Wi-Fi 7 and Security: What You Need to Know

This blog focuses on how Wi-Fi 7 helps to drive improved wireless security, specifically talking about how some of the new features and capabilities, such as required use of WPA3 in 6Ghz and MLO capabilities for passphrases/validation.

Author

Wi-Fi Security with Different WPA Types

While not directly addressed in the Wi-Fi 7 standard, security is always something that people should be thinking about when it comes to any new standard, especially Wi-Fi. Operating in an unlicensed spectrum with a Common Air Interface (CAI) that is published for the world to conform to, opens up many opportunities for attackers to find vulnerabilities, like KrACK and FragAttacks. In today's world, it is almost a requirement for people to have a better understanding of how their data packets are secured when being sent over Wi-Fi in an effort to prevent hackers from gaining access to personal data like your mortgage loan, bank accounts, and other Personally Identifiable Information, or PII.

Simply changing your default router password, while still a requirement, isn't the only thing that users need to be aware of.

While there isn’t anything focused on Wi-Fi security in Wi-Fi 7, there is an artifact that stems from Multi-Link Operation that will have some impact on how devices and APs secure the wireless connection. But first, let’s cover some basics.

WPA2 Data Encryption Security

WPA2™ was introduced in 2004 with 802.11i as a "permanent" replacement for the WPA™ standard (Wi-Fi Protected Access®) that was released as a stop-gap measure when WEP was cracked in 2003. Except for the new 6 GHz band, all the 802.11 PHY amendments (802.11a/b/g/n/ac/ax/be) have been backward compatible with previous generations. That means that your iPhone 4 that you refuse to give up can still connect to a brand-new Wi-Fi 7 AP. It probably isn’t going to work great (for a lot of other reasons) but it will still work. Just because we have WPA3™, unless the networks are configured to specifically ignore anything other than WPA3™, it can still work.

Even your laptop from 2001 running 802.11b and WEP will still be able to see an 802.11be network on 2.4 GHz, it just won’t be able to connect unless the administrators enabled WEP on the SSID. But the bigger picture is WPA2 isn’t deprecated just because we have WPA3. 6 GHz operation has a provision to only support WPA3, but that is a requirement of the spectrum, not of any specific Wi-Fi generation.

WPA3 Data Encryption Security

After 14 years of service in the technology world (a lifetime, really) WPA3 was introduced in 2018 to bring about some much-needed improvements to how wireless security is implemented. While that is too much to get into in this blog, in short, it really helps with preventing attackers from brute force attacking an encryption handshake after the fact, commonly referred to as an offline dictionary attack.

WPA3 has the same two options as WPA2, with the same two methods but with a slightly different name. WPA2-Personal, oftentimes referred to as a Pre-Shared Key (PSK) network, has been replaced with WPA3-SAE, or Simultaneous Authentication of Equals. While the end user won't notice any difference (they still enter a passphrase on their device to secure their Wi-Fi Connections) there are some big changes on the backend that fix some security issues with WPA2-Personal that we won't get into here (although you can read more about it in our Wireless Security with Passphrases blog).

WPA3-Enterprise is very similar to WPA2-Enterprise, the type of security seen on most enterprise networks today. There are still multiple EAP types (Extensible Authentication Protocol) with Transport Layer Security (or EAP-TLS) being the preferred method. WPA3-Enterprise adds additional, mandatory increases in cryptographic strength as well as mandating 802.11w (Protected Management Frames) for the standard, whereas the previous specifications had 802.11w as optional.

Networks can be configured with what is known as a “transitional security posture” that will accept both WPA2 and WPA3 devices on the same SSID (this would be a 5 GHz SSID since WPA2 isn’t allowed to be configured in 6 GHz) to preserve backward compatibility for older devices; but as with everything, there is a risk with this. While newer devices are backward compatible with older standards, older devices might see the transitional flags in the new SSID and not know how to deal with that, and simply fail to connect.

This means that while we would like to be able to offer a very simple and straightforward service to all client devices, those days might be limited. A workaround would be to make band and security-specific SSIDs to spread out the load and security stance of the network.

Does the introduction of WPA3 mean WPA2 is now just as bad as WEP (for internet use, passwords, etc.)?

On the contrary! WEP (Wired Equivalent Privacy) was truly broken when WPA was announced, while WPA3 is an upgrade of WPA2. WPA2, configured properly, is susceptible to offline dictionary attacks, but the time needed to crack that password is measured in decades, not hours.

