logo
0 Shopping Cart 0 Item(s)-R0.00

No products in the cart.

Wi-Fi Security Protocols: Explained

Wi-Fi Security Protocols: Explained

Posted on By

Wi-Fi Security Protocols: Explained

Wi-Fi has become the backbone of modern industrial and IoT networks, but its convenience comes with security challenges. Protecting wireless data from eavesdropping and unauthorized access is critical, especially in enterprise and industrial environments where sensitive data or control systems are at stake. Over the years, Wi-Fi security protocols have evolved through several generations – each building on lessons from the previous to provide stronger encryption and authentication. Understanding these protocols (and their vulnerabilities) is essential for wireless engineers to deploy robust, secure Wi-Fi networks.

To put things in perspective, here are the four main generations of Wi-Fi security protocols and what they introduced:

  • WEP (1997) – Wired Equivalent Privacy, the first Wi-Fi security standard. It used the RC4 stream cipher with a static key, which proved easy to crack due to fundamental flaws . WEP is now obsolete.
  • WPA (2003) – Wi-Fi Protected Access, a stopgap upgrade to WEP. WPA introduced the TKIP mechanism for per-packet keying and message integrity, improving security but still relying on RC4 encryption . It supported personal (PSK) and enterprise (802.1X) modes.
  • WPA2 (2004) – The long-term replacement standardized as 802.11i. WPA2 uses AES encryption with CCMP for much stronger security . It became the industry standard for many years, supporting both PSK and 802.1X authentication. WPA2 is highly secure but not infallible (e.g. the KRACK vulnerability emerged later) .
  • WPA3 (2018) – The latest Wi-Fi security standard, building on WPA2 with new features. WPA3 adds stronger encryption options, a new SAE handshake to block offline attacks, required management frame protection, and easier secure onboarding for IoT devices . It comes in Personal, Enterprise, and Enhanced Open variants.

Legacy Wi-Fi Security Protocols: WEP and WPA

WEP – The Original (Insecure) Standard

Wired Equivalent Privacy (WEP) was introduced in 1997 as the original 802.11 security mechanism, attempting to provide confidentiality comparable to wired networks . WEP uses the RC4 stream cipher for encryption and a 24-bit Initialization Vector (IV) combined with a pre-shared key. Unfortunately, WEP’s design had serious weaknesses. The IV is too short and is sent in plaintext, leading to frequent IV reuse and exposing patterns that allow attackers to derive the key . Additionally, WEP’s integrity check (CRC-32) is not cryptographically secure, so attackers could tamper with packets and forge the checksum . Within a few years, researchers demonstrated that WEP could be cracked in a matter of hours or even minutes with tools like AirSnort, by collecting enough packets to brute-force the keystream . High-profile breaches underscored its insecurity (for example, the 2007 TJ Maxx breach was traced to WEP weaknesses). WEP was formally deprecated in 2003, and it’s no longer considered secure for any use. In fact, the Payment Card Industry (PCI) standards forbade its use for credit card data after those flaws became evident . Today, if any legacy or embedded device still only supports WEP, it should be upgraded or isolated – WEP is effectively broken as a security mechanism.

WPA – A Stopgap Improvement

Wi-Fi Protected Access (WPA) was rushed out in 2003 as a interim replacement for WEP’s failures. The Wi-Fi Alliance needed something quickly deployable via firmware updates on WEP-era hardware . To enable this backward compatibility, WPA still relied on the RC4 cipher, but it introduced TKIP (Temporal Key Integrity Protocol) to strengthen encryption. TKIP dynamically generates new per-packet keys by mixing the shared base key with the device’s MAC address and a packet sequence number, dramatically improving on WEP’s static key approach . WPA also added a 64-bit message integrity code (MIC) (often called “Michael”) to each packet to detect tampering, replacing WEP’s weak CRC check . Importantly, WPA defined two usage modes: WPA-Personal (pre-shared key) for home/SMB use, and WPA-Enterprise (802.1X authentication with a RADIUS server) for enterprise networks .

