The news a few months back about the discovery of the KRACK vulnerability seemed to expose what many security experts have known for a while, that WPA2 has weaknesses and needs to be improved. Notice I said “weaknesses” as just to be clear, WPA2 is not broken. There is no wide open door ready for hackers and mischievous persons to walk right through and grab all your data bits 🙂 However with the evolution of technology, there are always weaknesses exposed and the need to strengthen the security of any protocol. We’ve seen the push from HTTP > HTTPS for example across the internet a few years back, and if you’re still using HTTP….shame on YOU! Now, it’s time to do the same for wireless security. By that, I don’t just mean implement a few things that are optional.
For a number of months now, there has been a document before the IEEE looking at ways to do just that and increase wireless security as it stands today. The efforts that have been mentioned more frequently since Jan. 2018 are known as WPA3, or Wi-Fi Protected Access v3. There are four main improvements that WPA3 focuses on, but for this article the area I’d like to focus on is found in RFC 8110 – Opportunistic Wireless Encryption, or OWE for short. The efforts behind this RFC come from Dan Harkins (HPE/Aruba) and Warren Kumari (Google) and centers around the need to provide unauthenticated encryption of wireless transmissions from stations. In laymen’s terms, there is an ever increasing need for the ability to secure wireless traffic from devices without adding the burden of security methods such as 802.1X upon end users. In even simpler terms, it will keep your data encrypted when you walk into Starbucks, McDonalds, etc and connect to the open wireless network. While IMO there is no security protocol that is ever truly unbreakable, this goes a long way to ending data leakage from public hotspots by people with sniffers. While the number of users that were capable of understanding how to obtain this information a decade ago may have been pretty low, the availability of tools and platforms today that can do this for you shows the need for security to “catch up”.
Now before you go and say security is difficult and no one will do it, keep in mind that OWE is taken care of automatically if you will. According to the RFC document,
“OWE is a replacement for 802.11 “Open” authentication. Therefore,
when OWE-compliant access points are discovered, the presentation of
the available SSID to users should not include special security
symbols such as a “lock icon”. To a user, an OWE SSID is the same as
“Open”; it simply provides more security behind the scenes.”
To be a bit more technical, OWE does not include ANY identity information such as that found during an 802.1X authentication. The device will still be “unknown” outside of the standard information such as MAC address, IP, and anything that is scavenged from the DHCP process or from scraping header information from HTTP traffic for example. The client device wishing to use OWE will look for beacons in the air that are advertising an Authentication and Key Management (AKM) suite for OWE. After information (elements) are added to assoc request/response frames, both the AP and Client append their public key to their respective frame. Once this association has been negotiated and completed, the devices complete the key exchange process (you can read more about these keys here in my previous blog) the connection is established and secured.
You need to do nothing more than what you do today when you click on a wireless network to connect. How hard is that? That’s what I thought you’d say…it’s not hard at all. The important thing to note is that OWE does NOT provide for end to end data security. That’s not the goal. The goal is to simply protect the data between the device and the access point and let the network perform its normal responsibilities from that point forward. We all know that when you put a group of people with different viewpoints into a room each and every one has their own agenda, or in the case of the Wi-Fi Alliance group, various company agendas. While I understand the cost of potential resources to develop, test, and implement new protocols and standards into technology isn’t exactly cheap or easy, this one would be a monumental step in helping secure the most popular access method in networks today. We’ve reached a point with the number of devices connecting to wireless networks and the importance of keeping the data safe has surpassed the need for agendas and greed by those that chose not to improve the technology, but rather keep it lagging behind.
If you agree that the need for additional security is needed, please help encourage the Wi-Fi Alliance and its representatives to push this across the finish line and have it ratified as part of the WPA3 protocol. Better methods need to be REQUIRED parameters that are only backwards compatible in a limited fashion (for example only support WPA2 & newer moving forward). Now, I know the complaints will pour in about alienating a number of devices (some critical for business purposes) but in due time all wounds heal. Devices can be replaced, as the cost for doing so is way less than the cost of a potential massive data breach. The bandaids for security should no longer be acceptable for end users and businesses alike. After all, everyone stands to lose with weak security practices.
Love your feedback.