WPA3 (WAN Show Comment)

Just checking out the WAN show this week, about how we should all move to WPA3 due to how easy WPA2 is to crack.

 

But one thing I was screaming out was that there is one (very common!) device out there which lots of us have which doesn’t support WPA3, which is the Nintendo Switch!

 

For me, it’s the only device now I own which doesn’t support WPA3, and short of putting it on its own SSID and VLAN, how are others handling this?

I'm on WPA2, cause I honestly don't care.

Only my 6GHz network is on WPA3, because Ubiquiti WiFi 6e won't allow WPA2.

25 minutes ago, smnhdy said:

short of putting it on its own SSID and VLAN, how are others handling this?

I assume most people are just not caring, and if you do care that is probably the only real way around it.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*

What method exactly?  As I know KRACK was supposed to be easy, but modern WPA2 Access Points have key-reinstallation mitigation built-in.  The real question is if the Switch is also patched against this, you'd certainly hope so.  But then even if not, I fail to see what use they would get at forcing a closed device like this onto a spoofed AP and having it patched on the router/AP should prevent spoofed clients from getting on your WiFi.

 

The bigger risk is on the 2.4GHz band, where your IoT devices are typically located and won't necessarily be that secure to begin with.  So having 2.4GHz on a private network not connected to your main LAN is recommended anyway, especially given it's likely the only band someone will be able to pick up from the street where they could attempt such a hack.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7

1 hour ago, Senzelian said:

I'm on WPA2, cause I honestly don't care.

Only my 6Ghz network is on WPA3, because Ubiquiti won't allow WPA2 on 6Ghz.

It's not Ubiquiti that won't allow it, it's per the 6E and 7 spec that 6GHz won't allow WPA2 and lower.

5 minutes ago, Lurick said:

It's not Ubiquiti that won't allow it, it's per the 6E and 7 spec that 6GHz won't allow WPA2 and lower.

True, thanks for correcting it.

WPA3 in my experience causes weird bugs on some devices too. And when you encounter those, not really much you can do other than change/upgrade that device, or disable WPA3. 

Until that goes away, is it really worth deploying? 

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1

3 hours ago, smnhdy said:

Just checking out the WAN show this week, about how we should al move to WPA3 due to how easy WPA2 is to crack.

 

But one thing I was screaming out was that there is one (very common!) device out there which lots of us have which doesn’t support WPA3, which is the Nintendo Switch!

 

For me, it’s the only device now I own which doesn’t support WPA3, and short of putting it on its own SSID and VLAN, how are others handling this?

Money.

 

You could always do 'hotspot' from your PC using your machine's WAP and local network to host your Switch when in use if it's your only device that doesn't support WPA3.

Ryzen 7950x3D PBO +200MHz / -15mV curve CPPC in 'prefer cache'

RTX 4090 @133%/+230/+1000

Builder/Enthusiast/Overclocker since 2012  //  Professional since 2017

8 hours ago, bcredeur97 said:

WPA3 in my experience causes weird bugs on some devices too. And when you encounter those, not really much you can do other than change/upgrade that device, or disable WPA3. 

Until that goes away, is it really worth deploying? 

Anything specific?  Can't say I've noticed any problems though I only have it deployed on my WiFi 6 clients specifically.

13 hours ago, Alex Atkin UK said:

Anything specific?  Can't say I've noticed any problems though I only have it deployed on my WiFi 6 clients specifically.

I have a Lenovo laptop with a Realtek 8822CE that refuses to work with WPA3. But that is Wireless-AC.

Although it also has issues sometimes with WiFi in general, so I guess it's just not the best adapter.

I have seen other issues in the past, but that's all I have that's specific for ya

Wait, you guys have devices that support WPA3 ?

Other than my phone, I literally have nothing like that... I guess I don't update my tech often enough. Even my router doesn't support it.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro

On 3/7/2024 at 2:18 PM, smnhdy said:

Just checking out the WAN show this week, about how we should al move to WPA3 due to how easy WPA2 is to crack.

Maybe I'm mistaken, but they were talking about how easy it is with modern hardware to brute-force WPA2.

The solution is long and complex passwords. The password can use up to 63 ASCII characters.

I think anyone using the full range of characters (including special characters) and at least 30 should be mostly safe for the foreseeable future.

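The post above rests on how a WPA2-Personal passphrase is turned into the key an attacker has to guess. The script below is an added example for this thread (not code from the forum, the WAN show, or any vendor): it implements the IEEE 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output) and the 8-to-63 printable-ASCII rule, checks itself against the published 802.11i test vector ("password" / "IEEE"), and estimates how long exhausting the passphrase space takes at an assumed guess rate. The 1e6 guesses-per-second figure and the 30-character default are assumptions for illustration.

```python
"""WPA2-Personal: passphrase -> PMK, and what a long passphrase buys you.

Added example for this thread, not code from the forum or the WAN show.
Implements the IEEE 802.11i PSK mapping (PBKDF2-HMAC-SHA1, SSID as salt,
4096 iterations, 256-bit output) plus the 8..63 printable-ASCII passphrase
rule, then estimates worst-case search time at an assumed guess rate.
"""
import hashlib
import math
import secrets
import string

# All printable ASCII except space: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def validate_passphrase(passphrase: str) -> str:
    """802.11i: 8..63 characters, each printable ASCII (0x20..0x7E)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 passphrase must be 8 to 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("WPA/WPA2 passphrase must be printable ASCII")
    return passphrase


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits).

    For WPA2-Personal the PSK is the PMK. An attacker holding a captured
    4-way handshake repeats exactly this call once per guess, so the cost of
    an offline attack is (number of guesses) x (one PBKDF2 run).
    """
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def generate_passphrase(length: int = 30) -> str:
    """Uniformly random passphrase over the 94-symbol alphabet (OS CSPRNG)."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def search_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random passphrase of this length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = len(ALPHABET)) -> float:
    """Worst-case time to try every passphrase of this length at the given rate."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Assumed attacker rate: 1e6 PBKDF2 runs per second. The exact number
    # does not change the conclusion; only the passphrase length does.
    for n in (8, 12, 20, 30):
        print(n, round(search_space_bits(n)), f"{years_to_exhaust(n, 1e6):.3g} years")
    print(generate_passphrase(30))
```

The point the numbers make: the 4096-iteration PBKDF2 only multiplies the attacker's per-guess cost by a constant, so an 8-character passphrase is a budget question, while a 30-character random one from the full printable set is around 196 bits and is out of reach regardless of hardware. A dictionary word or a short phrase does not get that benefit, because the attacker guesses from a far smaller list than the full alphabet.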
23 hours ago, TetraSky said:

Wait, you guys have devices that support WPA3 ?

Same thought. I don't think I have a single device that supports WPA3, or if I do there are very few.

I just want to sit back and watch the world burn. 

Stop listening to Linus for tech advice.

Not sure where he got the idea that WPA2 is easy to crack from. He is not right though if that's what he said in the video. 

WPA2 is, when configured properly, very secure. There are a few pitfalls you can fall into when configuring WPA2 but most vendors have good defaults so unless you deliberately start changing settings you don't know what they mean (like switching from CCMP to TKIP), you will be fine.

On 3/7/2024 at 2:49 PM, Alex Atkin UK said:

The bigger risk is on the 2.4Ghz band, where your IoT devices are typically located and wont necessarily be that secure to begin with.  So having 2.4Ghz on a private network not connected to your main LAN is recommended anyway, especially given its likely the only band someone will be able to pick up from the street where they could attempt such a hack.

Frequency has nothing to do with it. 2.4GHz, 5GHz and 6GHz are equally secure to each other. It's true that some IoT devices, which may be insecure, might only support 2.4GHz, but it's not the network that's insecure in those cases. Thinking that isolating the 2.4GHz clients from the 5GHz clients will increase security is completely wrong.

If you want to isolate your IoT devices then you isolate them based on the device type/purpose/security practice, not the frequency they use to connect. Especially since plenty of IoT devices, such as the Raspberry Pi, do support 5GHz these days.

8 hours ago, Donut417 said:

Same thought. I dont think I have a single device that support WPA3, or if I do there are very few.

You probably have quite a few devices that support it.

All your up-to-date Windows machines support it. Your Android devices running Android 10 or higher support it. 

Your iOS devices running iOS 13 or later also support it.

(There may or may not be some old hardware that has trouble with WPA3, but in theory, it does not require any new hardware. All WPA2 hardware should be able to support WPA3. In most cases, you should only have to update the software like your OS and it should work).

28 minutes ago, LAwLz said:

All WPA2 hardware should be able to support WPA3. In most cases, you should only have to update the software like your OS and it should work).

Good to know. I think my dad's Chromebook is unsupported, so that might not have been updated.

4 hours ago, LAwLz said:

Frequency has nothing to do with it. 2.4GHz, 5GHz and 6GHz

I never said 2.4GHz was less secure, I said it's more vulnerable to attack because it reaches far outside your own walls whereas 5GHz will only go through a wall or two before becoming unusable (I lose 5GHz signal at the end of my path) and 6GHz you're lucky to get through one wall.  So the potential for attack on 5/6GHz is very slim unless it's your neighbours.

 

Isolating 2.4GHz from your network is due to the fact IoT devices may also have their security issues, combined with the range. So if that network is compromised either from an IoT device or someone cracking it from their car on the street, it's less damaging if it's isolated.

9 hours ago, Alex Atkin UK said:

I never said 2.4GHz was less secure, I said it's more vulnerable to attack because it reaches far outside your own walls whereas 5GHz will only go through a wall or two before becoming unusable (I lose 5GHz signal at the end of my path) and 6GHz you're lucky to get through one wall.  So the potential for attack on 5/6GHz is very slim unless it's your neighbours.

The security of your Wi-Fi shouldn't be based on range though, and you could always turn down the 2.4GHz antenna if you wanted less range.

What you're advocating is basically security through obscurity, and that's not real security. 

 

9 hours ago, Alex Atkin UK said:

Isolating 2.4GHz from your network is due to the fact IoT devices may also have their security issues, combined with the range. So if that network is compromised either from an IoT device or someone cracking it from their car on the street, it's less damaging if it's isolated.

But that's the wrong way to think, because you shouldn't isolate clients based on frequency. You isolate them based on function. 

Honestly, you're thinking about this all wrong. Frequency has absolutely nothing to do with security. 

If you want to isolate your IoT devices then that's fine, in fact it's probably good to do that. But you should isolate them based on the fact that they are IoT devices, not because they connect to 2.4GHz. You could have a 5GHz IoT network if you wanted as well. 

 

What you should be doing, assuming your network devices support it, is this:

Make a separate SSID based on function/purpose. If you want an IoT network then make that. 

Then map that to a specific VLAN.

It shouldn't be based on frequency. You can have that SSID be transmitted on any frequency you want, 2.4GHz, 5GHz or even 6GHz.

The benefit of doing things this way is that you can have the same network be available on wired connections (just have that VLAN be available on the switch), you can have a 5GHz capable IoT device connect to the network too if that's the better option. You can even have your IoT devices automatically decide if they should connect to 2.4GHz or 5GHz based on load or interference. It will also result in less management overhead because you no longer need to create duplicate configs whenever you want one network on multiple bands. 

 

Are you worried that someone on the street will sit there and try and hack your network because it's sending out at 2.4GHz? Lower your transmission power and make sure your network and devices have decent security implemented on them. Since the actual security mechanisms don't differ between 2.4GHz, 5GHz and 6GHz, your networks should be equally secure to one another. If you're worried about someone attacking your 2.4GHz network then you should be equally worried about the 5GHz network since that should be using the same security practices. It's not like the key exchange or encryption algorithm differs between the two, unless you deliberately made the SSID you mapped to 2.4GHz worse.

The idea that you have a 2.4GHz network that transmits on 2.4GHz and one 5GHz network that transmits on 5GHz is something you probably picked up from using a bunch of consumer grade all-in-one routers, and those typically bridge to each other on those devices anyway, so it's not like it's a security thing.

The frequencies you transmit on should just be a parameter you apply to an SSID. It shouldn't be seen as a separate network. 

Maybe get a smoother transition? Weren't there some issues with its compatibility stuff?

The starting risk and mixing WPA2 and 3.

3 hours ago, Quackers101 said:

Maybe get a smoother transition? Weren't there some issues with its compatibility stuff?

The starting risk and mixing WPA2 and 3.

WPA3 includes a transitional mode. 

It allows a WPA3 enabled network to also accept connections from a WPA2 device. It lets devices that support WPA3 connect with that and the benefits, but lets older devices connect to the same network and use WPA2.

 

The drawback of having that instead of pure WPA3 is that there is a potential risk of having someone downgrade your connection to WPA2 even though your device supports WPA3.

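Two earlier posts describe the same design in words: one SSID per purpose, each SSID mapped to its own VLAN regardless of band, and WPA3 transition mode on the SSID that still has to admit a WPA2-only client such as the console in the original post. The hostapd configuration below is an added example for this thread (not from the forum, Ubiquiti, Zyxel or any product mentioned); it shows both on one radio. Names (wlan0, br-home, br-iot, the SSIDs and placeholder passphrases) are assumptions, and attaching the two bridges to their VLANs on the uplink is assumed to be done outside hostapd.

```ini
# hostapd.conf, added example (not from the thread). One radio, two BSSes:
# "Home" in WPA3 transition mode, "IoT" on WPA2 only. Each BSS lands in its
# own Linux bridge; tagging br-home/br-iot onto VLANs on the uplink is done
# outside hostapd (assumed, e.g. with `ip link` / `bridge vlan`).
interface=wlan0
driver=nl80211
hw_mode=a
channel=36
ieee80211n=1
ieee80211ac=1
ieee80211ax=1
ctrl_interface=/var/run/hostapd

# ----- BSS 1: main network, WPA3 transition mode -----------------------
ssid=Home
bridge=br-home
wpa=2
# Accept SAE (WPA3-Personal) and PSK (WPA2-Personal) on the same SSID.
wpa_key_mgmt=WPA-PSK SAE
# CCMP only. Never re-enable TKIP; that is the pitfall mentioned upthread.
rsn_pairwise=CCMP
# hostapd uses this passphrase for SAE too unless sae_password is set.
wpa_passphrase=CHANGE-ME-to-a-long-random-passphrase
# PMF optional (1) so WPA2 clients can still join; SAE peers must use it.
ieee80211w=1
sae_require_mfp=1
# Allow both the hunting-and-pecking and hash-to-element SAE PWE methods.
sae_pwe=2
# Transition Disable, bit 0 = WPA3-Personal: tells clients that honour the
# indication to stop accepting WPA2 for this SSID, which is the mitigation
# for the downgrade risk described in the post above.
transition_disable=0x01

# ----- BSS 2: IoT / devices that cannot do WPA3 (e.g. a console) ---------
bss=wlan0_1
# Set bssid= explicitly here if your driver does not derive extra BSSIDs.
ssid=IoT
bridge=br-iot
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=ANOTHER-long-random-passphrase
# Optional PMF; set to 0 only for a client that refuses to associate with it.
ieee80211w=1
# Clients on this BSS cannot reach each other through the AP. Note this does
# NOT isolate them from the LAN behind br-iot; that is what the VLAN and the
# firewall are for.
ap_isolate=1
```

The two passphrases are independent, so a device that leaks the IoT key gives nothing away about the home network. The `transition_disable` line only helps clients that implement the Transition Disable indication; a client that does not will still negotiate WPA2 if an attacker strips SAE from the RSN element, which is why the post above calls pure WPA3 the safer option where every client supports it.
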
4 hours ago, LAwLz said:

Make a separate SSID based on function/purpose. If you want an IoT network then make that. 

Then map that to a specific VLAN.

Technically yes, and I do, you seem to be misunderstanding that I was generalising that as the potentially least secure IoT devices tend to only support 2.4GHz, then assuming the 2.4GHz band is tainted and keeping it isolated can be a good idea.

 

People generally won't want to reduce the 2.4GHz range because that's its entire benefit outside of devices that only support it.  I have little concern personally as I have two APs, one WiFi 6 using WPA3 only, and WiFi 5 using WPA2.  So I reduce the range of the latter only.

4 hours ago, Alex Atkin UK said:

Technically yes, and I do, you seem to be misunderstanding that I was generalising that as the potentially least secure IoT devices tend to only support 2.4GHz, then assuming the 2.4GHz band is tainted and keeping it isolated can be a good idea.

Except that's not what you should be doing... Because you shouldn't assume a piece of the spectrum is "tainted". You should assume a network, which is independent of what frequency you transmit it on, is "tainted". Just because a device on let's say the SSID "IoT" is vulnerable does not mean the SSID "Office" is vulnerable because it is broadcasted on the same frequency. A vulnerable device might compromise the network itself, but that does not inherently extend across all devices sharing the same spectrum. Spectrum has nothing to do with it. In most networks, a compromised host on the 2.4GHz spectrum might extend to the 5GHz spectrum as well because they are probably the same network. Having separate 2.4GHz networks and 5GHz networks, with a firewall between them, is a very strange and uncommon setup (because it is a poor, inflexible design that doesn't offer any benefits).

 

The reason I keep pushing on this is that it seems like you think, or at least people reading your post might think, that 2.4GHz is its own "network", which it isn't. What you say makes as little sense as saying "Cat 5e is tainted, so you should keep that on a separate network" or "100Mbps Ethernet is not secure, so you should keep that on a separate network".

The big issue I have with what you are saying is that you are partially right for the wrong reasons, and as a result, you might mislead people into assuming "devices that are on 5GHz = more secure", which is not true.

 

The frequency has absolutely nothing, none at all, zero, with how secure something is, and a single network can be (and usually is) available on multiple frequencies just like a device with a Cat 5e cable might be connected to the same network as a device with a Cat 6 cable. 

I don't even agree with the premise you built this entire argument on, the idea that insecure IoT devices only support 2.4GHz. I have given you an example of possibly the most popular IoT device and it supports 5GHz. So your argument falls apart even on that front.

 

The part about you having two access points and broadcast two separate networks from each is also a red flag in my mind, but I won't go into that now.

 

I just want to leave the discussion by saying group and isolate devices based on purpose and "security rating", not "frequency they support". It makes no sense to do that. If you want to make an "IoT" network, you can do that. It might be a very good idea to isolate those devices since they tend to be less than stellar security wise. But it is totally fine (and probably a good idea) to have that network be available on both 2.4GHz and 5GHz. Likewise, your "secure WiFi" should probably be available on both 2.4GHz and 5GHz as well. It's the SSID that determines the perimeter of the network, not the frequency. You should absolutely not assume that 5GHz devices are secure and 2.4GHz devices are not secure either. Both can be either good or bad security-wise. Isolate your devices based on potential security risks, not hardware capabilities.

6 hours ago, LAwLz said:

The reason I keep pushing on this is that it seems like you think, or at least people reading your post might think, that 2.4GHz is its own "network", which it isn't.

Okay fair point, I should have been more explicit in saying that "putting IoT devices on their own SSID assigned as a different network to your main LAN via a guest network with client isolation / VLAN". 

 

Of course the problem is I don't think consumer routers typically let you make different SSIDs their own LAN, client isolation often merely isolates WiFi clients from each other, while allowing them full access to the LAN itself.  Then once you start getting into VLANs, that's a lot for most people to get their heads around.

 

I was trying to keep it simple rather than go into extensive details of specifics, perhaps a little too simple.

 

6 hours ago, LAwLz said:

The part about you having two access points and broadcast two separate networks from each is also a red flag in my mind, but I won't go into that now.

Your mind has no idea about my reasoning or environment.  It's plain fact that using different channels dedicated to different classes of devices avoids the slowdown issues of the AP having to constantly switch speeds.  It's also a small enough house that I don't need a mesh network, one AP all devices are in the same room so get full link rate, the other AP covers devices further away or that it doesn't matter if said devices further away slows it down.  There is a usable signal from both across the entire house so there is no drawback to having different SSIDs on different devices.

 

I certainly wouldn't recommend it in an apartment but I'm in a house with thick walls surrounded by trees, so I only get crosstalk from the direct neighbours attached on one side and nobody in range is using DFS channels so I have the whole of Band B to play with on 5GHz.  Before doing this I would rarely get close to Gigabit on WiFi 6, since doing it its not guaranteed but far more consistent.

 

I never set out to do this but I was curious how much difference having only WiFi 6 clients on the WiFi 6 AP would make.  Plus Zyxel suck and don't tell you the link rate over SNMP, so being able to re-use my nanoHD with OpenWRT on it allowed better monitoring of the clients on that AP.

I don't know whether my network is on WPA2 or 3, but honestly I'm not even concerned about it. Even in the extremely slim chance a van fitted out with this expensive network cracking stuff just happens to drive by my house and use it specifically on my house, I try to keep everyone in my family from keeping files that could be harmful when in the wrong hands from being on our devices. Even if you got something like account passwords, everything is outfitted with 2FA and the like. 

By reading this, you're entering a contract that says you have to visit my profile.

My ghetto router (used as an AP) doesn't even support WPA3.  I'm not even mad.

 

...maybe a little...

On 3/11/2024 at 4:46 AM, Alex Atkin UK said:

Okay fair point, I should have been more explicit in saying that "putting IoT devices on their own SSID assigned as a different network to your main LAN via a guest network with client isolation / VLAN". 

 

Of course the problem is I don't think consumer routers typically let you make different SSIDs their own LAN, client isolation often merely isolates WiFi clients from each other, while allowing them full access to the LAN itself.  Then once you start getting into VLANs, that's a lot for most people to get their heads around.

 

I was trying to keep it simple rather than go into extensive details of specifics, perhaps a little too simple.

Except you weren't keeping it simple because what you said was just straight up wrong.

As I have said time and time again, the frequency does not matter at all. The 2.4GHz and 5GHz networks that are usually sent out by typical consumer routers? They have full access to each other. Putting IoT devices on the 2.4GHz network and other devices on the 5GHz network does not provide any additional security, at all, because they are the same network.

On 3/11/2024 at 4:46 AM, Alex Atkin UK said:

Your mind has no idea about my reasoning or environment. 

Judging by your comments in this thread I suspect your reasoning is wrong, and now you're giving advice to others that at best gives them a false sense of security while actually providing zero security benefits. At worst you might be doing that on top of making their network less functional and more limited.

On 3/11/2024 at 4:46 AM, Alex Atkin UK said:

It's plain fact that using different channels dedicated to different classes of devices avoids the slowdown issues of the AP having to constantly switch speeds.

Excuse me but... What are you on about?

You are wording things very weirdly, but I assume you are talking about how having, let's say, an 802.11g device on a network capable of 802.11n will slow things down for all the wireless-N devices. Is that what you are talking about? Because that is completely unrelated to everything you have said so far. That has nothing to do with security, it has nothing to do with frequency, and it is not a reason for segmenting IoT devices into 2.4GHz and other devices into 5GHz. What you are talking about is simply not related to frequency.

 

It's also not because the AP has to "constantly switch speeds" that it slows things down... The switching of "speed" (as in, the protocol used) is instantaneous. The reason why older devices might slow down speeds for newer devices is because they require more airtime to transmit the same amount of data. Since Wi-Fi is a shared medium, everyone has to wait for the transmission to be over. The slower the device is, the longer time the others have to wait (or rather, the more time slots it will be allocated to send the same amount of data as a faster device).

Beacon frames are also sent at the lowest mandatory data rate so that also slows things down since they use up airtime too.

 

But again, that has nothing to do with the frequency it operates on. It is not a reason to keep IoT devices on a 2.4GHz network and other devices on a 5GHz network. It might be a reason why you would like to put them on different SSIDs, but that is unrelated to frequency as I have said time and time again.