Better News About WPA3 Device Support

[thiggins]

(Image credit: Actiontec)​

The WPA3 Certification announced yesterday revealed that only one of the four mechanisms described when WPA3 was first announced earlier this year is included in the Certification.

The mandatory Simultaneous Authentication of Equals (SAE) method replaces WPA2's four-way session key generating "handshake" that was vulnerable to the KRACK attack and offers protection against dictionary attacks in general. Since it occurs only during the AP-STA authentication process, SAE doesn't significantly increase processor load.

The upshot is that this watered-down definition of WPA3 should be able to be added to devices that currently support WPA2. So rip-and-replacing all your current Wi-Fi gear to get improved security should not be necessary.

The "will they/won't they" (upgrade existing stuff) question now boils down to how vendors view the priority of supporting existing products vs. pumping out new stuff. So I asked Qualcomm, Linksys and NETGEAR for their official word on plans to support WPA3 on existing Wi-Fi products. The question posed to each was "Could you please comment on your plans to support WPA3 in existing products?".

Since Qualcomm is at the top (or bottom) of the Wi-Fi food chain, let's start with them.

"Qualcomm expects to incorporate WPA3 security features into chipsets in summer 2018 for mobile devices beginning with the Qualcomm® Snapdragon™ 845 Mobile Platform and on all Wi-Fi networking infrastructure products. We are supporting WPA3 on new SW releases (per timeline indicated above). Any vendor who ports the latest SW release for any AP product we supply, will support WPA3. This would include IPQ40xx family."

This felt a little wiggly, so I asked for confirmation whether WPA3 will eventually be supported "in all Wi-Fi devices in Qualcomm's current catalog and going forward, both AP and STA (client) devices". The response:

"Any network infrastructure product (based on AR,QCA,IPQ chip/set) that ships, starting this summer, will support WPA3. Any mobile device SD845 or higher, supports WPA3."

Pretty encouraging, particularly since if Qualcomm doesn't upgrade drivers, ain't nothin' gonna happen downstream.

Next up, Linksys offered a definite maybe...

”Linksys plans to support next generation WPA3 security. This functionality is highly dependent on the Wi-Fi chipset provider, thus support will be on a case-by-case basis. If legacy products are supported, Linksys will deploy automatic firmware updates to all enabled products. In many cases, WPA3 support will be offered in newer chipset and products. More details will be released at time of availability.”

Finally, NETGEAR replied:

"We (NETGEAR) are working with our partners integrating latest security protocol WPA3 in our home networking products. We will inform media and customers when this update is available. Based on our investigations, we deem that it’s highly likely that the majority of products should be able to make use of the feature by updating firmware on existing product.

WPA3 has two components – Personal and Enterprise. Our statements are only in context of Personal WPA3. Enterprise version is supposed to add 192-bit encryption and may impact hardware."

I belatedly reached out to ASUS and will update this post with their response when I receive it.

 

[Killhippie]

Thats great news, much better tghan the thought that my newly purchased 2018 OLED TV and my XR500 router may now not be obsolete Wi-Fi wise as I am not buying a new TV in a long long time.

 

[thiggins]

Thats great news, much better tghan the thought that my newly purchased 2018 OLED TV and my XR500 router may now not be obsolete Wi-Fi wise as I am not buying a new TV in a long long time.

Nothing is guaranteed. I wouldn't hold my breath for a WPA3 upgrade for the TV....

 

[RMerlin]

Yeah, TV manufacturers are notoriously bad at keeping their software stack up-to-date. Smart TVs are generally a bad idea in the long run, better to spend money on a discrete box instead that will get better software support, and will also be cheaper to replace in a few years than the whole TV.

If you want something high-end, the nVidia Shield TV is the box to get. I recently replaced my NAS (running Kodi) and my Chromecast with one. Cheaper alternatives like Roku, or even just a plain Chromecast paired with a smartphone are also worth considering, based on your needs.

