WPA status - WiFi Security and WiFi7

What version of WPA are you currently using?


Yeah, and for different reasons - I've seen most carrier gateways do the WPA2 approach, mostly because it keeps support calls to a minimum...

WiFi-Alliance has kept WPA3 support as a must for certification since 2019 - but there's a lot of devices that have not gone through WFA testing, as it's an optional thing.

As the thread here indicated - to get the most out of WiFi7, WPA3 is a must, but this adds issues with legacy devices that cannot support WPA3.
Scanning nearby networks, ISP gateways, in addition to their default WPA2, also show as AES-TKIP, again probably to reduce support calls.

My personal experience with a Honeywell thermostat purchased in 2015 is that it will only connect to an SSID that offers AES-TKIP which isn't available on the most recent versions of Merlin's firmware. Until all the cheap IoT devices have become e-waste WPA3 isn't a good option for most residential locations.
 
Are there any new IoT devices with 802.11ax/WPA3 on 2.4GHz support?

The chipsets are out there... here's a few that are focused on IoT
 
Are there any new IoT devices with 802.11ax/WPA3 on 2.4GHz support?
Just tested this. I have just one device that will connect quite freely to an ax/WPA3 network - my washing machine. Other than that all my IoT devices trip up on WPA3, though they all connect just fine to a combined WPA2/WPA3 network.
 
Other than that all my IoT devices trip up on WPA3

Common situation. If you can separate all WPA2-only devices onto a different VLAN and run WPA3 only on your main VLAN, you get the potential WPA3 benefits. A different SSID with WPA2 or WPA2/WPA3 with access to the main VLAN is down to the WPA2 security level. And this security level is still quite high, because the possible attack is local only (limited to your WLAN range) and depends on some luck (the key has to be brute-forced). With a complex key it may take years. So WPA2 is in theory less secure, but in reality hard to break.
 
The real question is whether anyone is still using WEP. As much as I like my Apple devices (no haters please) Apple is useless for reporting network connection details.
 
As much as I like my Apple devices

See this for "Apple in networking" (Ubiquiti):


When Apple/Ubiquiti decide you don't need this information - you're not getting it. When they decide you shouldn't be using specific option from specific point on - it just disappears from the list of available options.



If I want to use an old device with WEP/WPA only support or connecting with WPS and I'm willing to accept all the risks... my network after all, want to do whatever I like with it - nope, security issue, can't have it. 🤷‍♂️
 
The real question is whether anyone is still using WEP. As much as I like my Apple devices (no haters please) Apple is useless for reporting network connection details.
I can't remember when the last WEP-only device came into my hands, but my last WPA (not WPA2) device was a Sony PSP that I gave away to a friend many years ago. And at that time it had already been gathering dust in a drawer for a few years, so - pretty old.
 
The real question is whether anyone is still using WEP. As much as I like my Apple devices (no haters please) Apple is useless for reporting network connection details.

For macOS - hold down the Option key while picking the wifi menu, and details are there...

iPhone/iPad/Apple TV unfortunately don't have that ability.
 
The real question is whether anyone is still using WEP

I can't see using WEP on a regular basis - there might be a corner case for those that have the retrocomputing hobby, and there, one could temporarily stand up an AP just for that purpose and then take it down once the session is completed...
 
My personal experience with a Honeywell thermostat purchased in 2015 is that it will only connect to an SSID that offers AES-TKIP which isn't available on the most recent versions of Merlin's firmware. Until all the cheap IoT devices have become e-waste WPA3 isn't a good option for most residential locations.

Just want to add here that AES-TKIP are just the ciphering modes for WPA/WPA2...

One should not be using TKIP as this cipher is completely broken these days - CCMP (AES) is the minimum, and that should work for both WPA and WPA2...

Unfortunately there are some old WPA clients that only do TKIP - 11b and 11g in the Post-WEP transition - if one recalls, WPA-TKIP was designed to work with the legacy WEP enabled wireless chipsets...

Anyways, we're getting way off the topic - topic being considerations for WiFi7 and the WPA3 requirement there for EHT modes (and MLO) in all supported frequency bands/blocks...

Should also add that in WPA3 - GCMP-256 can lead to performance issues with older clients that do support WPA3... and older AP chipsets, same thing - they can do it, but it's SW, not HW for the AES accelerator blocks...

Same goes with WPA2/WPA3 mixed - as PMF is optional there (PMF is required for WPA3) - there are client chipsets that get into a dark place with the Groupwise Keying for PMF that force them into SW decode - I hate to say this, but the most common one there was a Broadcom BCM4339 fullmac chip - which is common in many mobile phones...
 
I have one more reason to stay on WPA2-Personal - my 2.4GHz/5GHz SSIDs carry 2x VLANs each with Private Pre-Shared Keys. I don't have separate Guest Network, I have Guest password. Whatever client uses it lands on isolated VLAN. Very easy and convenient.

 
I have one more reason to stay on WPA2-Personal - my 2.4GHz/5GHz SSIDs carry 2x VLANs each with Private Pre-Shared Keys. I don't have separate Guest Network, I have Guest password. Whatever client uses it lands on isolated VLAN. Very easy and convenient.

As long as it works, that's fine...

WFA guidance is similar - two SSIDs - one for WiFi7/WPA3, and one for legacy on WPA2 (or WPA2/3)

From a design perspective, doing the legacy isolation at the bridge is likely best practice, versus doing AP style client isolation...

But this still doesn't solve interop for LAN based services for legacy devices.
 
Just want to add here that AES-TKIP are just the ciphering modes for WPA/WPA2...

One should not be using TKIP as this cipher is completely broken these days - CCMP (AES) is the minimum, and that should work for both WPA and WPA2...

Unfortunately there are some old WPA clients that only do TKIP - 11b and 11g in the Post-WEP transition - if one recalls, WPA-TKIP was designed to work with the legacy WEP enabled wireless chipsets...

Anyways, we're getting way off the topic - topic being considerations for WiFi7 and the WPA3 requirement there for EHT modes (and MLO) in all supported frequency bands/blocks...

Should also add that in WPA3 - GCMP-256 can lead to performance issues with older clients that do support WPA3... and older AP chipsets, same thing - they can do it, but it's SW, not HW for the AES accelerator blocks...

Same goes with WPA2/WPA3 mixed - as PMF is optional there (PMF is required for WPA3) - there are client chipsets that get into a dark place with the Groupwise Keying for PMF that force them into SW decode - I hate to say this, but the most common one there was a Broadcom BCM4339 fullmac chip - which is common in many mobile phones...
In principle I agree nobody should be running AES-TKIP anymore as it is insecure. I just don't want to spend $140-$170 to replace a ten-year-old Wi-Fi enabled thermostat that, other than the outdated Wi-Fi, functions perfectly. Instead, I have the thermostat connecting to an old travel router set up as an AP connected to my primary router. The AP is on a subnetted VLAN to help protect my more secure devices, and the IP pool available to devices connecting to the AP is restricted to two available IPs. Power of the Wi-Fi signal is very low, so the SSID can barely be detected outside the walls of my home.
 
In principle I agree nobody should be running AES-TKIP anymore as it is insecure.

Again - just to be clear - TKIP is one thing, and AES is another...

WPA-TKIP
WPA2-AES

Gets mixed up when one is doing WPA/WPA2 - as pairwise keys are AES for WPA2 clients, and groupwise keys for all are TKIP - that's pretty messy, as TKIP and WPA are totally owned and insecure - it's trivial these days to break it...

The challenge these days, and @Tech9 was kind enough to point this out - WPA3 is good, but when looking at WPA2/3 mixed, it does get complicated...

In that WPA2/3 mixed environment - one has to consider the group wise keying, aka the GTK - and as @Tech9 points out, this is a concern...

Would be nice if the industry can get rid of the WPA-TKIP, along with 802.11b legacy - these are both taxes on performance...

Minimum spec for 2.4 should be g/n/ax/be and WPA2-AES... removing 11b and WPA-TKIP support makes 2.4 much more useful...

WiFi alliance is pushing things in this direction...
 
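The two posts above (the one explaining TKIP vs CCMP, GCMP-256 and PMF, and the one on the TKIP group key in WPA/WPA2 mixed mode) all come down to what an AP advertises in its RSN information element (element ID 48): one group cipher, a list of pairwise ciphers, a list of AKMs (PSK vs SAE), and the MFPC/MFPR bits that say whether PMF is optional or required. As an added example, not code from the thread, here is a parser and classifier for that element that flags a TKIP group key, a WPA3-only BSS that forgot to require PMF, and a WPA2/WPA3 transition BSS that does not advertise PMF capability. The element bytes fed to it are assembled by the `build_rsn` helper, not captured from any network. It does not handle the older vendor-specific WPA (v1) IE, which carries the same layout under element 221 with the Microsoft OUI.

```python
"""Parse an 802.11 RSN information element and classify what the AP offers.
Added example, not code from the thread.  The IEs used here are hand-assembled
by build_rsn for demonstration, not beacons captured from a real network."""
import struct

SUITE_OUI = b"\x00\x0f\xac"   # IEEE 802.11 cipher/AKM suite selector OUI

CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256",
             8: "SAE", 9: "FT-SAE", 12: "802.1X-SUITE-B-192", 24: "SAE-EXT-KEY"}
LEGACY_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}
MFPR = 0x0040   # RSN Capabilities bit 6: management frame protection required
MFPC = 0x0080   # RSN Capabilities bit 7: management frame protection capable


def build_rsn(group, pairwise, akms, caps):
    """Assemble a minimal RSN IE from numeric suite selectors (test-input helper)."""
    body = struct.pack("<H", 1) + SUITE_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(SUITE_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(SUITE_OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    return bytes([48, len(body)]) + body


def _suite_list(body, off):
    """Read a little-endian count followed by that many 4-byte suite selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated RSN IE (missing suite count)")
    count = struct.unpack_from("<H", body, off)[0]
    off += 2
    suites = []
    for _ in range(count):
        if off + 4 > len(body):
            raise ValueError("truncated RSN IE (short suite list)")
        suites.append(body[off:off + 4])
        off += 4
    return suites, off


def _name(suite, table):
    if suite[:3] != SUITE_OUI:
        return "vendor-%s-%d" % (suite[:3].hex(), suite[3])
    return table.get(suite[3], "unknown-%d" % suite[3])


def parse_rsn(ie):
    """Return version, group cipher, pairwise ciphers, AKMs and the two PMF bits."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN IE")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 8:
        raise ValueError("truncated RSN IE")
    version = struct.unpack_from("<H", body, 0)[0]
    group = _name(body[2:6], CIPHER_NAMES)
    pairwise, off = _suite_list(body, 6)
    akms, off = _suite_list(body, off)
    # RSN Capabilities are optional; absent means no PMF bits are set.
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"version": version, "group": group,
            "pairwise": [_name(s, CIPHER_NAMES) for s in pairwise],
            "akm": [_name(s, AKM_NAMES) for s in akms],
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def classify(info):
    """Map a parsed RSN IE to a mode name plus a list of security concerns."""
    akm = set(info["akm"])
    ciphers = set(info["pairwise"]) | {info["group"]}
    sae = bool(akm & {"SAE", "FT-SAE", "SAE-EXT-KEY"})
    psk = bool(akm & {"PSK", "PSK-SHA256"})
    issues = []
    if ciphers & LEGACY_CIPHERS:
        issues.append("legacy cipher advertised: " + ", ".join(sorted(ciphers & LEGACY_CIPHERS)))
    if info["group"] == "TKIP" and "TKIP" not in info["pairwise"]:
        issues.append("WPA/WPA2 mixed: pairwise AES but group (broadcast) key is TKIP")
    if sae and not psk:
        mode = "WPA3-Personal"
        if not info["mfpr"]:
            issues.append("WPA3 requires PMF (MFPR=1); AP is not compliant")
    elif sae and psk:
        mode = "WPA2/WPA3-Personal transition"
        if not info["mfpc"]:
            issues.append("transition mode must advertise PMF capable (MFPC=1)")
        if info["mfpr"]:
            issues.append("MFPR=1 locks out WPA2 clients that lack PMF")
    elif psk:
        mode = "WPA2-Personal"
    elif akm:
        mode = "Enterprise (" + ", ".join(sorted(akm)) + ")"
    else:
        mode = "unknown"
    return mode, issues


if __name__ == "__main__":
    samples = {
        "WPA2 CCMP":            build_rsn(4, [4], [2], 0),
        "WPA2 mixed TKIP group": build_rsn(2, [4], [2], 0),
        "WPA2/WPA3 transition": build_rsn(4, [4], [2, 8], MFPC),
        "WPA3 CCMP":            build_rsn(4, [4], [8], MFPC | MFPR),
        "WPA3 GCMP-256":        build_rsn(9, [9], [8], MFPC | MFPR),
        "WPA3 without MFPR":    build_rsn(4, [4], [8], MFPC),
    }
    for label, ie in samples.items():
        print(label, "->", classify(parse_rsn(ie)))
```

On a live system the same bytes come from a scan result (for example the RSN line of `iw dev <if> scan` output, or the raw element in a beacon capture); feeding that element to `parse_rsn` is enough to tell whether a "WPA2/WPA3" SSID really advertises PMF, and whether a WPA/WPA2 mixed SSID is still handing every client a TKIP group key.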
The real question is whether anyone is still using WEP. As much as I like my Apple devices (no haters please) Apple is useless for reporting network connection details.

@thiggins - how many Apple devices do you have that require WEP?

I've got an ath9k build that supports WEP if you need it...
 
I think Tim's point was that iOS devices are miserable about revealing what the wifi connection details are. Which is a totally fair criticism, especially since it would be so easy to make that info available somewhere.
Again - we're getting off topic...
 
