{"id":12673,"date":"2018-06-26T10:45:03","date_gmt":"2018-06-26T18:45:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/06\/26\/news-6441\/"},"modified":"2018-06-26T10:45:03","modified_gmt":"2018-06-26T18:45:03","slug":"news-6441","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/06\/26\/news-6441\/","title":{"rendered":"WPA3 Wi-Fi Security Will Save You From Yourself"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b318d264263671c40ab7949\/master\/pass\/WIFI-SAFE-FINAL.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Tue, 26 Jun 2018 04:00:00 +0000<\/strong><\/p>\n<p>There are more <a href=\"https:\/\/www.wired.com\/tag\/wi-fi\/\">Wi-Fi devices<\/a> in active use around the world\u2014roughly 9 billion\u2014than there are human beings. That ubiquity makes <a href=\"https:\/\/www.wired.com\/story\/krack-wi-fi-meltdown-open-standards\/\">protecting Wi-Fi from hackers<\/a> one of the most important tasks in cybersecurity. Which is why the arrival of next-generation wireless security protocol WPA3 deserves your attention: Not only is it going to keep Wi-Fi connections safer, but also it will help save you from your own security shortcomings.<\/p>\n<p>The Wi-Fi Alliance, a trade group that oversees WPA3, is releasing full details today, after announcing the broad outlines in January. Still, it&#x27;ll be some time before you can fully enjoy its benefits; the Wi-Fi Alliance doesn\u2019t expect broad implementation until late 2019 at the earliest. 
In the course that WPA3 charts for Wi-Fi, though, security experts see critical, long-overdue improvements to a technology you use more than almost any other.<\/p>\n<p class=\"paywall\">\u201cIf you ask virtually any security person, they\u2019ll say don\u2019t use Wi-Fi, or if you do, immediately <a href=\"https:\/\/www.wired.com\/2017\/03\/want-use-vpn-protect-privacy-start\/\">throw a VPN connection<\/a> on top of it,\u201d says Bob Rudis, chief data officer at security firm Rapid 7. \u201cNow, Wi-Fi becomes something where we can say hey, if the place you\u2019re going to uses WPA3 and your device uses WPA3, you can pretty much use Wi-Fi in that location.\u201d<\/p>\n<p class=\"paywall\">Start with how WPA3 will protect you at home. Specifically, it\u2019ll mitigate the damage that might stem from <a href=\"https:\/\/www.wired.com\/story\/7-steps-to-password-perfection\/\">your lazy passwords<\/a>.<\/p>\n<p class=\"paywall\">A fundamental weakness of WPA2, the current wireless security protocol that dates back to 2004, is that it lets hackers deploy a so-called offline dictionary attack to guess your password. An attacker can take as many shots as they want at guessing your credentials without being on the same network, cycling through the entire dictionary\u2014and beyond\u2014in relatively short order.<\/p>\n<p class=\"paywall\">\u201cLet\u2019s say that I\u2019m trying to communicate with somebody, and you want to be able to eavesdrop on what we\u2019re saying. In an offline attack, you can either passively stand there and capture an exchange, or maybe interact with me once. 
And then you can leave, you can go somewhere else, you can spin up a bunch of cloud computing services and you can try a brute-force dictionary attack without ever interacting with me again, until you figure out my password,\u201d says Kevin Robinson, a Wi-Fi Alliance executive.<\/p>\n<p class=\"paywall\">This kind of attack does have limitations. \u201cIf you pick a password that\u2019s 16 characters or 30 characters in length, there\u2019s just no way, we\u2019re just not going to crack it,\u201d says Joshua Wright, a senior technical analyst with information security company Counter Hack. Chances are, though, you didn\u2019t pick that kind of password. \u201cThe problem is really consumers who don\u2019t know better, where their home password is their first initial and the name of their favorite car.\u201d<\/p>\n<p class=\"paywall\">If that sounds familiar, please change your password immediately. In the meantime, WPA3 will protect against dictionary attacks by implementing a new key exchange protocol. WPA2 used an imperfect four-way handshake between clients and access points to enable encrypted connections; it\u2019s what was behind the <a href=\"https:\/\/www.wired.com\/story\/krack-wi-fi-wpa2-vulnerability\/\">notorious KRACK vulnerability<\/a> that impacted basically every connected device. WPA3 will ditch that in favor of the more secure\u2014and widely vetted\u2014Simultaneous Authentication of Equals handshake.<\/p>\n<p class=\"paywall\">There are plenty of technical differences, but the upshot for you is twofold. First, those dictionary attacks? They\u2019re essentially done. \u201cIn this new scenario, every single time that you want to take a guess at the password, to try to get into the conversation, you have to interact with me,\u201d says Robinson. 
