In mid-2020, Mark Grayson, Andrew Myles and I published a White Paper (shameless self-plug!) that examined and compared the security features of Wi-Fi 6 and 5G. We concluded that both WI-Fi 6 and 5G provide the features necessary to serve as the basis of secure wireless communications, together and separately, well into the next decade. Our conclusion stands today!
A key theme of the White Paper was that the security features specified for use in both Wi-Fi/IEEE 802.11 and cellular/3GPP networks have successfully evolved over many years to meet the challenges of changing requirements and emerging threats. This journey has included the occasional misstep. WEP was Wi-Fi’s original reaction to not having security, however it was also plagued with its own security challenges. The Wi-Fi industry quickly recovered with WPA as an interim solution and then WPA2 as an effective upgrade that met users’ security needs for many years. WPA2 has recently evolved into WPA3, which is now mandatory as part of any new Wi-Fi Alliance certification. Vulnerabilities, often in implementations rather than the specifications, have also occasionally been discovered along the way, but the Wi-Fi industry has always resolved them quickly and effectively, often assisted by the leadership of the Wi-Fi Alliance. Somewhat less positively, the Wi-Fi industry has sometimes taken far too long to phase out the use of old and outdated security technologies, with TKIP (used in WPA) a prominent past example.
Wi-Fi Protected Setup (also known as WPS) is another example of a security feature that was designed with good intentions at heart, then stagnating over time, ending in a missed opportunity for improvement by the Wi-Fi industry. The original intent of WPS was to make it easy for less knowledgeable users to set up a “secure” Wi-Fi network, without having to deal with complex menus and configurations that often require using lingo even many who work in the Wi-Fi industry struggle to understand. This is the classic trade-off between security and user experience. The Wi-Fi Alliance promoted WPS, as recently as 2020, as being a trade-off particularly suitable for the home and small office segments. WPS is easy to use! However, WPS security vulnerabilities have been well known for many years, both in its PIN mode of operation and its push button mode of operation. A quick search of the web will find plenty of credible sources advising against its use.
While WPS is promoted for the home and small office segments, the impact and importance of the WPS vulnerabilities are independent of these use cases. There is no warning that states “WPS is ok for your home, just don’t use this in the enterprise” and there is no mechanism that blocks its use in environments when security is important. Some argue this is acceptable because WPS avoids the customer satisfaction issues/help desk calls that often arise from users misconfiguring security in a home or small office Wi-Fi network. However, the reality is that WPS is not “best in class” security. Industry created WPS because they believed the end users/consumers were not savvy enough to configure security on their home or small office network – how can they expect those same users to understand the risks that arise from enabling WPS?
WPS, in many respects, represents another example of the Wi-Fi industry being too slow to phase out the use of old and outdated security technologies. Its vulnerabilities should have been addressed by the Wi-Fi industry immediately, either by fixing WPS or by putting a plan in place to phase WPS out for a new and better solution. Unfortunately, the Wi-Fi industry has adopted neither option since the first WPS products were certified by the Wi-Fi Alliance in 2006 – fifteen years ago!
The Wi-Fi industry is now on the verge of taking a backward leap. There are apparently plans to introduce Miracast products using WPS in the greenfield, 6 GHz band. For those unfamiliar with Miracast, it is the Wi-Fi Alliance certification that “enables seamless display of multimedia content between Miracast devices.” Miracast generally requires the use of WPS; therefore, the latest generation of Wi-Fi in 6 GHz (Wi-Fi 6E) will continue using a known outdated and vulnerable security protocol for some use cases. Deployment of Miracast in the 6 GHz band will enable and encourage the further proliferation of WPS, under the cover of Miracast, into a band that has been rightly earmarked by most in the Wi-Fi industry for only “state of the art” security mechanisms (including WPA3), even for home and small office users. Potentially making this even worse, given Miracast targets at least some use cases in enterprise and industrial environments, the expansion into the 6 GHz band will encourage the use of WPS, behind the scenes, in segments that deserve the best possible security.
In a time of increasing competition with 5G technologies, it is vital that the Wi-Fi industry maintains its twenty-year tradition of continuously improving Wi-Fi security. WPA3 and the new, greenfield 6 GHz band provides opportunities for embedding “best in class” security in Wi-Fi networks for years to come, with no compromise. The Wi-Fi industry should embrace these opportunities rather than leaping backwards. In the context of WPS, this means the Wi-Fi industry must:
- Resolve to isolate the 6 GHz band from the security missteps of the past, particularly the WPS misstep
- Start a process of discouraging the use of WPS in the 2.4 GHz and 5 GHz bands, particularly in use cases where excellent security matters, ultimately deprecating its use completely
- Accelerate development and adoption of alternatives to WPS as soon as possible to assist users to easily connect to Wi-Fi in a secure manner in the 2.4 GHz, 5 GHz and 6 GHz bands, particularly when using important and valuable features like Miracast.
In the meantime, in the spirit of truth in advertising, maybe it is time to rename Wi-Fi Protected Setup as Wi-Fi (un)Protected Setup!
Check out our Cisco Networking video channel