WPA markedly improved security over WEP – a key could no longer be recovered simply by sniffing enough traffic. However, because it was constrained to RC4, it was not as strong as it could have been. Over time, cryptographers found that WPA’s TKIP itself had vulnerabilities. By 2008-2009, researchers demonstrated attacks that could, in limited cases, decrypt packets or inject spoofed data by exploiting weaknesses in TKIP’s MIC and key derivation process . While these attacks were not as devastating as WEP’s complete crack, they showed WPA with TKIP was not fully secure against determined attackers. TKIP was officially deprecated in 2012 . Today, WPA (TKIP) is considered a legacy protocol; modern networks should avoid TKIP and use more secure alternatives. In practice, WPA was a bridge to get us to the next generation – and that next generation arrived just a year later with WPA2.

WPA2: The Longtime Security Standard

By 2004, the IEEE had finished a comprehensive overhaul of Wi-Fi security (the 802.11i amendment). The result, adopted as WPA2, was a huge leap forward. WPA2 replaced the flawed RC4/TKIP encryption with the Advanced Encryption Standard (AES) cipher, paired with CCMP (Counter Mode with CBC-MAC Protocol) for robust encryption and integrity protection . AES-CCMP uses 128-bit keys and is vastly stronger and more secure than the RC4/TKIP scheme in WPA. This made WPA2 extremely effective at protecting data confidentiality and integrity on wireless networks. WPA2 retained support for both Personal (PSK) mode and Enterprise (802.1X) mode like WPA did . Notably, WPA2 was designed without having to accommodate old WEP hardware, so it could implement security right, from the ground up, rather than making compromises for backward compatibility .

Under WPA2, when a client joins the network, a cryptographic 4-way handshake is used to establish a unique session key between that client and the access point . Each session gets its own encryption keys derived from the master secret (PSK or 802.1X credentials), providing both forward secrecy for that session and preventing other clients from decrypting each other’s traffic . This was a major improvement – it meant that even if one user’s passphrase was somehow known, an eavesdropper still couldn’t decrypt traffic between a different user and the AP.

For over a decade, WPA2 was the gold standard for Wi-Fi security. It is still widely used today (as of 2025) and considered secure when properly implemented. However, WPA2 has not been without issues. Perhaps the most infamous vulnerability was the 2017 KRACK (Key Reinstallation Attack). KRACK exploited a flaw in the WPA2 handshake implementation – by manipulating handshake messages, an attacker could trick a device into reinstalling an already-used key, resetting packet counters and enabling decryption of traffic . Importantly, this attack was not due to a weak cipher but a protocol logic issue, and it affected essentially all correct implementations of WPA2 . Fortunately, KRACK can be mitigated with software patches (and these were quickly rolled out by vendors once the attack became known) . Another limitation of WPA2-Personal is its vulnerability to offline dictionary attacks if users choose a weak passphrase. An attacker can capture the WPA2 handshake and then attempt billions of possible passwords offline until the right one is found . This is why WPA2-PSK networks absolutely require strong, random passwords (or else risk being cracked by anyone with a beefy GPU and some time). WPA2 lacks forward secrecy beyond the session level – the shared PSK remains the same unless changed, so if an attacker somehow obtains the PSK, they could decrypt past and future traffic captured from that network (until the key is changed).

Despite these concerns, WPA2 with AES-CCMP is still considered secure for most purposes, and it protected Wi-Fi networks successfully for many years. But the discovery of new attack techniques (like KRACK) and the ever-increasing computational power available to attackers prompted the industry to develop the next evolution: WPA3.

