi/

 

Kinda like USB-C adoption.. slow but we'll all get there someday.

 

I did read somewhere that the software update will do it for some routers there.

 

Even the article you quoted mentions something like that:

 

Quote

Device manufacturers could theoretically create software updates that add these features to existing routers and other Wi-Fi devices, but they’d have to go through the trouble of applying for and receiving WPA3 certification for their existing hardware before rolling out the update.

 

Expect third party router software to add this.

Link to comment
Share on other sites

6 minutes ago, DKT27 said:

 

I did read somewhere that the software update will do it for some routers there.

 

Even the article you quoted mentions something like that:

 

Expect third party router software to add this.

 

Exactly bro :) You're the best !! :D 

Link to comment
Share on other sites

29 minutes ago, Archanus said:

I want to have that tech too, maybe modem companies make miracles and implement firmware for our dear devices jajaja :D 

https://routersecurity.org/firmware.selfupdating.php

this stuff give me headache

Link to comment
Share on other sites

1 hour ago, DKT27 said:

Expect third party router software to add this.

 

25 points·5 months ago

I didn't see any official documentation either. My gut instinct is that actual paid members have access to the draft documents, but at this point they are probably months from any type of draft spec yet. Unless you are a vendor designing new wireless equipment it probably is of limited interest.

This is largely to build up hype like any major announcement at CES. I remember almost a decade ago when the SD Association announced the SD-XC standard at CES. It was to hype up how this new standard would scale up to 2TB and they had mock SD-XC cards.

1 point·5 months ago

The official first draft is by end of 2018


bfodder

2 points·5 months ago

So we can expect to be using this sometime in the 20's.

 
17 points·5 months ago

I think it will depend a bit upon how much of an uptick in the extra processing power needed to implement it. If the encryption/decryption is being done in ASICs as opposed to an FPGA then there may be no means of doing a firmware upgrade to support WPA3. Even if everything is done in an FPGA the overhead may be too high.

While I imagine some of the cheaper consumer grade stuff where the margins are thin and they aren't getting any additional revenue from support contracts after initial purchase won't provide upgrades even if they are possible, I would imagine there is some hardware where upgrading the firmware to support WPA3 won't be a possibility. Some hardware is designed with no thoughts towards future standards, but it is kinda hard to pitch beefier hardware for some theoretical future standard to customers for a much higher price point where there is no benefit today. Too many average consumers see hardware as disposable.

 

 

---

Well, there's always (sometimes) custom firmware.

3 points·5 months ago

Depending on how they do the en/decryption, it might not even be possible with custom firmware. If it's done using an ASIC, then there's no changing the algorithm without changing the hardware.

 

Open source firmware (DD-WRT, OpenWRT, LEDE, Gargoyle, Tomato, etc) saves the day if your router supports it!

But, yeah, the OEM firmware likely wouldn't be updated if you have an older router. They tend to be quickly abandoned in favor of reducing maintenance overhead and selling new hardware nowadays.

 

https://www.reddit.com/r/sysadmin/comments/7p1bem/the_wifi_alliance_announces_wpa3_will_focus_on/

Link to comment
Share on other sites

The title 'WPA3 Wi-Fi is here' is misleading.... since it was presented as a concept in Jan 2018... There are no IEEE implementation guidelines yet.. Yet to see an official whitepaper on WPA3 for Wi-Fi Alliance ..

But here are some new facts from  https://www.theverge.com/circuitbreaker/2018/6/26/17501594/wpa3-wifi-security-certification

 

Wi-Fi security is starting to get its biggest upgrade in over a decade

WPA3 certification starts today

Wi-Fi devices have been using the same security protocol for over a decade. But today, that’ll begin to change: the Wi-Fi Alliance, which oversees adoption of the Wi-Fi standard, is beginning to certify products that support WPA3, the successor to the WPA2 security protocol that’s been in use since 2004.

The new protocol provides a number of additional protections for devices connected over Wi-Fi. One big improvement makes it harder for hackers to crack your password by guessing it over and over again, and another limits what data hackers can see even once they’ve uncovered the passcode. Nothing will change as far as users see it; you’ll still just type in your password and connect to the network.

WPA3 protections won’t just flip on overnight — in fact, it’s going to be a many-years-long process. First, you’ll have to buy a new router that supports WPA3 (or hope that your old one is updated to support it). The same goes for all your gadgets; you’ll have to buy new ones that support WPA3, or hope your old ones are updated. Fortunately, devices that support WPA3 can still connect with devices that use WPA2, so your gadgets shouldn’t suddenly stop working because you brought something new into the house.