Configured properly means using a passphrase that is at least 16 characters, not shared with anyone else, and using Advanced Encryption Standard (AES) encryption. WPA2-Enterprise is close enough to WPA3-Enterprise that simply being able to enable 802.11w gets you pretty close to WPA3-Enterprise for "most" instances. WPA3 is still where we want to get to, but WPA2, with a few extra precautions thrown in, is still a respectable method to secure your wireless networks.

Using WPA3 in 6 GHz as a design guide

Thanks to a myriad of variables that we see when examining the client devices that use Wi-Fi networks of today (Android vs. iOS, old vs. new, mobile vs. fixed devices) many people see the requirement of using WPA3 in either mode (Enterprise using Extensible Authentication Protocol or EAP, and SAE, Simultaneous Authentication of Equals) or OWE as a hindrance to this new spectrum, but there is another way of thinking about this. Instead of trying to work around these new security protocols, we should really be embracing them.

Band specific Wi-Fi Design Chart, RUCKUS Wi-Fi 7

For devices we care about (and are new), we would assign them a 6 GHz SSID with WPA3. Devices like BYOD or other devices we might not be as concerned about will stay at 5 GHz with WPA2 Personal (PSK or DPSK); we could add a second SSID for WPA3-Enterprise for those devices we really care about but aren’t new enough for the new 6Ghz band. Finally, this leaves 2.4 GHz for IoT and other devices that are categorized as “Best Effort” with no requirements or expectations of flawless service. Incidentally, by separating out devices this way, we are categorizing devices and securing them with the “best” security available for each, which, if you reference one of our previous blogs, is a best practice. For even more best practices on separating out IoT devices, make sure to check out our IoT Device Security blog, too.

Multi-Link Operations and Security

As promised, there is a security angle to this new Wi-Fi 7 feature. Multi-Link Operation (MLO, you can read more about that on our previous Wi-Fi 7, MLO blog) is the idea that multiple radios inside a device will be talking to another device at the same time, but across different radio bands. In order to make this work, there was a problem with identity that needed to be solved, and it was about making sure that the Layer 2 frames from the same device would have the same MAC address so the receiving end could confirm that the received frames were from the same device, and not mix up frames from different devices.

What does Wi-Fi 7 and MLO have to do with security?

With MLO, there is an introduction of a “higher level” MAC Address across the three radios in a Wi-Fi 7 device. This single, high-level MAC address is used for the encryption keys; instead of three keys being used(one key for each of the possible radio bands being used), the devices only need to build one set of keys. Known as a MAC-SAP endpoint or MLD (Multi-Link Device) address, this address lives above the actual radio transceiver.

Wi-Fi 7 MLO showing MAC-SAP Endpoint

This single key means that as the client device switches bands during MLO link selection, a new encryption key doesn’t need to be created. With the lower latency requirements of VR/AR/esports, any microsecond saved on the RF side of the transmission is critical to achieving the latency numbers these applications are aiming for.

While not a groundbreaking development in the world of security, MLO does point to some future developments that could impact how networks and client devices see each other across all wireless communications. Sharing a single MAC address for every wireless connection has some advantages when we start to consider converged radio access between Wi-Fi and cellular and how a device could switch between the two, depending on a myriad of factors.

There isn’t anything on the horizon now for any development like that, but, much like how MLO is allowing devices to select the best operating channel at the moment of transmission, it hints that our client devices are starting to work better with our wireless infrastructures, and only good things can come from that.

What about RUCKUS Networks?

You can find out more about Wi-Fi 7 by visiting the Wi-Fi 7 web page on the RUCKUS Networks website. This page will be a go-to resource for anyone wanting to keep up-to-date on Wi-Fi 7 as we get closer to the amendment ratification by the IEEE and the Wi-Fi 7 certification announcement from the Wi-Fi Alliance. To continue reading the rest of this blog series, check back on the Wi-Fi 7 page for future links or our blog section.

Readers can also learn more about RUCKUS Networks products and solutions by visiting these websites: RUCKUS Networks Products and RUCKUS Networks Solutions. To learn more about how RUCKUS can help your organization with the latest evolution in networking technology, send us a note and a specialist can reach out to help you, with Wi-Fi 7 or any RUCKUS Networks products.