WPA3: The Next Generation of Wi-Fi Security

First announced in 2018, WPA3 is the latest Wi-Fi Alliance security certification, designed to address WPA2’s weaknesses and to secure wireless networks against modern threats. WPA3 comes in similar flavors – Personal and Enterprise – and also introduces features for open networks and IoT onboarding. Here’s how WPA3 improves upon its predecessor:

WPA3-Personal – SAE Defends Against Password Cracking

In WPA3-Personal, the familiar PSK-based authentication is replaced by a more secure handshake known as SAE (Simultaneous Authentication of Equals). SAE is essentially a variant of the Dragonfly key exchange. For the user, it works similarly (you still enter a Wi-Fi password/passphrase to join), but behind the scenes the security is much stronger. Unlike the WPA2 4-way handshake (which an attacker could capture and brute-force offline), SAE prevents offline dictionary attacks. Each time a client tries to authenticate, SAE performs an exchange that ensures the passphrase is never transmitted or derived in a form that an eavesdropper can reuse . It also limits authentication attempts – an attacker can’t just passively capture one exchange and then test millions of guesses; they would need to actively interact and guess one password at a time, which will be obvious and quickly halted . In short, WPA3-Personal effectively locks out the Wi-Fi password cracking tools that made WPA/WPA2 vulnerable when weak passwords were used. Another benefit is that WPA3 mandates the use of Protected Management Frames (PMF) for all connections . In WPA2, PMF was optional (and often disabled), which left networks open to deauthentication and disassociation attacks (where an attacker can spoof management frames to kick users off the network). Under WPA3, PMF is always on, adding an extra layer of resilience against certain denialof-service or man-in-the-middle tactics.

WPA3-Enterprise – Stronger Encryption and Robust Authentication

WPA3-Enterprise continues to use 802.1X with an external authentication server (e.g. RADIUS), just like WPA2-Enterprise, but it introduces some enhancements for high-security environments. First, WPA3- Enterprise supports an optional 192-bit cryptographic suite (sometimes called WPA3-Enterprise 192-bit mode or the CNSA suite) for organizations that require “top secret” level security . This mode aligns with the U.S. National Security Agency’s Commercial National Security Algorithm (CNSA) requirements and uses AES-256 in GCM mode and SHA-384, providing a consistently higher security level for government, defense, and industrial networks . Even in standard mode, WPA3-Enterprise still uses AES-128 but benefits from the protocol improvements (like mandatory PMF and tighter negotiation rules).

Another significant change is that WPA3-Enterprise requires servers to present valid certificates and clients to validate them during the 802.1X/EAP authentication process . In the past, under WPA2-Enterprise, some organizations would skip validating the RADIUS server’s certificate (or users would click “ignore” on certificate warnings), which opened the door to “evil twin” attacks – attackers could set up a rogue AP impersonating the legitimate network and trick users into connecting and divulging their credentials. WPA3 addresses this by making server certificate validation mandatory, thus closing that loophole and preventing unsafe configuration . Beyond that, WPA3-Enterprise keeps using proven EAP methods (with a strong preference for certificate-based EAP-TLS for the highest security) and is backward-compatible with WPA2- Enterprise if needed. The bottom line: properly configured WPA2-Enterprise was already very secure, but WPA3-Enterprise adds icing on the cake with higher encryption options and stricter requirements to eliminate misconfigurations.

Wi-Fi Enhanced Open – Encrypting Open Networks

One of the notable “bonus” features rolled out alongside WPA3 is Wi-Fi Enhanced Open, which uses OWE (Opportunistic Wireless Encryption) to improve security on open Wi-Fi networks. Traditionally, “open” Wi-Fi (no password) provides no encryption at all – any data you send can be sniffed by anyone nearby. OWE fixes that. With Enhanced Open, when a client connects to an open SSID, it automatically goes through a Diffie-Hellman key exchange with the AP to establish a unique encryption key for that session . No password or user interaction is required (the user experience is the same as connecting to any open hotspot), but behind the scenes, the traffic is encrypted on the air using the negotiated key . This means that even on a public cafe Wi-Fi, users get individual encryption – a nearby eavesdropper cannot simply capture and read others’ traffic anymore. It’s important to note that OWE does not provide authentication (you still don’t know who the AP is or have a shared secret), so it’s not equivalent to a secure authenticated network. However, it dramatically improves privacy for open Wi-Fi usage by thwarting casual snooping . Wi-Fi Enhanced Open is not technically part of the WPA3 certification, but it was released at the same time and is often discussed in tandem . For any environment offering guest or public Wi-Fi, Enhanced Open (OWE) is a recommended best practice to protect user privacy without the overhead of managing login credentials.