The first big new feature in WPA3 is protection against offline, password-guessing attacks. This is where an attacker captures data from your Wi-Fi stream, brings it back to a private computer, and guesses passwords over and over again until they find a match. With WPA3, attackers are only supposed to be able to make a single guess against that offline data before it becomes useless; they’ll instead have to interact with the live Wi-Fi device every time they want to make a guess. (And that’s harder since they need to be physically present, and devices can be set up to protect against repeat guesses.)

WPA3’s other major addition, as highlighted by the Alliance, is forward secrecy. This is a privacy feature that prevents older data from being compromised by a later attack. So if an attacker captures an encrypted Wi-Fi transmission, then cracks the password, they still won’t be able to read the older data — they’d only be able to see new information currently flowing over the network.

These changes apply to home and personal uses of Wi-Fi. Wi-Fi as it’s used in an enterprise setup, like at a large office where every user is provided a different password, is getting updates too; but it’ll have a different set of protections.

The Wi-Fi Alliance expects WPA3 rollout to ramp up over the next year. For now, it won’t be mandatory in new products. But the next generation of Wi-Fi itself — 802.11ax — is also starting to come out and is expected to hit mass adoption in late 2019; as those devices become available, the Alliance expects the pace of WPA3 adoption to pick up. The Alliance says that, as adoption grows, WPA3 will eventually become a requirement for a device to be considered Wi-Fi certified.

Even though WPA2 is more than a decade old, it hasn’t sat untouched since then. The protocol is still maintained and updated to address new exploits and new protections; the Alliance says WPA3 will be the same way.

In addition to the start of WPA3 certification, the Alliance is also announcing a new, optional Wi-Fi feature called Easy Connect. Easy Connect is meant to simplify the process of connecting smart home gadgets to your router, which can be tricky when they don’t have screens or buttons on them. If the device (and the router it’s connecting to) supports Easy Connect, you’ll be able to scan a QR code with your phone to have the Wi-Fi credentials automatically sent to the new device. While this sounds like a great feature, it’s hard to guess how widely this will roll out, since it requires support from a lot of parties before it would really become useful.

Adoption news is brighter on the WPA3 side of things. Many companies have already announced their support, including Qualcomm, which has already started making a chip for phones and tablets that supports 802.11ax and WPA3.

BOTTOM LINE:  SO WPA3 will only be implemented on FUTURE ROUTERS 802.11ax :)

 

Link to comment
Share on other sites

What is 802.11ax Wi-Fi, and what will it mean for 802.11ac

https://www.networkworld.com/article/3258807/lan-wan/what-is-802-11ax-wi-fi-and-what-will-it-mean-for-802-11ac.html

 

Each new Wi-Fi standard has brought significant improvements in performance, with the most recent, 802.11ac, offering an impressive theoretical maximum rate of 1.3Gbps.  Unfortunately, these gains have not been enough to keep pace with demand, leading to that exasperated cry heard across airports, malls, hotels, stadiums, homes and offices: “Why is the wireless so slow?”

The IEEE is taking another crack at boosting Wi-Fi performance with a new standard called 802.11ax or High-Efficiency Wireless, which promises a fourfold increase in average throughput per user.

 

802.11ax is designed specifically for high-density public environments, like trains, stadiums and airports. But it also will be beneficial in Internet of Things (IoT) deployments, in heavy-usage homes, in apartment buildings and in offices that use bandwidth-hogging applications like videoconferencing.

 

802.11ax is also designed for cellular data offloading. In this scenario, the cellular network offloads wireless traffic to a complementary Wi-Fi network in cases where local cell reception is poor or in situations where the cell network is being taxed.

Excitement surrounding the new standard is high. Even though the 802.11ax is not expected to be finalized until early 2019, the vendor community is chomping at the bit. Pre-standard chipsets have been shipping since last year and the first 802.11ax routers are currently hitting the market.  In a typical Wi-Fi deployment scenario, early adopters are comfortable using pre-standard products, which readily win certification from the Wi-Fi Alliance after they fully comply with the standard with a firmware upgrade.

What problem is 802.11ax trying to solve?

The fundamental problems with Wi-Fi are that bandwidth is shared among endpoint devices, access points can have overlapping coverage areas, especially in dense deployments, and end users can be moving between access points.

The current solution, based on a technology from the old shared Ethernet days called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), requires endpoints to listen for an all-clear signal before transmitting. In the event of interference, congestion or collision, the endpoint goes into a back-off procedure, waits for the all-clear, then transmits.

