Key Wi-Fi security protocol is vulnerable to attack

All technology depends on technology that has gone before it.

Sometimes the former technology needs to be revisited, to check it is still fit for contemporary purposes.

Such is the case with the WPA2 security protocol, used to encrypt Wi-Fi traffic.

It seems that it has a vulnerability that can be exploited by the ‘KRACK’ attack to decrypt traffic, and in some cases even inject malware into the traffic.

Because the vulnerability is in a protocol that is part of the Wi-Fi specification, it can affect every device that uses Wi-Fi.

Fortunately, this vulnerability was found by researchers, so Wi-Fi equipment makers were made aware of it before it was made public.

Some have already provided fixes for the vulnerability, and some soon will.

However, some equipment will inevitably not get updated, even if the fix exists, so they will be an attack target for years to come.

More detail:

Are technological advances plateauing?

The background

Deepening specialisations, along with standardisation, have enabled increasingly sophisticated systems to be created.

People need and want things that require more sophisticated systems.

More sophistication entails more complexity.


  1. Self-evidently, one person’s ability to create increasingly complex but reliable systems, has a limit
  2. The more people engaged in an endeavour, the less productive they become at delivering it, until it becomes unaffordable, or progress halts

Problem 1: This cannot easily be much affected, because most people have a broadly similar ability.

Problem 2: Techniques exist to mitigate this, such as using a lower cost workforce, dividing systems into loosely coupled less complex subsystems, and changing work practices to more specialised roles with narrower tool sets. However, none of them actually prevent the declining productivity as teams grow.


A recent article in The Register points to a recently published paper, which claims “… that research effort is rising substantially while research productivity is declining sharply.”

Possible reactions

  1. Accept this plateaux in technological advances for fields that have been highly developed
  2. Grow user bases to support the extra R&D staff required, although this reduces choice and competition
  3. Reduce the dependency on human effort of developing sophistication, using for example AI techniques

802.11ad clients

Qualcomm have announced the Asus ZenFone 4 Pro will be the world’s first commercial smartphone to have 802.11ad. Asus also mention the 802.11ad capability.

There have been a few 802.11ad capable ‘prosumer routers’ available for a while, by Asus Netgear and TP-Link, so their makers must be pleased that finally users might seek them out based on that capability.

The high speed of 802.11ad makes it spectrum and time efficient, because to move an amount of data the radio can be off more of the time than a slower radio. Firstly, this means it will not occupy the spectrum (a finite resource) as much of the time. Secondly, it could potentially consume less power – always a good thing, especially for battery powered devices like smartphones.

Perhaps more interestingly, 802.11ad has an inherently short range. For a wireless personal area network (WPAN) this is a good thing. Obviously a WPAN only needs a short range, and if signals travel further than required they again reduce spectrum efficiency, because they occupy spectrum in areas where other WPANs could use it.

Wi-Fi Aware

The ability for Wi-Fi enabled devices to automatically discover each other and understand each other’s public Wi-Fi offerings is a powerful enabler for point to point Wi-Fi connectivity. Standards based ad hoc point to point Wi-Fi connections are currently quite a manual arrangement and so have seen little usage. Attempts to initiate such connections using Bluetooth and NFC have lowered the hurdle, but pre-emptively discovered potential connections via Wi-Fi Aware will make it much easier.
As is very often the case the full potential of technology is unlocked by widely or ideally universal standards, so Wi-Fi Aware promises to create new possibilities.

Mobile network operators using unlicensed spectrum

Obviously MNOs using unlicensed spectrum disadvantages others operating in that spectrum. The freedom to setup wireless networks for distinct needs without the burden of licenses for its use is an important right that has and will continue to enable innovation and advances in wireless technology. If allowed, MNOs could easily subvert that resource.
The existence of the IEEE 802.19 Wireless Coexistence Working Group to addresses coexistence between wireless standards of unlicensed devices, and in particular its Coexistence in Unlicensed Bands Study Group, is late but welcome. Perhaps equipment working in the unlicensed spectrum will ultimately be required to conform to a coexistence protocol that can be mandated by the ETSI et al. Although and extra burden on those developing for unlicensed frequencies it would ultimately be a benefit as we move to higher utilisation.

