Wi-fi certification program dials down security requirements

Wireless network device industry organisation the Wi-Fi Alliance has released the final version of the WPA3 (wi-fi protected access) certification program, with just one out of four key new security features being mandatory for makers of wi-fi enabled equipment.

WPA3 is the successor to the current WPA2 program that started in 2006, and first broke cover in January this year.

The new standard comes after widespread concerns over the key reinstallation attack, or KRACK, which was made public by security researcher Mathy Vanhoef in October last year, menacing millions of wi-fi devices worldwide.

Vanhoef was able to show that the KRACK attack could exploit a weakness in the encryption implementation of the current WPA2 protocol and use it to capture sensitive data such as passwords, credit card details, chats, photos and more.

The Wi-Fi Alliance will now test both WPA2 and WPA3 devices to ensure that they validate digital server certificates properly and are patched against the KRACK attack.

Beyond KRACK patches being mandatory, in an analysis of the final WPA3 release, Vanhoefen declared it "a missed opportunity".

He explained out of the four major new features signalled earlier this year, only one - the dragonfly handshake - is mandated under the WPA3 certification program.

Dragonfly handshakes prevent dictionary attacks against the authentication mechanism of wi-fi routers.

Vanhoefen noted that the replacement for the current insecure wi-fi protected setup (WPS), the wi-fi easy connect that uses the device provisioning protocol (DPP), is not a mandatory part of WPA3.

Nor is the wi-fi enhanced open feature that tries to establish encryption for open hotspots, or the WPA3-enterprise mode that support key sizes offering the equivalent of 192-bit security.

With only the new dragonfly handshake being required under the uprated certification program, "I fear that in practice, this means manufacturers will just implement the new handshake, slap a 'WPA3 certified' label on [the device], and be done with it," Vanhoefen said.

"The Wi-Fi Alliance missed an opportunity to truly improve the security of wi-fi networks," the security researcher added.

WPA3 will be interoperable with the features in the older WPA2 certification program.