WEP was cracked in 2001. WPA was a stopgap that inherited too much from its predecessor. WPA2 held for over a decade before KRACK proved it had a fundamental flaw in its handshake. WPA3 arrived promising to fix everything — and within a year, the Dragonblood vulnerabilities showed it had problems of its own. The pattern is relentless: every wireless security protocol arrives with confidence and leaves with CVEs. If you’re broadcasting an SSID, you’re broadcasting an invitation. The question is whether the lock on the door is worth anything.
The TLDR
WiFi security has evolved through four generations. WEP (1999) used RC4 with static keys and reused initialization vectors — completely broken, crackable in minutes. WPA (2003) added TKIP as a temporary fix, still flawed. WPA2 (2004) introduced AES-CCMP and held as the standard until the KRACK attack (2017) exploited its four-way handshake. WPA3 (2018) replaced the pre-shared key exchange with SAE (Simultaneous Authentication of Equals), providing forward secrecy and resistance to offline dictionary attacks — but the Dragonblood vulnerabilities found side-channel and downgrade weaknesses. Enterprise environments use 802.1X/RADIUS for certificate-based authentication. The attacks never stop: evil twins, deauthentication, PMKID capture, and rogue APs remain viable regardless of which protocol you’re running.
The Reality
WiFi is inherently more exposed than wired networking. Your traffic is broadcast through the air, receivable by anyone within range — and “range” with a directional antenna can be much farther than the spec sheet suggests. Every coffee shop, hotel, airport, and apartment building is a wireless battlefield where your device is constantly probing, connecting, and transmitting in ways you don’t control and probably don’t realize.
The KRACK attack (Key Reinstallation Attacks) in 2017 was a wake-up call. Mathy Vanhoef demonstrated that every correct implementation of WPA2 was vulnerable — it wasn’t a bug in specific vendors, it was a flaw in the protocol specification itself. An attacker in range could force key reinstallation, replay encrypted packets, and in some configurations decrypt traffic or inject data. The entire internet ran on WPA2, and the entire internet was vulnerable.
NIST SP 800-153 (Guidelines for Securing Wireless Local Area Networks) provides the framework, but the reality on the ground is that most wireless networks are configured once and forgotten — running outdated protocols, using weak passwords, and broadcasting to anyone who cares to listen.
How It Works
WEP — The Cautionary Tale
Wired Equivalent Privacy (WEP) was ratified in 1999 with the promise right there in the name — privacy equivalent to a wired connection. It used the RC4 stream cipher with a 24-bit initialization vector (IV). The problems were fundamental:
- 24-bit IV space: Only 16.7 million possible IVs. On a busy network, IVs repeat within hours. When two packets use the same IV, an attacker can XOR them together and recover the plaintext.
- Static keys: The WEP key doesn’t change. Everyone on the network shares the same key. Capture enough packets, and you can derive it.
- No integrity protection worth mentioning: WEP used CRC-32, which is a checksum, not a cryptographic integrity check. Attackers could modify packets and recalculate the CRC without knowing the key.
The FMS attack (Fluhrer, Mantin, Shamir, 2001) showed that certain weak IVs leaked information about the key. Tools like aircrack-ng can crack a WEP key in under five minutes on a moderately busy network. If you’re still running WEP anywhere, it provides literally no security. None. Stop it.
WPA — The Band-Aid
WiFi Protected Access (WPA) was a rushed response while the industry worked on WPA2. It used TKIP (Temporal Key Integrity Protocol), which wrapped RC4 with per-packet key mixing, a 48-bit IV (instead of 24), and a proper message integrity check (Michael MIC).
TKIP was better than WEP, but it was constrained by needing to run on WEP-era hardware with firmware updates only. The Michael MIC was weak enough that the Beck-Tews attack (2008) could inject short packets. TKIP served its purpose as a transition mechanism, but it was always a compromise. It’s deprecated. Don’t use it.
WPA2 — The Standard (With a Flaw)
WPA2 (IEEE 802.11i) replaced TKIP with AES-CCMP (Counter Mode with CBC-MAC Protocol) — a proper authenticated encryption scheme. This was the real fix. AES-CCMP provides confidentiality, integrity, and authentication in one package.
The Four-Way Handshake: WPA2 authenticates clients through a four-way handshake that derives a session-specific Pairwise Transient Key (PTK) from the Pre-Shared Key (PSK), the SSID, and random nonces from both sides:
- AP sends a nonce (ANonce) to the client
- Client generates its own nonce (SNonce), derives the PTK, sends SNonce + MIC
- AP derives the PTK, sends the Group Temporal Key (GTK) encrypted
- Client confirms installation
This handshake was considered secure for 13 years. Then KRACK happened.
KRACK (CVE-2017-13077 through CVE-2017-13088): Vanhoef discovered that an attacker could manipulate and replay handshake message 3, causing the client to reinstall an already-in-use key with reset nonces. In WPA2 with AES-CCMP, this allowed packet replay and decryption. With TKIP or GCMP, it was worse — the attacker could forge and inject packets. The vulnerability affected the protocol specification, meaning every compliant implementation was vulnerable.