Ofcom and 5G mobile services

From 16 January 2015 to 27 February 2015, Ofcom (regulator of spectrum in the UK) is asking “for stakeholder input on spectrum bands above 6 GHz that might be suitable for future mobile communication services.”
This is being broadly termed ‘5G mobile services’.
Although no standards yet exist and the technology is certainly inchoate, wireless technology develops quickly, so it is good to see Ofcom getting involved at this time.

Also on 12 March 2015 Ofcom is hosting a “debate to explore the impact of new mobile and wireless broadband technologies, including those underpinning 5G, on spectrum regulation and management.”

WiGig in mobile devices

Qualcomm has acquired Wilocity, a maker of chipsets for the 60 GHz wireless band – IEEE 802.11ad. Qualcomm chipsets for mobile devices are to be enabled in this band, so we should see rapid growth of 60 GHz (WiGig) inclusion in mobile devices.

Short range high throughput and out of band with existing WiFi, WiGig creates new opportunities. WiGig data transport from cheap low power small infrastructure equipment (see our thinking on Myrmidon access points) will be a great enabler for ubiquitous high throughput wireless connectivity. As consumer devices provide a rapid rollout of endpoints for WiGig so the ROI for this kind of access point becomes much better. Expect to see this new kind of access point coming to market in the short to medium term. A network built using them will make a form of ‘fog computing’ more viable, because high bandwidth wireless connectivity to proximate processing and storage services will have significant advantages over longer more contended network paths.

Dual band radios in mobile devices have been around for some time, and tri-band radios will be arriving soon. At some point it will become feasible to provide two or three concurrent radios in mobile devices with the obvious associated advantages. The question is when will such radio arrays arrive? Power consumption is probably the main constraint for this kind of connectivity. Battery technology is subject to intense research and we should expect impressive improvements to come to market soon. Nonetheless, concurrent multi-radio solutions need a rapid way to bring radios in and out of service to reduce power consumption.

MU-MIMO soon and trends

In April Qualcomm announced their forthcoming 802.11ac MU-MIMO chipsets. These include the QCA 9990 and QCA 9992 chipsets for business grade access points with 4 and 3 stream radios respectively. Their client device chipsets provide 1 and 2 streams. All these MU-MIMO chipsets provide up to 80 MHz channel width, not 160 MHz. Their highest link speed is then 1.73 Gbps on 4 stream access point and ‘home router’ chipsets, while their client device chipsets with 2 streams have a highest link speed of 867 Mbps. So, for an all Qualcomm setup the upper limits for access points and ‘home routers’ are more usefully considered as aggregate capacity limits, e.g. two 2 stream clients could in theory transfer at 1.73 Gbps. In practice of course it is more likely to be about half of that or less. As these chipsets were “expected to sample in the second quarter of 2014” we can expect them in the products in the second half of 2014, along with some of their competitors – Broadcom and Quantenna have made similar announcements.

With MU-MIMO access points can service multiple stations simultaneously, so the available streams can be more fully utilised. The most important effect of this is to effectively increase the capacity of the spectrum. Obviously this is good news for WLAN owners and managers who have spectrum operating around capacity. Although MU-MIMO does not make a connection faster than before, it does provide more uncontended air time to clients, so they should also feel the benefit as better transfer times.

As MU-MIMO is compute expensive we are going to see more PoE+ equipment. As more channels are available in the 5 GHz band, and they are being added to, it makes sense for access points with two or more radios with omnidirectional antennas to be deployed where spectrum is highly utilised. This will add further to power requirements so we may see a growing market for mid-span PoE+ injectors.

802.11ac and MU-MIMO is coming at a good time as expectations and use of WiFi are soaring; a trend that will continue as the Internet of Things and wearable devices gain traction. If rumours are correct, the ever growing bandwidth needs of static and moving images will soon be added to by the demands of holographic displays. Obviously with all this data aggregating over WiFi to Ethernet we need 10 GbE at a sensible price soon.

WiFi networks and crowdsourcing an IT strategy

In a recent survey 1 in 3 British workers say they rely on WiFi to do their jobs effectively, and 61% of those believe their home WiFi to be better than their workplace WiFi. That survey of 2,004 randomly selected British wireless-reliant UK workers aged 18+ was commissioned by Aerohive Networks – a US based maker of premium business grade WiFi equipment. Their report contains a number of observations on productivity problems in the workplace, with unreliable connectivity considered the most disruptive, power cuts as second, and ‘wireless temporarily down’ as third. Aerohive report that “Up to 40% have missed deadlines and opportunities at work due to poor [wireless] connectivity”. This negative experience of WiFi in the workplace relative to the home supports the widely held view that WiFi use in the workplace is led by employees, not by IT department strategists. From this report one might infer that WiFi connectivity in the workplace is behind the expectations and needs of some employees to work as productively as they would like.