Wi-Fi Easy Connect (DPP) – Simplified IoT Onboarding

Another WPA3-era improvement is Wi-Fi Easy Connect, which is based on the Device Provisioning Protocol (DPP). This feature is designed to securely onboard devices that have no screen or interface – a common scenario in IoT. Anyone who has tried to configure a smart gadget that lacks a keyboard or display knows the pain of typing Wi-Fi passwords indirectly. Easy Connect allows such a device (the enrollee) to be securely added to the network using a mediator device like a smartphone. Typically, the enrollee comes with a QR code (or NFC tag) containing its public key; the user scans this with a phone to authorize the device onto the Wi-Fi network . Behind the scenes, the DPP protocol uses a public-key cryptography exchange to provision the IoT device with the network credentials without ever broadcasting the password itself . The result is a much more secure and user-friendly way to bring headless devices online. For industrial and enterprise IoT deployments, Easy Connect is a boon – it means you can deploy large numbers of IoT sensors or devices and onboard them by scanning codes, rather than inputting PSKs manually or using default passwords. Easy Connect is compatible with both WPA2 and WPA3 networks (the secure onboarding is out-of-band, and the device can then join using WPA2 or WPA3 as supported) . This mechanism reduces the reliance on insecure or hardcoded passwords for IoT devices. As IoT adoption grows, features like DPP help maintain network security without sacrificing convenience.

It’s worth noting that WPA3 is backward-compatible with WPA2. During the transition period, most WPA3-capable access points run in a mixed mode that accepts WPA3 connections but still allows WPA2 for older devices. This ensures that existing devices can still connect, albeit without the new benefits. Adoption of WPA3 has been steady but not lightning-fast – many client devices (especially IoT gear) have long lifecycles and may only support WPA2 . Still, the trend is clear: WPA3 is the future for Wi-Fi security, and over time it will likely become the standard in both consumer and industrial realms as equipment is refreshed. Its enhancements like SAE, PMF, OWE, and DPP provide a much-needed modernization of Wi-Fi’s security for the coming decade.

Real-World Wi-Fi Vulnerabilities and Attacks

Even with strong protocols, real-world attacks against Wi-Fi networks have been a constant over the years – usually targeting the weakest link or exploiting implementation oversights. Here are some notable vulnerabilities that underscore why staying updated is vital:

