New Wi-Fi Standard Shakes Up SecurityThursday, January 11, 2018
Main vulnerabilities in WPA2 set to be nullified by incoming Wi-Fi standard
In a long-awaited move, the worldwide network of companies that collaborate on Wi-Fi, the Wi-Fi Alliance, have announced a new security standard to replace the aging WPA2 standard.
The new standard, WPA3, will rollout during 2018, according to the Alliance, and features several significantly improved security functions; intended to keep user data safer.
The WPA3 standard will provide four major security planks, two designed to mitigate weak password creation by users and also enable easier configuration of devices that have limited or no display interface, such as IoT devices.
Another feature will strengthen user privacy in open networks through individualized data encryption. Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements such as government, defence, and industrial.
“Security is a foundation of Wi-Fi Alliance certification programs, and we are excited to introduce new features to the Wi-Fi CERTIFIED family of security solutions,” said Edgar Figueroa, president and CEO of Wi-Fi Alliance. “The Wi-Fi CERTIFIED designation means Wi-Fi devices meet the highest standards for interoperability and security protections.”
WPA3 will provide a welcome upgrade for the 14-year-old WPA2, which suffered a significant defeat in 2017, when researcher MathyVanhoef of imec-DistriNet, KU Leuven unveiled the KRACK Attack in October. The ingenious attack takes advantage of main management vulnerabilities in the WPA2 security protocol, which allow adversaries to develop a key reinstallation attack.
The discovery meant that all Wi-Fi networks were potentially hackable, even when running a best practice architecture and properly configured WPA2. Although vendors have pushed out patches for many of the vulnerabilities below, implementation is still patchy, making the deployment and adoption of a new, more secure standard a vital development.
“Wi-Fi security technologies may live for decades, so it’s important they are continually updated to ensure they meet the needs of the Wi-Fi industry,” said Joe Hoffman, SAR Insight & Consulting. “Wi-Fi is evolving to maintain its high-level of security as industry demands increase.”
The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to the KRACK-related vulnerabilities:
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: reinstallation of the Tunnelled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Until the new WPA3 standard is published and implemented best-practice Wi-Fi security involves the usual mix of deploying vendor patches, correct initial configuration and ideally implementing additional network encryption such as HTTPS or a VPN.
Of course, HTTPS can be bypassed in a number of situations, so should not be completely relied upon, but it is certainly a good time to test your HTTPS implementation with High-Tech Bridge’s free SSL/TLS checker.