Wireless technology also knows as WiFi has become so integrated into our personal and professional lives, that we can’t imagine life without it. Businesses rely heavily on it to conduct their operations, mobile network providers use it to transfer voice and data over great distances, and it provides the average user with Internet access at all times in public spaces. Naturally, WiFi’s broad accessibility also makes it an attractive target for cybercriminals or mischief makers.
After more than a decade of using the same WiFi security standards (WPA2), more than 500,000 routers around the world were breached this year by hackers using malware dubbed “VPNFilter” that originated from Russia. The malware is capable of stealing credentials, damaging devices and redirecting traffic while downgrading security protection.
Safer WiFi for everyone
Where there is connection, there is vulnerability. And core to WiFi’s vulnerability is that connected devices share implicit trust. This means that connected devices automatically transmit their data to each other immediately upon recognition without first running any malware detection tests.
Inadequate WiFi protection poses rather a dangerous threat, especially with the rise of Internet of Things (IoT) devices and ever-connected, ever-consuming users (and devices) demanding WiFi everywhere. The amount of information exchanged is staggering and will continue as more businesses are moving to wireless environments and governments leverage the promise of WiFi as a key enabler for smarter cities and connected citizens. Sub-Saharan Africa may not be at the point of large-scale IoT adoption, yet, but with increasing network footprints, it’s only a matter of time.
The Wi-Fi Alliance, a group of companies certifying devices capable of data transmission over WiFi, recently updated the commonly implemented security protocol for WiFi-enabled devices with the introduction of WPA3. This new suite of protocols and technologies provides the latest in authentication and encryption for WiFi network protection.
WPA3 is now available for release in products and includes access to IoT solutions that traverse WiFi networks. There are two deployment models including personal and enterprise, which come along with a related security set called Easy Connect.
WPA3-Enterprise offers extra protection for networks transmitting sensitive data, such as those used by governments and financial institutions, by ensuring a consistent combination of cryptographic tools are used to secure the network.
WPA3-Personal has password-based authentication that’s more resilient than WPA2 – even when users choose passwords that don’t meet common complexity recommendations.
While WPA3 Personal and Enterprise will see primary deployment for devices such as laptops, tablets, and smartphones, IoT devices get their own new security with Easy Connect. The new WiFi Easy Connect protocol is explicitly designed to support WPA3 networks with the new breed of IoT devices in mind – that is devices that have limited or no user interface display at all.
WPA3 also promises to improve security for open networks, such as guest or customer networks in coffee shops, airports and hotels. Although the standard does not appear to protect against a rogue access point, it should prevent passive nearby attackers from being able to monitor communication in the air. Rogue access points pop up on your device’s network menu with labels that look like what you’d expect to see when trying to gain access to a system in a public or semi-public space, but are in fact simple, cheap devices that are improperly installed on the network.
WPA3 supports password-free encryption between stations and access points but does not seem to provide a way for devices to discern between legitimate and rogue access points and is a risk unless the right kind of protocols are properly established to identify rogue access points.
The first big new feature in WPA3 is protection against offline, password-guessing attacks. This is where an attacker captures data from your WiFi stream, brings it back to a private computer, and by utilising software, the attacker guesses passwords over and over again until they find a match – a brute force attack. With WPA3, attackers should only be able to make a single guess against that offline data before it becomes useless; instead, they’ll have to interact with the live WiFi device every time they want to make a guess.
Mass adoption will take time
While the Wi-Fi Alliance currently does not mandate a WPA3 certification for all new devices, its adoption is expected to accelerate by late 2019, and WPA3 could soon become a prerequisite for WiFi certification. While it will take a while for WPA3 to fully roll out, the important thing is that the transition process is beginning. This means safer, more secure WiFi networks in the future.
By Emmanuelle Salon, Executive Head of WiFi Business Unit at Internet Solutions