\u201cYou get one guess each time.\u201d Which means that even if you use your pet\u2019s name as your Wi-Fi password, hackers will be much less likely to take the time to crack it.<\/p>\n<p class=\"paywall\">The other benefit comes in the event that your password gets compromised nonetheless. With this new handshake, WPA3 supports forward secrecy, meaning that any traffic that came across your transom before an outsider gained access will remain encrypted. With WPA2, they can decrypt old traffic as well.<\/p>\n<p class=\"paywall\">When WPA2 came along in 2004, the Internet of Things had not yet become anything close to the all-consuming security horror that is its present-day hallmark. No wonder, then, that WPA2 offered no streamlined way to safely onboard these devices to an existing Wi-Fi network. And in fact, the predominant method by which that process happens today\u2014Wi-Fi Protected Setup\u2014has had known vulnerabilities <a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/723755\" target=\"_blank\">since 2011<\/a>. WPA3 provides a fix.<\/p>\n<p class=\"paywall\">Wi-Fi Easy Connect, as the Wi-Fi Alliance calls it, makes it easier to get wireless devices that have no (or limited) screen or input mechanism onto your network. When enabled, you\u2019ll simply use your smartphone to scan a QR code on your router, then scan a QR code on your printer or speaker or other IoT device, and you&#x27;re set\u2014they&#x27;re securely connected. With the QR code method, you\u2019re using public key-based encryption to onboard devices that currently largely lack a simple, secure method to do so.<\/p>\n<p class=\"paywall\">\u201cRight now it\u2019s really hard to deploy IoT things fairly securely. The reality is they have no screen, they have no display,\u201d says Rudis. Wi-Fi Easy Connect obviates that issue. \u201cWith WPA3, it&#x27;s automatically connecting to a secure, closed network. 
And it\u2019s going to have the ability to lock in those credentials so that it\u2019s a lot easier to get a lot more IoT devices rolled out in a secure manner.\u201d<\/p>\n<p class=\"paywall\">Here again, Wi-Fi Easy Connect\u2019s neatest trick is in its ease of use. It\u2019s not just safe; it\u2019s impossible to screw up.<\/p>\n<p class=\"paywall\">That trend plays out also with Wi-Fi Enhanced Open, which the Wi-Fi Alliance detailed a few weeks before. You&#x27;ve probably heard that you should avoid doing any sensitive browsing or data entry on public Wi-Fi networks. That&#x27;s because with WPA2, anyone on the same public network as you can observe your activity, and target you with intrusions like man-in-the-middle attacks or traffic sniffing. On WPA3? Not so much. When you log onto a coffee shop\u2019s WPA3 Wi-Fi with a WPA3 device, your connection will automatically be encrypted without the need for additional credentials.  It does so using an established standard called Opportunistic Wireless Encryption.<\/p>\n<p class=\"paywall\">\u201cBy default, WPA3 is going to be fully encrypted from the minute that you begin to do anything with regards to getting on the wireless network,\u201d according to Rudis. \u201cThat\u2019s fundamentally huge.\u201d<\/p>\n<p class=\"paywall\">As with the password protections, WPA3&#x27;s expanded encryption for public networks also keeps Wi-Fi users safe from a vulnerability they may not realize exists in the first place. In fact, if anything it might make Wi-Fi users feel <em>too<\/em> secure.<\/p>\n<p class=\"paywall\">\u201cThe heart is in the right place, but it doesn\u2019t stop the attack,\u201d says Wright. \u201cIt\u2019s a partial solution. 
My concern is that consumers think they have this automatic encryption mechanism because of WPA3, but it\u2019s not guaranteed. An attacker can impersonate the access point, and then turn that feature off.\u201d<\/p>\n<p class=\"paywall\">Even with the added technical details, talking about WPA3 feels almost still premature. While major manufacturers like Qualcomm already have committed to its implementation as early as this summer, to take full advantage of WPA3\u2019s many upgrades, the entire ecosystem needs to embrace it.<\/p>\n<p class=\"paywall\">That\u2019ll happen in time, just as it did with WPA2. And the Wi-Fi Alliance\u2019s Robinson says that backward interoperability with WPA2 will ensure that some added security benefits will be available as soon as the devices themselves are.  \u201cEven at the very beginning, when a user has a mix of device capabilities, if they get a network with WPA3 in it, they can immediately turn on a transitional mode. Any of their WPA3-capable devices will get the benefits of WPA3, and the legacy WPA2 devices can continue to connect,\u201d Robinson says.<\/p>\n<p class=\"paywall\">Lurking inside that assurance, though, is the reality that WPA3 will come at a literal cost. \u201cThe gotcha is that everyone\u2019s got to buy a new everything,\u201d says Rudis. \u201cBut at least it\u2019s setting the framework for a much more secure setup than what we\u2019ve got now.\u201d<\/p>\n<p class=\"paywall\">Just as importantly, that framework mostly relies on solutions that security researchers already have had a chance to poke and prod for holes. That <a href=\"https:\/\/www.wired.com\/story\/krack-wi-fi-meltdown-open-standards\/\">hasn&#x27;t always been the case<\/a>.<\/p>\n<p class=\"paywall\">\u201cFive years ago the Wi-Fi Alliance was creating its own protocols in secrecy, not disclosing the details, and then it turns out some of them have problems,\u201d says Wright. 
\u201cNow, they\u2019re more adopting known and tested and vetted protocols that we have a lot more confidence in, and they\u2019re not trying to hide the details of the system.\u201d<\/p>\n<p class=\"paywall\">Which makes sense. When you\u2019re securing one of the most widely used technologies on Earth, you don\u2019t want to leave anything to chance.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/wpa3-wi-fi-security-passwords-easy-connect\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b318d264263671c40ab7949\/master\/pass\/WIFI-SAFE-FINAL.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Tue, 26 Jun 2018 04:00:00 +0000<\/strong><\/p>\n<p>With better password security and idiot-proof IoT connections, WPA3 will make your internet experience much, much 
safer.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-12673","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12673","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12673"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12673\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12673"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}