A couple of decades ago, when Wi-Fi was first made available, it relied on the Wired Equivalent Protocol, or WEP. As Wi-Fi gained popularity, it became clear that WEP contained a massive security flaw that could allow a hacker to effortlessly gain access to a wireless network. As such, the WEP protocol was quickly abandoned in favor of the Wi-Fi Protected Access (WPA) protocol. Over time, WPA gave way to the WPA2 protocol that most people use today. The point is that security standards evolve over time. The WPA protocol that was once considered to be cutting edge is insecure by today’s standards. And while the evolving nature of security standards may seem quite obvious, there is another issue that must be considered--the semi-permanent nature of Wi-Fi hardware.
Now, please do not misunderstand me. There is of course no rule stating that once a wireless access point has been installed it must become a permanent fixture. The reason why I referred to Wi-Fi hardware as semi-permanent is because it tends to have greater longevity than other types of IT hardware.
Most large organizations have adopted a hardware refresh cycle for network servers, storage, desktop PCs and that sort of thing. Desktop PCs, for example, are commonly placed on a five-year refresh cycle. Such a schedule helps to simplify IT budgeting by making expenditures easier to predict. It also helps to prioritize the replacement of an organization’s oldest hardware.
Wi-Fi hardware is often treated differently, though. Wi-Fi is one of those things that people tend not to think about unless it stops working. As such, there may not be any sense of urgency associated with periodically replacing Wi-Fi hardware.
In some ways, retaining Wi-Fi hardware for an extended period of time makes sense. From a security standpoint, a wireless access point that was purchased last year may not be all that different from one that was purchased a decade ago. Believe it or not, WPA2 enabled Wi-Fi hardware first became available way back in 2004, and is still in use today.
Given WPA2’s longevity, it would be easy to assume that the protocol has been proven to be so secure and reliable that manufacturers have decided to take the “if it isn’t broke, don’t fix it” approach. However, this simply is not the case.
The WPA2 protocol is at least 15 years old at this point, and it is really beginning to show its age. There are a multitude of documented vulnerabilities related to WPA2. For example, there are several password cracking attacks that have been proven to be effective against WPA2. There are also techniques that a hacker can use to hijack a TCP connection and inject malicious packets into the conversation with a host.
Thankfully, the WPA protocol is getting a new lease on life. Late last year, the third generation of the protocol (WPA3) was introduced. WPA3 improves Wi-Fi security in a few different ways. For starters, the protocol uses 128-bit encryption, which is a definite improvement over WPA2. Perhaps more importantly, WPA3 introduces a new feature called the Simultaneous Authentication of Equals. This security feature, which is more casually known as SEA or as the Dragonfly Handshake, is designed to prevent hackers from being able to perform a dictionary-based login.
Unfortunately, WPA3 isn’t perfect. Several vulnerabilities have already been discovered. The largest vulnerabilities, however, stem from WPA3’s backward compatibility with WPA2. This backward compatibility is designed to allow older devices to be used with newer access points, but can potentially allow a hacker to perform a downgrade attack.
Fortunately, there are a few things that you can do to keep your wireless network secure. First, go ahead and start replacing aging Wi-Fi hardware with newer WPA3 devices. Even if your wireless clients are not yet running WPA3-capable devices, the newer access points may offer other security features that your current access points do not have.
Once the new hardware is in place, set a date by which users will be required to use only WPA3 devices. Doing so will eliminate any possibility of a downgrade attack (assuming that the access point lets you disallow WPA2 traffic).
Most importantly, force the use of long, complex, and unique Wi-Fi passwords. Many of the attacks being used against Wi-Fi today (the so-called Dragon Blood exploits) are ineffective against sufficiently long and complex passwords, so long as those passwords are unique.