  • WEP Cracking: WEP’s flaws made it an easy target for hackers. Tools were developed to passively sniff Wi-Fi packets and recover the WEP key by analyzing IV collisions. In practice, a WEP-secured network can be cracked in minutes by capturing a sufficient amount of traffic . Attackers can then decrypt all data or even inject malicious packets. This complete break of WEP is why it was abandoned long ago.
  • TKIP Attacks on WPA: Although WPA addressed the immediate crisis by patching WEP’s issues, researchers eventually found ways to attack TKIP as well. One example was the Beck-Tews attack (circa 2008) which could decrypt small packets by exploiting weaknesses in TKIP’s MIC (Michael) and by sending crafted packets. Other researchers showed methods to inject spoofed packets or do replay attacks on TKIP-encrypted networks . These were complex and limited attacks (nothing like the total defeat of WEP), but they demonstrated that WPA-TKIP was not immune. The safest course for network admins was to move to WPA2/AES and disable TKIP entirely, especially after it was deprecated in 2012 .
  • KRACK on WPA2: The KRACK vulnerability in 2017 was a wake-up call on WPA2’s four-way handshake. By repeatedly resetting and replaying part of the handshake, an attacker could gradually decrypt data by forcing nonce reuse . An important aspect of KRACK is that it was a flaw in the protocol specification (affecting all devices that correctly implemented WPA2) . The attack could let adversaries read information that was assumed to be safely encrypted under WPA2, and in some cases even inject malicious data (like ransomware downloads) into the traffic stream . The good news is that KRACK can be fixed with patches – updating client and AP software/firmware to the patched versions eliminates the vulnerability . This underscores the need for regular updates: if you don’t patch, a known attack like KRACK can remain a hole in your network.
  • Dragonblood on WPA3: WPA3 is very robust, but its early implementation wasn’t flawless. In 2019, security researchers discovered a suite of vulnerabilities dubbed Dragonblood that applied to some early WPA3-Personal (SAE) implementations . These included side-channel leaks that could potentially allow an offline dictionary attack on the SAE handshake, as well as downgrade attacks that trick a device into using WPA2 if both WPA2/3 mixed-mode was enabled . The Wi-Fi Alliance responded by updating the WPA3 certification requirements and vendors issued patches to fix these issues. While the Dragonblood attacks were quite sophisticated and not trivial to pull off, they proved that no new protocol is immune to scrutiny. The lesson: even with WPA3, one should keep firmware updated, and follow recommended configuration guidelines to avoid downgrade scenarios.
  • Dictionary and Social Engineering Attacks: A common thread with any PSK-based network (WPA2-PSK or WPA3-SAE) is the human factor – using weak passwords. Attackers don’t always need cryptographic breakthroughs; often they can guess or obtain the Wi-Fi password through social engineering or by capturing handshakes and brute-forcing weak passphrases. This is why strong passphrases or, even better, enterprise authentication are crucial. WPA3-SAE significantly mitigates offline guessing, but if someone obtains the password through other means (phishing an IT admin, for instance), they can still access the network. Always treat the Wi-Fi password as sensitive and educate users not to share it inappropriately.
  • Rogue Access Points / Evil Twin: Some attacks bypass weaknesses in encryption by targeting user behavior and network configuration. In corporate environments, a classic attack is the “evil twin” AP – an attacker sets up a fake Wi-Fi network with the same name as yours to lure connections. If enterprise clients are not validating server certificates (a historically common misconfiguration in WPA2-Enterprise), they could be tricked into connecting to the rogue AP which then harvests their credentials . Once credentials are stolen, the attacker can use them to authenticate to the real network. This is precisely the scenario that WPA3-Enterprise’s mandatory certificate validation is meant to thwart. The takeaway here is that correct configuration is as important as the protocol strength. A strong protocol used incorrectly can still be broken.

In summary, real-world attacks have targeted every generation of Wi-Fi security – but each new generation has dramatically raised the bar for attackers. By using the latest protocols, keeping systems updated, and configuring networks properly, administrators can stay ahead of the vast majority of threats.

Best Practices for Secure Industrial and IoT Wi-Fi Deployments

Choosing a strong security protocol is the first step, but proper implementation is equally important. This is especially true in industrial and IoT deployments, where devices may have limited interfaces or long lifecycles, and where a breach could have serious consequences (e.g. disrupting critical processes). Here are some best practices wireless engineers should follow to maximize Wi-Fi security:

