At eero, nothing is more important to us than keeping your devices and family members safe on the internet. As we continue to develop security tools as part of eero Secure to keep your family’s personal information, devices, and network protected from online threats, we also want to make sure core networking security stays up-to-date and continually evolves. To that end, we’re launching Wi-Fi Protected Access version 3 (WPA3 for short). In this post, we’ll discuss how you can enable WPA3 on your eero network, what it is, and why it’s a leap forward for wifi security.
How to enable WPA3 for eero networks
Enabling WPA3 through your eero app is done through the eero Labs section under Discover -> eero Labs -> WPA3.
When you turn the feature on, it is enabled immediately – no need to restart your network.
By default, all eero Labs features are turned off, and you can enable and disable them as you wish. The features found in eero Labs are innovative and experimental. Every feature is tested extensively, but they are considered as beta and may still have some room for improvement.
What we launched
WPA3 has two modes: Personal and Enterprise. As a whole home wifi solution, eero has launched WPA3-Personal mode.
WPA3 can be implemented in two ways, transition mode or WPA3-only mode. We have chosen to implement transition mode for our initial release. This provides backwards compatibility, letting newer devices use WPA3 while allowing older WPA2 only devices to remain connected to the same network. Since WPA3 is not backward compatible, devices that do not support it still need to be able to connect using WPA2, which is not possible with WPA3-only mode. Client devices live on for years in a home and it will take time to see them replaced with WPA3 capable devices. Since the full adoption of WPA3 will take some time, transition mode will help us bridge the gap. In the future, we’ll be able to offer the option for WPA3-only networks without WPA2 support, allowing devices to take full advantage of the security benefits of WPA3.
Even though transition mode is designed to support WPA2 and WPA3 simultaneously, our testing has revealed interoperability issues with some legacy devices. For more details about symptoms and a list of products with known issues, please check our WPA3 help center article.
The foundations of WPA3 security for the home: SAE and PMF
WPA3 is built on two key security features, Simultaneous Authentication of Equals (SAE) and Protected Management Frames (PMF). eero has used both of these advanced technologies since 2016 to authenticate TrueMesh links between eeros. We are happy to see these methods make their way into client connectivity as part of WPA3.
WPA3 provides several advantages over previous technologies by using SAE and PMF:
- Protection against offline password guessing attacks
- Stronger cryptographic protocols and forward secrecy
- Protected management frames
SAE is based on a “Symmetric Password-Authenticated Key Exchange” (sPAKE) scheme called Dragonfly, defined in IETF RFC 7664. As the SAE name indicates, this protocol lets two parties verify that the other knows a secure password without actually sharing the password. The improved cryptography in SAE provides two major benefits: offline attack resistance and forward secrecy.
With older versions of wifi security, attackers were able to capture some wireless network traffic and then try guessing the password “offline” – using as many computers as they have access to, without having to actually try each guess on your wireless network. Offline attack resistance forces the attacker to be within range of your wireless network every time they try to guess your wireless network password. By requiring the attacker to be “online”, your network can control how many guesses are allowed, making this type of password guessing attack nearly impossible.
Forward secrecy means that an attacker who is able to capture encrypted wireless traffic from your network needs to have the encryption keys before they get the traffic in order to decrypt it. Weaker cryptographic protocols allow an attacker to capture your encrypted data over a period of time and later decrypt it if and when they get a hold of the encryption keys (which, for a WPA2 network, generally means the network password). In fact, with SAE, even knowing the network password is not enough to derive the encryption keys. This means that even if an attacker has your wifi password, they still won’t be able to decrypt your data.
Protected Management Frames (PMF) have been part of the wifi standard since 2009. It is used to secure the management frames that are exchanged over the air for forming connections, exchanging information, roaming, etc. PMF, also known as MFP, prevents others nearby from “eavesdropping” on wifi management traffic and impersonating that traffic. For example, without PMF it is possible for a bad actor to launch what’s called a “deauthentication attack” where a bad actor can disconnect you from your router every time you connect, causing a Denial of Service. WPA3 makes PMF a mandatory feature for client devices and access points, taking security to the next level.
Is WPA2 no longer secure?
Your WPA2 network is as secure today as it was yesterday, and no major WPA2 vulnerabilities have been announced recently. WPA3 is part of the continued evolution of wifi standards, and it may take some time for all of your connected devices to support the latest security.
If you are stuck using WPA2 for now, the one thing you must do to remain secure is to use a strong network password. The most realistic attack on a WPA2 network continues to be password guessing – if your password is short or predictable, a hacker is much more likely to be able to eventually guess it. A complex passphrase will make this impractical for all but the most determined and well-resourced adversary.
If you need to share your network password with people, consider using eero’s Guest Network feature to create a separate password.This also puts guest devices on a separate network which can only reach the internet, not other devices in your home.
If you need tips on choosing a good password, check out our blog post on password security, then store your secure password in a password manager such as 1Password. And finally, if you enable the New Device Notification feature in the eero app, if a hacker manages to get hold of your wifi password and joins your network the eero app will notify you about the new device. Then, you can quickly block them and replace your password.
Since day 1, eero has been dedicated to improving internet connectivity in your home with every software update. With the release of eeroOS v3.19.0 we added various fixes, DFS channel support in the U.S. and Canada for eero Pro, and last but not least WPA3 support. This update is available to all eero models.
We are excited to raise the security bar for all of our customers with WPA3. And we hope this will help accelerate the adoption of WPA3 by both client device and access point manufacturers.
If our work sounds interesting to you, we’re hiring! Please check out our careers page for details.
Authors: Peter Oh, technical lead, and Mete Rodoper, engineering manager at Mesh/Wifi team, Rob Chahin, head of security and Gabe Kassel, product manager at eero.