 

[avtella]

Agreed, looked at Shield and is probably the best pick at the moment but with free Roku’s coming in every other year for betas I’m gonna stick with those for now.

 

[Trebuin]

Yeah, TV manufacturers are notoriously bad at keeping their software stack up-to-date. Smart TVs are generally a bad idea in the long run, better to spend money on a discrete box instead that will get better software support, and will also be cheaper to replace in a few years than the whole TV.

If you want something high-end, the nVidia Shield TV is the box to get. I recently replaced my NAS (running Kodi) and my Chromecast with one. Cheaper alternatives like Roku, or even just a plain Chromecast paired with a smartphone are also worth considering, based on your needs.

Plus, governments spy on you through your smart TV.

 

[Killhippie]

Nothing is guaranteed. I wouldn't hold my breath for a WPA3 upgrade for the TV....

Its an Android TV so it may get an update, time will tell...

 

[quadra2030]

The problem is, Smart TV crap is everywhere.. find me an OLED TV without all this sw crap (full of security bugs and slow), but with quality picture scaler (at least on Sony A1 level) and SMB client for playback (with good MKV implementation) and that would be winner for many people!

 

[thiggins]

The problem is, Smart TV crap is everywhere.. find me an OLED TV without all this sw crap (full of security bugs and slow), but with quality picture scaler (at least on Sony A1 level) and SMB client for playback (with good MKV implementation) and that would be winner for many people!

Just don't connect the TV to a network...
Every TV these days also supports 3D and I don't use that either.

 

[quadra2030]

That's the way I have my LG OLED TV installed connected to Apple TV, had nVidia Shield for testing, too many issues (correct framerate without skipping, bad upscaling quality compared to Sigma hw chipset like Popcorn or Dune network players, Apple TV has issues too, but is definitely closer to them)..

 

[Killhippie]

The problem is, Smart TV crap is everywhere.. find me an OLED TV without all this sw crap (full of security bugs and slow), but with quality picture scaler (at least on Sony A1 level) and SMB client for playback (with good MKV implementation) and that would be winner for many people!

I have the Sony A8 and its great as far as having it connected I don't mind it being hooked up, I turn off all the google stuff and Samba crapola and love Netflix with HDR and Dolby Vision Amazon Prime with HDR and Dolby Vision and BBC iPlayer with (no 3D as thats been phased out) the same and YouTube all without an extra box. Also I don't have to think about checking for firmware updates and apps are updated weekly (You Tube, BBC iPlayer etc) to fix bugs. Anonymity online is near on impossible now. Even with a decent VPN, script blocking ad blocking etc they can still follow you around by what your blocking habits are it seems now, your bank card is leaking like a sieve when its in a shop thanks to its RFID chip (yes I have a Faraday wallet) You cant win.

In the end though I block as much as I can but if I wanted to remain anonymous completely I would be living off the grid with electricity from a generator, no TV no Internet, and killing my own food... making my own clothes and living as a hermit. Every piece of tech we have has bugs, the OS you are typing on does, your phone does, I really have not got time to make a tinfoil hat for my home but I take precautions to limit as much as I can while still enjoying the benefits of the tech I have. After all that Apple TV is leaking like a sieve as well @quadra2030, all this stuff does.

 

[thiggins]

Folks, please stay on topic, which is WPA3...

 

[Killhippie]

It will be an interesting time, I think companies will have to try as much as they can to retrofit where possible firmware for WPA3 because buying new routers and Clients will be a major headache for most and lead to WPA3 not picking up pace for a few years. The changes in WPA3 seem to show that, but how well that will go down in the security community is another thing altogether. I guess its a case of having to balance all new hardware being needed and consumer buying cycles as well. New phones, computers, tablets etc and routers seem to be less important to people as they are perceived as not more powerful than what they have already so people keep hold of them longer, so backporting WPA3 by changing what's in the certification is easier but has security been compromised?

 

[Razor512]

Agreed, adoption of new hardware can be a major barrier (it did not work out for 802.11ad). If they put profits ahead of security, WPA3 will have a massive uphill battle. they need to examine all commonly owned hardware going back multiple years, and see what can handle it.