  • Use the Latest Wi-Fi Security Protocol (WPA3 if possible): Whenever feasible, enable WPA3 on your networks – it offers the strongest protections available today . If some devices don’t support WPA3, use WPA2 with AES (CCMP) as a fallback. Avoid WPA/TKIP, and never use WEP – those legacy protocols are outdated and easily compromised . Upgrading old hardware that only supports insecure protocols is well worth the improved security.
  • Prefer Enterprise Authentication (802.1X) over Shared Passwords: In enterprise or industrial networks with many devices, WPA2/WPA3-Enterprise (802.1X with EAP) is far more secure and scalable than a single shared Wi-Fi password. Each device or user gets unique credentials (or certificates), so a compromise of one doesn’t open the whole network . Enterprise mode also allows centrally managed authentication policies and integrates with directory services. While it requires a RADIUS/AAA server backend, the security payoff is significant – especially for IoT devices that support 802.1X or any scenario where granular access control is needed.
  • Use Strong, Unique Pre-Shared Keys (and consider PPSK for IoT): If you must use Pre-Shared Keys (for example, on a smaller network or for certain IoT devices that can’t do 802.1X), make sure the passphrase is long, complex, and unique to that network. Change it periodically to flush out any unknown sharing. Better yet, some modern WLAN systems support Private PSK / Multiple PSK features, where each device or user gets a unique Wi-Fi password even in a WPA2-Personal network . This isolates the damage if one key is leaked (only that device’s access is affected, not everyone’s) . For IoT deployments, having per-device credentials – whether through PPSK or digital certificates – is a smart way to contain risk and trace device activity.
  • Enable Protected Management Frames and Other Security Features: Make sure to enable Protected Management Frames (PMF) on your Wi-Fi networks if you’re using WPA2. PMF is mandatory in WPA3 , but on WPA2 it might be optional – enabling it helps protect against deauthentication/disassociation attacks by rogue actors. Also consider using network monitoring tools to detect rogue APs or suspicious connections. Many enterprise Wi-Fi systems offer intrusion detection/prevention for wireless threats – use these features to your advantage in an industrial setting where uptime and security are paramount.
  • Keep Firmware and Devices Up-to-Date with Patches: Wi-Fi security protocols (and their implementations) can have flaws discovered years after deployment – as seen with WPA2’s KRACK and WPA3’s Dragonblood issues. Manufacturers typically release firmware updates to patch these vulnerabilities . It is vital to keep your wireless infrastructure (APs, controllers, and clients if possible) updated to the latest stable firmware. Develop a regular schedule to check for and apply security patches. Likewise, replace or isolate devices that no longer receive updates. An unpatched AP or IoT device can be the weak link an attacker targets.

In addition to the above, standard security hygiene applies: segment your network (e.g., keep IoT devices on a separate VLAN or network segment with limited access to critical systems) to mitigate damage if a device is compromised, use strong monitoring and logging to detect anomalies, and educate personnel about the dangers of unauthorized APs or sharing passwords. By combining the best available Wi-Fi security protocol with rigorous best practices, you can achieve a robust wireless security posture for industrial and IoT environments that rivals that of wired networks.

Conclusion

Wi-Fi security has come a long way from the days of WEP’s “wired equivalent” (which turned out to be not equivalent at all) to the modern resilience of WPA3. Each iteration – WPA, WPA2, WPA3 – has raised the security bar, incorporating stronger encryption and authentication methods to counter new threats and attack techniques. For wireless engineers, it’s crucial to stay informed about these protocol developments and to implement them thoughtfully. Industrial and IoT networks present unique challenges with legacy devices and mission-critical reliability needs, but following the principles outlined above will help ensure that connectivity does not come at the expense of security. In summary, use the strongest protocols available, configure them correctly, keep everything updated, and remain vigilant. Wi-Fi may broadcast over invisible airwaves, but with the right security in place, your network’s defenses will be far from transparent to any would-be intruders. Secure Wi-Fi is not a set-and-forget task – it’s an ongoing commitment to adapt and uphold best practices as technology evolves . By doing so, you can reap the benefits of wireless freedom without opening the door to unwelcome guests on your network.

Learn more about Ezurio’s line of Wi-Fi and Wi-Fi + Bluetooth modules at www.ezurio.com/wifi.

Courtesy of Ezurio

share post: