Why there is an urgent need for a new, smarter Wi-Fi protocol
Worldwide, the number of connected devices currently sits around 20 billion, and is expected to reach over 75 billion by 2025. This massive growth also goes hand in hand with an increased dependence on Wi-Fi connections, especially given the proliferation of smartphone, tablet and IoT device use across the globe. Apple has even gone so far as to drop ethernet ports from its laptops.
However, as our dependence on Wi-Fi grows stronger, the need to ensure adequate security of our online connections has taken on more importance than ever. And our current Wi-Fi security protocol just doesn’t cut it.
Last October a security expert at Belgian university KU Leuven uncovered a vulnerability (named KRACK) in the modern wireless security protocol WPA2 that was able to expose sensitive information such as credit card numbers and passwords that were accessed on “all modern protected Wi-Fi networks.” In a publication about the discovery, the researcher explained the extent of the vulnerability, pointing out, “if your device supports Wi-Fi, it is most likely affected.”
With the expected growth of connected devices and the concurrent reliance upon Wi-Fi, this recent attack should come as a wake-up call regarding the urgent need to develop a new, smarter Wi-Fi protocol.
Why are we still relying on an outdated system?
WPA2, our current wireless security protocol, was launched in 2004 -- the same year that Facebook was founded and iPod sales took off -- and obviously things have changed since then.
Wi-Fi Alliance has traditionally been charged with the responsibility of overseeing the development of Wi-Fi protocols and working with manufacturers to deal with security and encourage users to use safe passwords. However, the organization’s response to the recent vulnerability demonstrates that they are not dealing with the real issue at hand.
Instead of recognizing the need for a new security protocol, the organization responded by praising quick fixes like patches to sidestep the major security vulnerability. “This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users,” reads the press release.
Nevertheless, the need remains to overhaul WPA2 and develop a smarter protocol that can keep up with the industry’s rapid technological advances.
To be fair, doing so would be no easy task. A major challenge is that Wi-Fi has to work with various hardware, and it would be challenging to create a new Wi-Fi security protocol that is compliant with all existing devices and widely adopted. Changing the Wi-Fi protocol could mean that individuals using legacy systems would be cut off from the internet due to compatibility issues, which is a problem organizations like Wi-Fi Alliance are not ready to face.
Additionally, manufacturers are not pushing for better protocols either. Tech companies and chip manufacturers have the resources and research teams to create a better protocol, but recognize the same challenge. As users have not yet demanded a better standard, these companies are not taking the steps to spark the necessary change.
What are the risks of an outdated protocol?
Today’s outdated protocol has left Wi-Fi users extremely susceptible to breaches. Hackers have demonstrated the ease with which they can breach a city’s public Wi-Fi, in addition to the Wi-Fi at hotels and convention centers. Moreover, some hackers have even managed to break into connected car systems to drain the car battery, set off the alarm or change user settings. For individuals, these types of hacks threaten to compromise sensitive information such as their social accounts and bank accounts, and make their IoT devices susceptible to botnets.
For businesses, the threat is perhaps even greater. The outdated WPA2 protocol poses the risk of exposing clients’ financial details or even preventing the authorization of transactions. A common example is the 2013 breach that exposed the data of 70 million Target customers. While it hasn’t been outright confirmed, their Wi-Fi network is the primary suspected cause of the breach. And despite the risk, many businesses don’t feel adequately prepared to handle such breaches. In fact, a recent survey found that nearly two-thirds of respondents were doubtful their businesses could defend against a mobile cyber attack.
More broadly, however, the weak WPA2 protocol carries a number of other risks. Among them, when the network is compromised, it enables anyone to disconnect users from the Wi-Fi network through deauthentication attacks. In effect, this could prevent users from completing important transactions by locking them out of their networks.
Hackers may even be able to crack WPA2 passwords offline within just a few minutes by intercepting the handshake information as devices set up their connections with Wi-Fi base stations. And once connected to the network, hackers can sniff traffic from everyone in the same network.
What are the possible solutions?
As Wi-Fi Alliance suggested in its press release, the immediate measures that should be taken involve working with the current system and taking steps to avoid being hacked. This requires users to update their various devices regularly -- especially their phones, IoT devices, access points and routers. Additionally, users can take steps to enable WPA2 and disable other protocols like WEP or WPA, use longer and more complex Wi-Fi passwords and opt for 3G, 4G and LTE networks over public Wi-Fi.
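The settings recommended above can be checked mechanically. The following added example (not part of the original article) audits a hostapd-style access point configuration for WEP, WPA version 1 and weak passphrases; the two sample configurations, the 16-character minimum and the three-character-class rule are assumptions chosen for illustration.

```python
WEAK_CONF = """\
# constructed sample, not from a real deployment
ssid=ExampleNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=summer2017
wep_key0=1234567890
"""

HARDENED_CONF = """\
# constructed sample, not from a real deployment
ssid=ExampleNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=Tr4il-Orbit-Maple-92
"""

MIN_LEN = 16      # assumed policy; WPA2 itself accepts 8 to 63 characters
MIN_CLASSES = 3   # assumed policy: lower, upper, digit, other


def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def char_classes(s):
    """Count how many of the four character classes appear in s."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in s) for t in tests)


def audit(text):
    """Return findings for legacy protocols and weak passphrases."""
    conf, findings = parse_conf(text), []
    if any(k.startswith("wep_") for k in conf):
        findings.append("WEP configured: remove wep_* settings")
    wpa = int(conf.get("wpa", "0"))  # hostapd bitfield: 1 = WPA, 2 = WPA2
    if not wpa & 2:
        findings.append("WPA2 not enabled: set wpa=2")
    if wpa & 1:
        findings.append("WPA (version 1) enabled: set wpa=2")
    pw = conf.get("wpa_passphrase", "")
    if pw and len(pw) < MIN_LEN:
        findings.append(f"passphrase has {len(pw)} characters, want {MIN_LEN}+")
    if pw and char_classes(pw) < MIN_CLASSES:
        findings.append("passphrase uses too few character classes")
    return findings
```

Running `audit(WEAK_CONF)` reports the WEP key, the enabled WPA version 1 bit and both passphrase problems, while `audit(HARDENED_CONF)` returns an empty list.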
Nevertheless, these measures are short-term fixes that don’t get at the heart of the problem. The better solution would be to develop a new Wi-Fi security protocol that addresses the various issues with the current WPA2.
Such a solution would require public networks to be more secure, instead of giving everyone on the network access to each user’s information. This would involve encrypting everything -- even the non-HTTPS connections. Currently, when accessing a non-secure website on Wi-Fi, everything that is posted or read is transparent to everyone on the network, allowing them to track all users’ behaviors. Fortunately, this type of encryption is already widely adopted and would be easy to implement for a new protocol.
Second, the new protocol would need to authenticate both users and machines. Under the current protocol, the primary focus is on authenticating machines once the device is connected to the access point. However, users and machines have different behaviors, and differentiating between a user and a machine at the router level would make it easier to track and analyze the actions of each.
Finally, a new protocol should be easily upgradable over-the-air so that when something like KRACK happens again, the issue could be remedied much faster. When the vulnerability was exposed back in October, a solution was released the following day, but some users couldn’t upgrade because their hardware/software vendor had not released a patch yet or they didn’t know how to install it. This remains a major problem under the current Wi-Fi protocol due to the sheer number of device manufacturers and specific compatibility requirements for each.
As the number of connected devices is expected to grow rapidly throughout the world in coming years, the need for a secure wireless protocol is of utmost importance. The WPA2 vulnerability exposed in October is a major reminder of the need to develop a new protocol that is adequately equipped to handle the rapid technological progress coming at us. KRACK was not the first security flaw revealed with the current system, and it will certainly not be the last.