Modern mobile working practices are more typical in younger people. It is probably significant that they have a more technologically aware mind-set, along with higher expectations of their working environment developed in technologically rich educational environments. Recently we upgraded WiFi in some student accommodation. While investigating issues with networks, two students in a common area both using WiFi were asked if they also used a wired connection. Only one of the two did, even though a laptop with a port for a wired connection was being used by the one that only used WiFi. Obviously this is a vanishingly small sample, but this scenario is typical, and there are two important points to draw from it. Firstly, both students were spending some time working in a communal area using WiFi, but that was their choice, not a requirement. Secondly, one did not even take the trouble to use a wired connection when it was available and provided a better service – the reason we were there. Mobility is at least in part about a more social and collaborative style of working. It allows people to take what they are doing with them. They are controlling the technology rather than the technology controlling them. In science fiction movies nothing is ever plugged in, everything is wireless because that is how we like to see ourselves, with freedom to move and in control of powerful technology. In problem scenarios in science fiction technology takes control, even if it is wielded by other people. Wireless connectivity then is an essential enabler of expectations in working practices, and currently wireless connectivity is dominated by WiFi.

A recent webinar by LogMeIn reported on their survey of almost 1400 IT and non-IT professionals globally concerning modern trends in IT that could be collectively described as crowdsourcing an IT strategy. They simplify their findings into four macro-IT trends:

Firstly – use of personal devices for business; the so called bring your own device (BYOD) trend. Employees chose the technology and IT departments provided WiFi connectivity. This was the start of significant employee contributions to the IT strategy, i.e. crowdsourcing the IT strategy.

Secondly – an empowered, connected, and mobile workforce. These employees (who as discussed above are generally younger) expect mobility and ubiquitous wireless connectivity. This group are probably the strongest drivers of WiFi expectations in the Aerohive Networks survey above.

Thirdly – applications sourced and managed by employees; the so called bring your own application (BYOA) trend. Employees report they do not always feel the need to seek the approval of the IT department, particularly to address problems localised to their small groups and themselves. This has resulted in a strong move away from enterprise grade software to the cloud ‘app’ based approach (cloud based processing and storage) which has perceived advantages described in terms like convenience, ease of use, agility, speed, less hassle, and flexibility. However, this piecemeal approach has no overarching strategy and little or no appreciation of broader consequences.

Fourthly – business data is increasingly in the cloud. A major advantage of the cloud is location anonymity, but that can also be a concern for some data.

IT professionals see the consequence of these four macro trends as a less secure and controlled IT world, with 42% expecting this trend to continue, and 35% expecting it to remain at about the same level. The main concern of 54% of IT professionals is a lack of security of business data in the cloud. The survey also indicated that 29% of IT departments monitor and modulate use of apps, accepting its inevitability but trying to make use of its advantages; 39% broadly ignore it, not yet knowing how to react; and 30% are actively suppressing use of apps not sanctioned by the IT department. This last reaction is despite strong anecdotal evidence that employee productivity is improved by these four trends.

We can see from these two surveys that IT strategies in the workplace are now partially emerging from employee decisions. At this time no coherent response has been established among IT professionals to crowdsourcing of IT strategy. However it is accepted that a strong WiFi network is a key enabling technology for the modern mobile working practices expected by an empowered, connected, and mobile workforce. Likely the way forward will be found in technologies being developed to modulate these trends so as to gain the best from them while minimising problems. Certainly, while it still possible the old arrangement of IT departments totally controlling IT use and strategy in the workplace are looking increasingly outdated and likely to hold back productivity.

‘Bring your own access’ will accelerate the trend for IT strategy crowdsourcing. Personally controlled mobile Internet connectivity can circumvent corporate Internet connectivity, so IT departments will then be unaware of the data moving in and out of the business. As data prices fall, coverage and speeds improve, and employees become more technologically enabled, this trend will accelerate.