WPA3 Wi-Fi security gets certified
But some researchers claim new standard doesn’t go far enough.
Wi-Fi devices have been using the decrepit WPA2 security protocol since it first started rolling out in 2004, and the Wi-Fi Alliance — the organisation that looks after Wi-Fi standards — has now finally begun certifying its successor, WPA3, some14 long years later. WPA3 debuts Simultaneous Authentication of Equals (SAE), a security protocol that provides better defences against potential password guessing attempts, as well as Protected Management Frames (PMF) to defend against malicious parties eavesdropping on data transmissions. Homes using WPA3-supported routers can expect a tougher system of password-based authentication, even when they choose a weak password, while WPA3-Enterprise protocol for businesses could have ramped-up 192-bit encryption to protect their data. WPA3 also features Easy Connect, a new system which makes it easy to hook up IoT devices by just scanning a QR code. While most security experts are excited by these changes, Mathy Vanhoef — credited for discovering the key reinstallation attack, aka KRACK, in October 2017 — claims WPA3 is “a missed opportunity”. He explains that, out of the four new features announced, only the SAE (or dragonfly handshake) is mandatory for WPA3 certification. “I fear that in practice, this means manufacturers will just implement the new handshake, slap a ‘WPA3 certified’ label on [the device], and be done with it,” Vanhoefen said.