Keeping up with the security industry (well IT in general to be honest) is a challenging task to say the least. I like to think I do a relatively good job, but every once in a while you realise something has managed to completely pass you by! This happened recently to me when a colleague mentioned in passing that “802.11ax supports encryption on open SSIDs”. After having a look into it this isn’t strictly speaking true, the capability is actually provided by the new WPA3 standard, but I was left wondering how on earth I missed this. This post will have a look at some of the security improvements WPA3 brings over its predecessor – WPA2.
The problems with WPA2
The current security standard for wireless networks (WPA2) comes in two flavours – personal (pre-shared key) and enterprise (RADIUS-based EAP/802.1X). Additionally, SSIDs can be left in an “open” mode, which offers no protection and is typically used for guest/hotspot access.
Open SSIDs clearly offer no protection to the users of the network. This has meant that guest access, such as that seen in enterprises and coffee shops/hotels up and down the country, offers no privacy and allows for easy man-in-the-middle attacks. This is one of the reasons that TLS (more specifically HSTS) is so vitally important for end-user security. But the better option, of course, would be to have the data encrypted over the air.
OK, so what about using a pre-shared key then? Well… that’s not much better either. Anyone within range of the radio signals who also has the key can snoop on the communications (assuming they capture the relevant handshake). An improvement (it keeps those without the key at bay), but not great from a privacy/security perspective. Pre-shared keys are also easily susceptible to offline brute-force attacks.
WPA2-Enterprise must be the answer then! Well yes, it is by far the best from a security perspective, but even that has had its fair share of issues. Often enterprises rely on staff usernames/passwords (and we know that humans tend to be bad when it comes to passwords), and a weakness was discovered in the protocol that allows for an attack known as the Key Reinstallation Attack (KRACK). This attack worked against all modern wireless networks and could allow an attacker to read information that had previously been encrypted.
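To make the privacy point concrete, here is an added example (not from the original post) that walks through the WPA2-Personal key derivation in Python: the PMK from the passphrase and SSID, then the PTK from the PMK plus the four handshake fields that cross the air in the clear. The network name, passphrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i), truncated."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range((nbytes + 19) // 20))
    return b"".join(blocks)[:nbytes]

def wpa2_ptk(pmk: bytes, hs: dict) -> bytes:
    """CCMP PTK (KCK || KEK || TK, 48 bytes). Every field in `hs` is sent unencrypted."""
    aa, spa, an, sn = hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"]
    data = min(aa, spa) + max(aa, spa) + min(an, sn) + max(an, sn)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def ptk_from_capture(passphrase: str, ssid: str, captured: dict) -> bytes:
    """What any other holder of the PSK can compute from a sniffed 4-way handshake.
    The passphrase is the only secret input; everything else was broadcast."""
    return wpa2_ptk(wpa2_pmk(passphrase, ssid), captured)

# Constructed sample values: one guest network and the cleartext fields of a handshake.
SSID, PASSPHRASE = "HotelGuest", "Wir3l3ss2019"

def sample_handshake(client_tag: bytes) -> dict:
    return {"ap_mac": bytes.fromhex("001122334455"),
            "sta_mac": hashlib.sha1(client_tag).digest()[:6],      # constructed MAC
            "anonce": hashlib.sha256(b"anonce" + client_tag).digest(),
            "snonce": hashlib.sha256(b"snonce" + client_tag).digest()}

def sessions_differ() -> bool:
    """Fresh nonces give each association its own PTK, which is no help against a PSK holder."""
    pmk = wpa2_pmk(PASSPHRASE, SSID)
    return wpa2_ptk(pmk, sample_handshake(b"laptop-A")) != wpa2_ptk(pmk, sample_handshake(b"phone-B"))

if __name__ == "__main__":
    victim = sample_handshake(b"laptop-A")
    mine = wpa2_ptk(wpa2_pmk(PASSPHRASE, SSID), victim)
    print("other guest derives same PTK:", ptk_from_capture(PASSPHRASE, SSID, victim) == mine)
```

Note that the expensive PBKDF2 step depends only on the passphrase and SSID, so the whole derivation has a single secret input; that is the property SAE changes.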
WPA3 has been redesigned to address a bunch of the issues with WPA2. That being said, recently discovered vulnerabilities in the standard have brought into question how well the protocol works – more on that here.
Putting that to one side for a moment, let’s have a look at some of the improvements that WPA3 brings over WPA2.
Open SSID encryption
Yes, yes, yes! A major improvement over WPA2. WPA3 allows for something known as Opportunistic Wireless Encryption (OWE), or as it’s known in WPA3 terms, “Enhanced Open”. This means that the typical hotspot wireless found in hotels, pubs, shopping centres and enterprises up and down the country can now provide privacy and security. It also offers management frame protection, which helps protect against the disassociation attacks typically used to force clients to re-perform their initial handshake.
Without going into too much detail, the process relies on a Diffie-Hellman key exchange to generate unique keying material per device. Even better, it is transparent to the end user. No more mistyped pre-shared keys or difficulty connecting to networks.
As far as I can tell from what I’ve read, OWE is not an official part of the WPA3 standard. Its implementation in wireless solutions is not mandatory and vendors can choose whether to implement it – here’s hoping they do.
Simultaneous Authentication of Equals (SAE)
Simul-what? Issues with WPA2’s handshake process mean that attackers could easily capture handshake data and crack it offline, without any interaction with the wireless access point. Bad news for those with weak pre-shared keys.
Without getting into the details, SAE essentially means that this offline attack vector won’t be possible. In order to crack a pre-shared key, an attacker would have to interact with the wireless access point, which will drastically slow down the brute-force process and/or allow for client blacklisting.
Unfortunately this SAE process seems to be at the centre of the recent weaknesses in WPA3, so maybe it isn’t quite all it’s cracked up to be.
Perfect Forward Secrecy (PFS)
What if SAE didn’t slow down the attacker enough and they are successful in guessing the key? Well, you’re probably not in for a good day, and no doubt wondering why you thought “Wir3l3ss2019” would make a secure key! That being said, one slight upside is that the attacker can’t decrypt traffic they may have previously captured. Much like ECDHE cipher suites in TLS, WPA3 provides perfect forward secrecy.
WPA3, when used in enterprise mode, also offers the option of strong 192-bit encryption for use in high-security environments.
WPA3 also brings with it other improvements, such as better onboarding methods for screenless devices (think devices such as Amazon Echos and the like) using a process named Wi-Fi Easy Connect, but these don’t excite me as much!
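An added example (not from the original post, nor any vendor’s code) of the ephemeral Diffie-Hellman exchange that Enhanced Open and SAE build on, which is also where the forward secrecy described above comes from: every association runs a fresh ECDH on NIST P-256, RFC 8110’s default OWE group. Assumptions: the session key is a plain SHA-256 of the shared x-coordinate rather than the HKDF schedule a real OWE implementation uses, and the curve arithmetic is a pure-Python sketch that is not constant-time.

```python
import hashlib
import secrets

# NIST P-256 (RFC 8110's default OWE group). Constants are from the standard; the
# check n*G == infinity in the usage below only passes if they were copied correctly.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def add(p1, p2):
    """Affine point addition on y^2 = x^3 - 3x + B; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (demo only: not constant-time)."""
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def keypair():
    """A fresh ephemeral scalar per association; it never leaves the device."""
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def session_key(own_priv, peer_pub):
    """Hash the shared x-coordinate (a real OWE stack runs it through HKDF per RFC 8110)."""
    x, _ = mul(own_priv, peer_pub)
    return hashlib.sha256(x.to_bytes(32, "big")).digest()

def open_network_sessions(n_clients=3):
    """Per-client keys on one Enhanced Open SSID, plus all a sniffer sees: public points only."""
    ap_priv, ap_pub = keypair()
    keys, over_the_air = [], []
    for _ in range(n_clients):
        c_priv, c_pub = keypair()                  # client's ephemeral pair
        assert session_key(c_priv, ap_pub) == session_key(ap_priv, c_pub)
        keys.append(session_key(c_priv, ap_pub))
        over_the_air.append((c_pub, ap_pub))       # no key material: forward secrecy follows
    return keys, over_the_air
```

A sniffer on the open network captures only the public points in `over_the_air`; because each scalar is discarded after the association, a later compromise of either device yields nothing that turns those points into a past session key.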
WPA3 is still pretty new in the grand scheme of things and I think it will be a while before we start to see it in widespread use. Whilst it is already available in some vendor implementations, it is not something I’ve come across yet.
If you’re aware of which vendors currently support WPA3 (either from client or network infrastructure perspective) then drop me a comment to let me know! Otherwise it will be interesting to see how things pan out, particularly given the early weaknesses found.
Whilst not an in-depth look at WPA3, hopefully this post has helped give a bit of insight to others who, like me, somehow missed aspects of what WPA3 brings from a security perspective.
2019-04-12 01:00 +0100