It’s summer vacation season, so those Trivago ad campaigns are in overdrive.
But the Trivago Guy obviously isn’t a seasoned business traveller. If he was, he’d spend less time testing hotel mattresses and more time worrying about hotel Wi-Fi security.
This security thing is not fake news.
Last summer, Russian hackers targeted hotel Wi-Fi to try to steal passwords from Western government officials and business executives travelling in Europe and the Middle East. According to cybersecurity firm FireEye, the Russian group climbed through the same open hotel Wi-Fi window, so to speak, to successfully breach the laptop of a U.S. government employee in 2016.
Will the new WPA3 security standard nix these public Wi-Fi tricks?
Yes, says the Wi-Fi Alliance. When the global industry consortium of Wi-Fi players recently unveiled WPA3, safer public Wi-Fi was just one of the benefits it touted. Here are more details on that and other major features of WPA3.
Public Wi-Fi: While WPA2 requires password authentication for security, WPA3 automatically encrypts the connection when you use an unsecured Wi-Fi network in public spaces like coffee shops, airports and (the Trivago Guy might be glad to know) hotels.
Personal WPA3: There are two versions of WPA3, and this one is designed to save us from our own password foibles. Even if you pick a weak password, WPA3 applies Simultaneous Authentication of Equals (SAE), shielding your connection from KRACK hacks and third-party ‘dictionary attacks’ that try to guess your password.
Enterprise WPA3: Aimed at safeguarding the transmission of highly sensitive data (such as government, healthcare and finance), this version boosts the cryptography to a minimum strength of 192-bit.
Interoperability: “As the Wi-Fi industry transitions to WPA3 security, WPA2 devices will continue to interoperate and provide recognized security,” according to the Wi-Fi Alliance announcement.
Easy Connect: Many IoT devices don’t have display interfaces or input mechanisms, making Wi-Fi onboarding kind of a drag. Through Easy Connect, users can securely add such devices to a Wi-Fi network by simply scanning a QR code with their smartphone.
Knowing all of that about WPA3, the burning question for IT pros is …
Will WPA3 actually be more secure?
Joshua Wright of cybersecurity firm Counter Hack pointed out in Wired that “an attacker can impersonate the access point and then turn [WPA3’s automatic encryption] feature off.”
In the same article, however, Wright says the Wi-Fi Alliance’s move to develop WPA3 in a far more open and collaborative manner than it did with WPA2 can only bolster WPA3’s security as it’s road-tested by the IT community.
Speaking of the community, Spiceworks put this question to members of its online cybersecurity forum (affectionately dubbed SpiceHeads): “How confident are you the WPA3 protocol will make Wi-Fi networks more secure?”
Most respondents — a combined total of 53 per cent — were extremely or fairly confident and just 14 per cent were “not at all confident.” It bears noting, however, that the poll was taken in January, before the official WPA3 specs had been revealed.
Still, the comments section of the poll suggests the overriding concern of IT pros around WPA3 is interoperability. Namely, how soon will enterprises have to buy WPA3 hardware?
The Wi-Fi Alliance addressed that (sort of) in a news release, saying “WPA2 will be available in Wi-Fi Certified devices for the foreseeable future, and all devices supporting WPA3 will continue to work with WPA2 devices.”
Here’s how Kevin Robinson of the Wi-Fi Alliance expanded on that in Wired:
“Even at the very beginning, when a user has a mix of device capabilities, if they get a network with WPA3 in it, they can immediately turn on a transitional mode. Any of their WPA3-capable devices will get the benefits of WPA3, and the legacy WPA2 devices can continue to connect.”
A more cynical view of the interoperability transition phase was painted by this comment posted in the Spiceworks poll:
“[WPA3 is] a great revenue stream for hardware vendors who will stop patching current gear and insist you buy the new WAPs [Wireless Application Protocol browsers] if you want WPA3.”
The first hardware made specifically for the WPA3 market isn’t expected to hit the market until late 2018 or early 2019. Ultimately, though, organizations will have to invest in WPA3 gear when the Wi-Fi Alliance starts phasing out WPA2 support and updates. No one knows exactly when that will happen.
To put it into perspective, WPA2 is still supported today, 12 years after it became required for all Wi-Fi Certified devices in 2006, and 14 years after the WPA2 standard was launched in 2004.
As suggested by one SpiceHead’s comment, perhaps the best WPA3 advice for all organizations is this: “Adapt and overcome.”
Image: shapecharge via iStock