WPA3 — The New Standard
WPA3 (2018) addresses WPA2’s weaknesses with several fundamental changes:
SAE (Simultaneous Authentication of Equals): Replaces the PSK four-way handshake with the Dragonfly key exchange, a password-authenticated key exchange (PAKE) protocol. SAE provides:
- Forward secrecy: Each session generates unique keys. Capturing today’s handshake and cracking the password tomorrow doesn’t let you decrypt today’s traffic.
- Offline dictionary attack resistance: Unlike WPA2-PSK where an attacker can capture the handshake and run offline brute-force attacks against it, SAE requires an active exchange for each password guess. This makes dictionary attacks orders of magnitude slower.
- Protection against KRACK-style attacks: SAE’s key derivation doesn’t have the reinstallation vulnerability.
Dragonblood Vulnerabilities (2019): Within a year of WPA3’s release, Vanhoef (again) found weaknesses in the Dragonfly handshake. Side-channel attacks could leak information about the password through timing differences and cache access patterns. Downgrade attacks could force a WPA3 network to fall back to WPA2 if both modes were supported (transition mode). Implementation-specific vulnerabilities in various vendors’ SAE implementations allowed password partitioning attacks. Patches were issued, but it reinforced the pattern: new protocol, new attacks, new patches.
Enterprise Mode — 802.1X/RADIUS
Both WPA2-Enterprise and WPA3-Enterprise replace the pre-shared key with 802.1X authentication, which uses a RADIUS server for centralized credential verification. Each person authenticates individually — there’s no shared password.
The most common EAP (Extensible Authentication Protocol) methods:
- EAP-TLS: Certificate-based, mutual authentication. The gold standard. Each client has its own certificate.
- PEAP (Protected EAP): Creates a TLS tunnel, then runs MSCHAPv2 inside it. Easier to deploy than EAP-TLS, but weaker.
- EAP-TTLS: Similar to PEAP but more flexible in the inner authentication method.
Enterprise mode eliminates the shared-password problem entirely. When someone leaves the organization, you revoke their credentials. With a PSK, everyone uses the same password, and changing it means reconfiguring every device.
How It Gets Exploited
Evil Twin Attacks
An attacker sets up a rogue access point with the same SSID as a legitimate network. Devices that have previously connected to that SSID may automatically connect to the stronger signal — the attacker’s AP. From there, the attacker is in a perfect position to intercept all traffic, serve fake login portals, and capture credentials.
Deauthentication Attacks
The 802.11 management frames used for deauthentication are not encrypted or authenticated in WPA2. An attacker can send forged deauth frames, disconnecting a client from the legitimate AP. The client then reconnects — either to the legitimate AP (allowing the attacker to capture the four-way handshake for offline cracking) or to an evil twin. WPA3 and 802.11w (Protected Management Frames) mitigate this, but only if both the AP and client support it.
PMKID Capture
Discovered in 2018, the PMKID attack captures the Pairwise Master Key Identifier from the first message of the four-way handshake — no client required. The attacker only needs to send an association request to the AP and capture the PMKID from the response. They can then perform offline dictionary attacks against the captured PMKID. This works against WPA2-PSK networks and requires no existing clients to be connected.
Rogue Access Points
An unauthorized AP connected to the corporate network provides a backdoor. An attacker (or a well-meaning employee who plugs in a personal router) creates an uncontrolled entry point that bypasses network security controls. Wireless intrusion detection systems (WIDS) scan for rogue APs, but they require active monitoring. MITRE ATT&CK T1557.003 documents adversary-in-the-middle techniques via DHCP/ARP spoofing that rogue APs facilitate.
What You Can Do
Use WPA3 if your hardware supports it. If not, WPA2 with AES-CCMP only (no TKIP). Check your router’s settings and verify the encryption mode — some routers default to “WPA2/WPA mixed mode” which enables TKIP. Disable it.
Use long, random passphrases for PSK networks. WPA2-PSK is vulnerable to offline dictionary attacks. A 20+ character random passphrase generated by a password manager makes brute-force impractical.
Enable 802.11w (Protected Management Frames). This encrypts management frames (including deauthentication), preventing deauth attacks. Required by WPA3, optional in WPA2.
Deploy 802.1X for any serious environment. Enterprise authentication with RADIUS eliminates the shared-password problem and provides per-person, per-device authentication with revocation capability.
Isolate your wireless network. Guest WiFi should be on its own VLAN with internet access only — no route to internal resources. IoT devices on their own segment. Your primary WiFi should be treated as semi-trusted at best.
Monitor for rogue APs. Conduct periodic wireless surveys. Use your wireless controller’s rogue AP detection or deploy dedicated WIDS sensors. An unauthorized access point is a hole in your perimeter.