For example, I don't see why a snapdragon 835 or even a snapdragon 820 SOC cannot handle WPA3 as the WiFi back end does not seem to have really changed. It simply seems like a business decision to exclude hardware that could otherwise handle WPA3, especially for a standard that the vast majority of users do not even consider or think about.

 

[RMerlin]

Agreed, adoption of new hardware can be a major barrier (it did not work out for 802.11ad). If they put profits ahead of security, WPA3 will have a massive uphill battle. they need to examine all commonly owned hardware going back multiple years, and see what can handle it.

For example, I don't see why a snapdragon 835 or even a snapdragon 820 SOC cannot handle WPA3 as the WiFi back end does not seem to have really changed. It simply seems like a business decision to exclude hardware that could otherwise handle WPA3, especially for a standard that the vast majority of users do not even consider or think about.

Governmental bodies need to start applying pressure on manufacturers. WPA3 isn't just a random feature improvement, it's a necessary security fix to a flawed mechanism. This should therefore be considered a matter of security. If the requirements are purely software, then pressure should be applied on manufacturers to fix it.

 

[sfx2000]

Folks, please stay on topic, which is WPA3...

I agree - please keep in mind that any AP that supports WPA3 will also support WPA2, as WPA2-AES is a requirement in the core 802.11 specs, esp for 802.11n and 802.11ac - as previously mentioned, some vendors may provide updates in the interim, and I think that the first WPA3 clients likely will be mobile phones, just because of product cycle that they're in with major annual updates across the product lines.

As long as the AP supports WPA3, one can soft-roll into full WPA3 as one does now with equipment upgrades/updates...

This would apply both the the home/small business, as well as the enterprise where product lifecycle tends to be long, e.g. 36-60 months is not unusual these days before laptops/desktops are decommissioned.

Going to WPA3 and the enterprise - that might be more of an issue, depending on the state of WLC's and Auth Centers, which may have dependencies if there are new mandatory information elements that need to be supported. Might or might not, IMHO, as I have not been able to get a copy of the formal WPA3 specifications yet...

 

[sfx2000]

WPA3 isn't just a random feature improvement, it's a necessary security fix to a flawed mechanism.

I don't see WPA2 (either Personal or Enterprise) as a major security risk, it's still very robust, esp. Enterprise, and WPA2-Personal can be similar with a strong enough passphrase and using WPA2-AES for auth and ciphering...

Yes, there have been issues in the past - KRACK is a good example, but that wasn't a flaw in WPA2, but a flawed implementation of the chipset drivers in current/legacy equipment.

One thing I would like to see is for the vendors to fully remove WEP (any flavor) and WPA1-TKIP and WPA2-TKIP, aka WPA2 mixed mode - that mixed mode operation does have flaws that can be exploit via the group key being TKIP and not AES.

There's no real need for it any more, and this would simplify device driver development...

 

[sfx2000]

One thing I would like to see is for the vendors to fully remove WEP (any flavor) and WPA1-TKIP and WPA2-TKIP, aka WPA2 mixed mode - that mixed mode operation does have flaws that can be exploit via the group key being TKIP and not AES.

One of the key things that I do applaud is the recognition that WPS is very broken, and needs to go away and replaced with something that is (1) better/more secure, and (2) easier to use for end-users, and (3) makes development more consistent.

WPS was, and is, overly complicated for the problem it was trying to solve, for both end users (pin or pushbutton) and developers because they needed to cover multiple approaches, which is why critical bugs are still there...

The working group attempted to resolve the WPS problem with the WPA3 spec, but I can understand that it was out of scope, since WPS is not part of WPA2/WPA1, or the supporting IEEE 802.11 specs...

 

[thiggins]

eero says they'll "eventually" support WPA3.
https://blog.eero.com/everything-need-know-wpa3/

 

[umarmung]

Still no news from Broadcom nor Asus?