Wpa3

WiFi alliance has published WPA3 OFFICIAL

please keep us up-to-date when this will be available

We checked and seems there is still some work to do. We expect the earliest support for WPA3 will be end of this year. Openwrt may add a little bit late.

This is chip related I think.

hi alzhao,

wpa3 is now available on ubuntu 19.10. Do you know when it will be available on the AR750 ?

Tony

Seems like OpenWRT is still working on getting that ready, at least looking here:

My guess is when OpenWRT 19.07 is out, there might be support for it. Unfortunately 19.07 has been delayed since the summer, without any kind of hint as to when it will be released.

GL-iNet only makes new firmware’s based on the latest releases, so that customers have the most stable version. There is no point to develop on top of something that isn’t ready, just to fight with a lot of issues and bugs.

WPA3 need to be supported by chipset, right?

No, it looks to be just a protocol update, so software + firmware update only :slight_smile:

1 Like

Thanks for your comments. I appreciate them. I am looking forward to the OPENWRT update becoming available.

There’s a fair amount of interop issues with WPA3 and mixed clients - folks are working it…

It’s mostly the mixed-mode stuff and fallbacks for older client implementations for devices.

Well seems like 19.06 won’t have WPA3 after all. Looking at these messages:

https://lists.infradead.org/pipermail/openwrt-devel/2019-October/019293.html
https://lists.infradead.org/pipermail/openwrt-devel/2019-October/019346.html

And the fact that 19.06 RC1 was released yesterday, it seems like WPA3 has been pushed back to version 20.03.

Sorry guys that wanted WPA3 soon.

Here’s one example - folks are working thru challenges of WPA3, but please be patient.

Some of it is OpenWRT devs, and also upstream - and client interoperability is an absolute must - this particular checkin is touching just one item.

commit 3034f8c3b85e70b1dd9b4cd5cd33e9d2cd8be3b8
Date:   Mon Oct 28 19:10:14 2019 +0100

hostapd: enable PMKSA and OK caching for WPA3-Personal

This enables PMKSA and opportunistic key caching by default for
WPA2/WPA3-Personal, WPA3-Personal and OWE auth types.
Otherwise, Apple devices won't connect to the WPA3 network.

This should not degrade security, as there's no external authentication
provider.

Tested with OCEDO Koala and iPhone 7 (iOS 13.1).

Some people might not be aware but having WPA3 on a GL router does not guarantee that you will even be able to use it.

For example, users on Windows need to be running the May 2019 Update, and for example with Intel cards which most laptops use, only these have support for WPA3:

  • Intel® Wi-Fi 6 AX201
  • Intel® Wi-Fi 6 AX200
  • Intel® Wireless-AC 9560
  • Intel® Wireless-AC 9462
  • Intel® Wireless-AC 9461
  • Intel® Wireless-AC 9260

My 2 year old laptop did not have one of those cards, but i did swap it out for another reason.

Apple users need to be on iOS13 or later.

Android users need to use Android Q aka Android 10, which is also a limited list of devices that currently have it:

  • Google Pixel 4
  • Google Pixel 3 / Pixel 3 XL
  • Google Pixel 3a / Pixel 3a XL
  • Google Pixel 2 / Pixel 2 XL
  • Google Pixel / Pixel XL
  • Essential Phone
  • OnePlus 7T
  • OnePlus 7T Pro

Samsung, Huawei and others will probably only update their latest flagships to Android 10, all older phones will be left in the dark as usual. Those updates won’t happen until the beginning of 2020.

And the cherry on top is this:

The Wi-Fi Alliance then made some suggestions on how to fix it, which ironically caused more side attacks, woopsie :slight_smile:

It will probably only be fixed when WPA3.1 or something like that is made standard in another 10 years.

You can read more directly from the researchers that found the vulnerabilities here:

https://wpa3.mathyvanhoef.com/

So kids, stick to using LAN cables if you want to be more secure or always use a VPN when on wifi :stuck_out_tongue:

1 Like

WPA3 has it’s issues… it’s not as bad as it sounds, as 2019 seems to be the year of “named” vulnerabilities - meltdown/spectre anybody?

The bigger problem is stupid clients on wifi period - case in point - Ring Doorbells sending credentials in plaintext

In the larger scope however, unless all equipment on the WLAN is WPA3, one will have to run in mixed mode to support WPA2 clients.