In a crowded stadium, a busy airport or a packed train with hundreds, even thousands, of end users attempting to stream video at the same time, the system loses efficiency and performance suffers.

The good news is that 802.11ax promises improved performance, extended coverage and longer battery life.  802.11ax can deliver a single stream at 3.5Gbps, and with new multiplexing technology borrowed from the world of LTE cellular, can deliver four simultaneous streams to a single endpoint for a total theoretical bandwidth of an astounding 14Gbps.

How does 802.11ax work?

The 802.11ax standard takes a variety of well-understood wireless techniques and combines them in a way that achieves a significant advance over previous standards, yet maintains backward compatibility with 802.11ac and 802.11n.

802.11ax delivers a nearly 40 percent increase in pure throughput thanks to higher order QAM modulation, which allows for more data to be transmitted per packet. It also achieves more efficient spectrum utilization.  For example, 802.11ax creates broader channels and splits those channels into narrower sub-channels. This increases the total number of available channels, making it easier for endpoints to find a clear path to the access point.

When it comes to downloads from the access point to the end user, early Wi-Fi standards only permitted one transmission at a time per access point. The Wave 2 version of 802.11ac began using Multi-User, Multi-Input, Multiple Output (MU-MIMO), which allowed access points to send up to four streams simultaneously. 802.11ax allows for eight simultaneous streams and makes use of explicit beamforming technology to aim those streams more accurately at the receiver’s antenna.

Even more importantly, 802.11ax piggybacks on MU-MIMO with an LTE cellular base station technology called Orthogonal Frequency Division Multiple Access (OFDMA). This allows each MU-MIMO stream to be split in four additional streams, boosting the effective bandwidth per user by four times.

The way Network World columnist Zeus Kerravala explains 802.11ax, early Wi-Fi was like a long line of customers in a bank waiting for one teller. MU-MIMO meant four tellers serving four lines of customers. OFDMA means each teller can simultaneously serve four customers.

How is 802.11ax different from 802.11ac?

802.11ac operates in the 5GHz range only, while 802.11ax operates in both the 2.4GHz and 5GHz ranges, thus creating more available channels. For example, early chipsets support a total of 12 channels, eight in the 5GHz and four in the 2.4GHz range.

With 802.11ac, MU-MIMO is limited to downlink transmissions only. 802.11ax creates full-duplex MU-MIMO so that with downlink MU-MIMO an access point may transmit concurrently to multiple receivers and with uplink MU-MIMO an endpoint may simultaneously receive from multiple transmitters.  

802.11ax supports up to eight MU-MIMO transmissions at a time, up from four with 802.11ac. OFDMA is new with 802.11ax, as are several other technologies, like trigger-based random access, dynamic fragmentation and spatial frequency re-use, all aimed at improving efficiency.

Finally, 802.11ax introduces a technology called “target wake time” to improve wake and sleep efficiency on smartphones and other mobile devices. This technology is expected to make a significant improvement in battery life.

When will we see 802.11ax products and adoption?

Quantenna Communications was first out of the gate, announcing the first 802.11ax silicon in October 2016.  The chipset supports eight 5GHz streams and four 2.4 GHz streams. In January 2017, Quantenna added a second chipset to its portfolio with support for four streams in both bands.

Other Wi-Fi chipset vendors have followed suit. Qualcomm announced their first 802.11ax silicon in early 2017, followed by Broadcom and Marvell.

The first 802.11ax router was introduced by Asus last August. Using Broadcom silicon, the Asus router has 4×4 MIMO in both bands and achieves a maximum throughput of 1.1Gbps on 2.4 GHz and 4.8 Gbps on 5 GHz.

Huawei has announced an 802.11ax access point that uses 8×8 MIMO and is based on Qualcomm hardware. And in January, Aerohive Networks announced its first family of 802.11ax access points based on Broadcom chipsets. These are expected to start shipping mid-2018.

The IEEE approved 802.11n in 2007 and 802.11ac in 2013, so they’re sticking with the six-year interval when it comes to 802.11ax. A draft 802.11ax standard is expected to be published in the first quarter of 2018, with the final standard wrapping up in Q1 2019.

Interim Wi-Fi certification of 802.11ax gear by the Wi-Fi Alliance will begin in the fourth quarter of this year, with volume production of 802.11ax products expected to ramp up next year.

In terms of mass adoption, we’re probably talking 2020, but forward-thinking IT execs, especially those running high-density Wi-Fi networks, should launch 802.11ax pilot projects this year.

 

 

Link to comment
Share on other sites
