Why Wi-Fi Hacking Will Persist Despite WPA3

By Ryan Orsi, Director Product Management, WatchGuard Technologies

In 2017, the famed Key Re-installation Attack or “Krack” attack shocked the world by defeating WPA2 encryption. As a result, the Wi-Fi industry has rallied to release WPA3 with improved security protections. Unfortunately, WPA3 alone will not be enough to stop Wi-Fi attacks; not by a long shot. Before we explore why this is, let’s take a step back and examine the appeal of Wi-Fi attacks in the first place.

The Wi-Fi attack surface is one of the most desirable to hackers for a variety of reasons. Just about any Wi-Fi network is highly exposed to vulnerabilities attackers can use to steal sensitive data, eavesdrop, and infiltrate further into the network. Why is it such an easy target? Nearly every cybersecurity company focuses on layer 7 application attacks (such as zero-day malware and ransomware), while historically very little effort has been made to defend against layer 2 Wi-Fi attacks. In fact, protections for layer 2 have only recently been introduced, leaving 20 years’ worth of Wi-Fi access points, routers, and clients wide open to attack.

A primary goal for most Wi-Fi attackers is to gain a position as the “man-in-the-middle (MitM).” This involves tricking a victim’s device into believing it’s connected to the internet through a legitimate Wi-Fi SSID, when in reality, an attacker is broadcasting the SSID and the victim’s traffic is flowing directly through to the attacker, allowing them to see everything the victim is doing, typing, watching and more. This type of attack is surprisingly common, and much easier to fall victim to than you might think.

Back to the problem at hand. As I mentioned, the Krack attack roused the industry to develop WPA3, with security enhancements designed to address the shortcomings of its predecessor, WPA2. WPA3 contains a Personal and Enterprise implementation and its security improvements include the forced use of Protected Management Frames (PMF), which protect against eavesdropping on unicast and multicast management frames and the replacement of WPA2’s 4-way handshake and Pre-Shared Key (PSK) system with Simultaneous Authentication of Equals (SAE). This essentially eliminates offline dictionary attacks. These security enhancements will help eliminate the various tricks and tools attackers have been using for years to intercept WPA2’s 4-way handshake packets, and upload to multiple free services that advertise “recovering your Wi-Fi password”.

Open Wi-Fi networks supporting WPA3 also have improvements intended to prevent eavesdropping. Referred to by the Wi-Fi Alliance as “WPA3 Enhanced Open,” Wi-Fi networks that don’t require passwords will utilize Opportunistic Wireless Encryption (OWE), where each device will receive its own key. This will prevent others on the same open network from sniffing packets out of the air.

But despite these welcome security improvements, at least one of the six Wi-Fi threat categories – Rogue AP, Rogue Client, Evil Twin AP, Neighbor AP, Ad-Hoc Networks, and Misconfigured APs – can still be used to compromise WPA3 networks. Each of these types of threats represent a unique method attackers can use to either position themselves as a MitM or eavesdrop on network traffic silently. That’s why more and more IT departments are creating Trusted Wireless Environments that are capable of automatically detecting and preventing Wi-Fi threats. Relying on WPA3 alone for Wi-Fi security is a mistake.

Take the Evil Twin AP attack, for example. This threat is very likely to be used in Enhanced Open Wi-Fi networks, since OWE can still take place between a victim client and an attacker’s Evil Twin AP that is broadcasting the same SSID, and possibly the same BSSID as a legitimate AP nearby.  Although OWE would keep the session safe from eavesdropping, the victim’s Wi-Fi traffic would flow through the Evil Twin AP and into the hands of an MitM, who can intercept credentials, plant malware, and install remote backdoors. One massive issue with WPA3 it doesn’t account for the fact that users and devices connecting to an SSID still have no way to confidently know that the SSID is being broadcasted from a legitimate access point or router. The SSID can still be broadcasted, with WPA3 enabled, from a malicious Evil Twin AP for example.

Don’t get me wrong, the emergence of WPA3 is a solid step forward toward addressing today’s significant Wi-Fi security issues. That said, it should be looked at as a complimentary security control rather than a cure-all. Any organization operating a Wi-Fi network needs to ensure that they’ve built a Trusted Wireless Environment that can identify and defend against Wi-Fi threats automatically. This way, the access point deployment itself prevent users and devices from connecting and falling victim to malicious threats. How much trust can you put into your wireless environment?

About the Author

Ryan Orsi is Director of Product Management at WatchGuard Technologies, a global leader in network security providing products and services to more than 80,000 customers worldwide. Ryan leads the Secure Wi-Fi solutions for WatchGuard. He has experience bringing disruptive wireless products to the WLAN, IoT, medical and consumer wearable markets. As a VP of Business Development in the RF industry, he led sales and business development teams worldwide to success in direct and channel environments. He holds MBA and Electrical Engineering degrees and is a named inventor on 19 patents and applications.