The Wi-Fi Alliance, backed by industry giants including Apple, Cisco, Intel and Microsoft, said this year will see the introduction of a new version of the WPA set of security technologies used in all Wi-Fi certified devices.
The launch of WPA3, announced in Las Vegas in conjunction with the CES consumer electronics show, follows last year’s disclosure of an attack called KRACK that affected devices using the protocol’s previous version, WPA2.
But the Wi-Fi certification body said it expects devices to continue using WPA2 “for the forseeable future”, even as the more secure standard begins to appear in new hardware.
While it didn’t disclose technical details, the group said WPA3 will include protections for networks with weak passwords and a feature making it easier for devices without screens, like locks or light bulbs, to be configured by gadgets such as smartphones or tablets.
The standard is also to include individualised encryption for protecting privacy in open networks and a 192-bit security suite aligned with the Committee on National Security Systems’ Commercial National Security Algorithm (CNSA). The suite is aimed at users that require more robust security, such as those in government, the military and industry.
Mathy Vanhoef, the postdoctoral computer security researcher at Belgium’s KU Leuven who discovered the KRACK flaw, speculated the privacy-protecting encryption feature might refer to Opportunistic Wireless Encryption (OWE), a standard that doesn’t require authentication, but he said such protocols are “crutches” that can actually weaken security because users come to rely on them instead of opting for stronger techniques.
He said the protection for weak passwords appears to be a stronger handshake method such as the one known as “Dragonfly”, which is designed to be resistant to dictionary attacks – those in which the attacker repeatedly guesses likely passwords until the right one is found.
“Linux’s open source Wi-Fi client and access point already support the improved handshake,” Vanhoef wrote on Twitter. “It just isn’t used in practice. But hopefully that will change now.”
He noted that WPA3 should formalise the use of stronger security methods that are already in place on many networks.
“The standards behind WPA3 already existed for a while,” Vanhoef wrote. “But now devices are required to support them, otherwise they’re won’t receive the ‘WPA3-certified’ label.”
Do you know all about security? Try our quiz!
Relief for Apple, Samsung etc after smartphone shipments are predicted to recover in 2024, as…
Beijing reportedly begins blocking the use of Intel and AMD chips in government computers, and…
Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…
Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…
Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…
Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…