Tag: WPA3 wireless network security

Deutsche Telekom fields their first Wi-Fi 6 DSL modem router

Article (German language / Deutsche Sprache)

Deutsche Telekom Speedport Pro Plus DSL modem router press picture courtesy of Deutsche Telekom GmbH

Deutsche Telekom Speedport Pro Plus – a DSL modem router that uses Wi-Fi 6

Telekom Speedport Pro Plus: Erster DSL-Router mit Wi-Fi 6 (Telekom Speedport Pro Plus First DSL router with Wi-Fi 6) | Computer Bild

From the horse’s mouth

Deutsche Telekom

Speedport Pro Plus: the premium router for Wi-Fi 6 networks (Press Release)

My Comments

Interest still exists in DSL-based WAN technology, especially in VDSL-based fibre-copper setups like fibre-to-the-basement or fibre-to-the-cabinet / fibre-to-the-node. Here the existing telephone cabling between the fibre-copper point and the customer’s premises is reused for as long as it is worth keeping that cable in service.

But Deutsche Telekom have offered to their German market the Speedport Pro Plus DSL modem router, the first of its kind for that market to use Wi-Fi 6 (802.11ax) for the Wi-Fi segment. For network security, this router works to the WPA3 security standards for Wi-Fi networks, and it supports meshed operation with Deutsche Telekom’s other Speedport equipment. This answers the reality that an increasing number of Wi-Fi client devices like smartphones, tablets and laptops are being equipped with Wi-Fi 6 wireless networking.

The use of Wi-Fi 6 network technology is being seen as very important within Europe, where most people who live in the cities live in apartments. It will also matter for countries like Australia, where apartment living within urban areas is gaining acceptance.

This device has 12 antennas compared to the AVM Fritz!Box 7590 having eight antennas. This allows for higher local-network-level throughput and more robust operation. There are also Gigabit Ethernet connections for the local network and a Gigabit Ethernet connection that serves as an alternative Internet (WAN) connection. That is important for fibre-to-the-premises connections or fibre-copper setups implementing cable-TV or Ethernet technology that depend on an external modem.

As is the trend nowadays with European-made home-network routers, the Telekom Speedport Pro Plus has a VoIP endpoint including a fully-featured DECT cordless-telephone base station. It also supports smart-home peripherals that work according to Wi-Fi, Zigbee or DECT-ULE, the European favourite. That is part of the Magenta SmartHome platform that Deutsche Telekom are offering within Germany.

This is an example of Wi-Fi 6 coming to a carrier-supplied modem router and proving its case with Internet subscribers who stick with the equipment offering that their telco or ISP provide. Who knows when your local telco or ISP will offer their service with Wi-Fi 6 equipment in tow?

Freebox routers to support WPA3 Wi-Fi security through a firmware update

Article – French language / Langue Française

Freebox Révolution - courtesy Iliad.fr

A firmware update will give WPA3 Wi-Fi security to the Freebox Révolution and newer Freebox devices

Mise à jour du Freebox Server (Révolution/mini/One/Delta/Pop) 4.2.0 (Freebox Server update 4.2.0 for the Révolution/mini/One/Delta/Pop) | Freebox.fr Blog

My Comments

Free.fr have pushed forward the idea of using a firmware update to deliver the WPA3 Wi-Fi network security standard to recent Freebox Server modem-routers that are part of their Freebox Internet service packages.

This is part of the FreeOS 4.2.0 major firmware update, which also improves Wi-Fi network stability, implements QR-based device enrolment for the Wi-Fi network and adds profile-driven parental control. It will apply to the Freebox Révolution, which I see as the poster child of a highly-competitive French Internet service market, and descendant devices like the mini, One, Delta and Pop.

The WPA3 functionality will be configured to work in WPA2+WPA3 compatibility mode to cater for existing WPA2 client devices on the home network. This is because most home-network devices like printers or Internet radios won’t even have the ability to be updated to work with WPA3-secured networks.

At the moment, Free is rolling out updates to their mobile apps to support WPA3 on the mobile operating systems. This is most likely to remain the case until Google, Apple and mobile-phone vendors offer WPA3 “out-of-the-box” with their smartphone and tablet platforms.

What I like about Free’s software-driven approach is that there is no need to replace the modem-router to have your network implement WPA3 Wi-Fi network security. It is very similar to what AVM did to enable distributed Wi-Fi functionality in a significant number of their Fritz!Box routers and other devices in their existing home-network product range, where this function arrived as part of a firmware upgrade.

This avoids the need for customers to purchase new hardware if they need to move to WPA3 network security, and I see this as a significant trend regarding European-designed home-network hardware, where newer network capabilities are just a firmware update away.

WPA3-Personal security–What does this mean for your Wi-Fi network

Article

Telstra Gateway Frontier modem router press picture courtesy of Telstra

Expect the next-generation Wi-Fi network to have WPA3 security

What is WPA3? And some gotchas to watch out for in this Wi-Fi security upgrade | Network World

My Comments

Over the next few years, Wi-Fi routers, access points and client devices like computers and smartphones will be supporting WPA3 as a media-specific network security protocol.

At the moment, I will be focusing on the WPA3-Personal variant which is relevant to small networks like the typical home or small-business network. This kind of network security is also implemented in an increasing number of venue-based public-access networks in order to allow the venue owner to protect and authenticate the network and preserve its role as an amenity for the venue’s customers.

From the user’s point of view, the WPA3-Personal network security protocol operates the same way as a WPA2-Personal network: a “Wi-Fi password” commonly known across all access points and client devices that use the network segment.

But this “Wi-Fi password” is now used through a Simultaneous Authentication of Equals (SAE) exchange rather than the Pre-Shared Key (PSK) method of previous WPA-Personal implementations. This also changes how the “Wi-Fi password” is represented and protected on the air, so that a captured exchange cannot be used for an offline brute-force cracking attempt.

As well, each connection between the client device and the access point is encrypted with keys unique to that connection.
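The following Python is an added illustration of the two points above, not code from the article or from any router or client implementation. It puts the WPA2-Personal PSK derivation (PBKDF2 of the passphrase and SSID, a fixed value that a captured handshake can be tested against offline) next to the core algebra of the SAE (“Dragonfly”) exchange, where each side mixes in fresh random values so the shared secret, and the messages on the air, differ every session. Assumptions are labelled in the comments: NIST P-256 (IEEE 802.11 group 19) with textbook, non-constant-time point arithmetic, and a simple try-and-increment hash-to-curve loop standing in for SAE’s hunting-and-pecking; the real protocol’s message formats, confirm step and KDF labels are omitted.

```python
import hashlib
import secrets

# NIST P-256 (IEEE 802.11 group 19) domain parameters: public constants.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # group order


def ec_add(p1, p2):
    """Textbook affine point addition on P-256; None is the point at infinity.
    (Educational only: not constant time, unlike a real SAE implementation.)"""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # R + (-R) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def password_element(passphrase, ssid):
    """Map the passphrase to a curve point PE.  SIMPLIFICATION: a plain
    try-and-increment loop stands in for SAE's hunting-and-pecking procedure."""
    counter = 0
    while True:
        seed = hashlib.sha256(f"{ssid}|{passphrase}|{counter}".encode()).digest()
        x = int.from_bytes(seed, "big") % P
        rhs = (pow(x, 3, P) + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)    # modular sqrt, valid because P % 4 == 3
        if y * y % P == rhs:
            return x, y
        counter += 1


def sae_commit(pe):
    """One peer's commit: fresh random rand and mask, scalar = rand + mask (mod Q),
    element = -mask * PE.  Returns the secret rand and the public commit."""
    rand = secrets.randbelow(Q - 2) + 2
    mask = secrets.randbelow(Q - 2) + 2
    scalar = (rand + mask) % Q
    ex, ey = ec_mul(mask, pe)
    return rand, (scalar, (ex, (P - ey) % P))


def sae_shared_point(rand, peer_commit, pe):
    """K = rand * (peer_scalar * PE + peer_element) = rand * peer_rand * PE.
    Without one side's secret rand, a passive observer of both commits cannot
    form K, and cannot use the commits to test passphrase guesses offline."""
    peer_scalar, peer_element = peer_commit
    return ec_mul(rand, ec_add(ec_mul(peer_scalar, pe), peer_element))


def sae_session(passphrase, ssid):
    """Run both sides of the commit exchange; return the shared x-coordinate
    and the two public commits (both differ on every session)."""
    pe = password_element(passphrase, ssid)
    rand_sta, commit_sta = sae_commit(pe)
    rand_ap, commit_ap = sae_commit(pe)
    k_sta = sae_shared_point(rand_sta, commit_ap, pe)
    k_ap = sae_shared_point(rand_ap, commit_sta, pe)
    if k_sta != k_ap:
        raise RuntimeError("shared point mismatch: check the curve arithmetic")
    return k_sta[0], (commit_sta, commit_ap)


def wpa2_pmk(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes),
    a fixed function of the passphrase.  A captured 4-way handshake therefore
    lets guesses be checked offline; only passphrase entropy protects it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    same = wpa2_pmk("correct horse battery", "HomeNet") == wpa2_pmk("correct horse battery", "HomeNet")
    print("WPA2 PMK is identical every session:", same)
    k1, _ = sae_session("correct horse battery", "HomeNet")
    k2, _ = sae_session("correct horse battery", "HomeNet")
    print("SAE shared secret differs per session:", k1 != k2)
```

Running it shows the practical difference the article describes: the WPA2 PMK for a given passphrase and SSID is the same bytes every time, whereas two SAE sessions with the same passphrase produce different commits and a different shared point, which is what takes the offline-guessing option away from someone who has only recorded the exchange.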

The initial onboarding process will be typically based on the traditional password-entry method. But it will also implement Wi-Fi EasyConnect which uses a QR code or WPS-based push-button setup.

The WPA3 security protocol may take years to mature while a robust, proven codebase for client-side and access-point-side implementations is worked out. The initial codebase was found to have software weaknesses in early WPA3-Personal implementations, and these are being debugged now.

A question that will be raised is whether an upgrade to WPA3 security will require new hardware for either the client device or the access point or if this can be performed using revised firmware that has the necessary software code. This may depend on whether the hardware uses a purely software-defined approach for managing its functionality.

There will be situations where existing equipment and WPA3-capable equipment have to work together. Here, a WPA3 client like a smartphone can work with an existing WPA2-compliant Wi-Fi network segment but won’t have the full benefits. Similarly, a WPA3-capable Wi-Fi network segment will need to be operated in a “transition mode” to allow existing WPA2-compliant client devices to connect. Again, this doesn’t provide all the benefits of a Wi-Fi network segment secured to WPA3 standards.

You can also work around this limitation by implementing two Wi-Fi network segments that have separate ESSIDs. One of these could be configured to work to the current WPA2-Personal standard while the other is set up purely for WPA3-Personal. This practice may come into its own if you have a Wi-Fi network using the latest standards while you maintain another using tried-and-trusted standards.

Wi-Fi introduces a new way to onboard new wireless-network devices

Articles

Draytek Vigor 2860N VDSL2 business VPN-endpoint router press image courtesy of Draytek UK

A QR code and a configuration app could be the way to get your Wi-Fi network going or add a device to that network

From the horse’s mouth

Wi-Fi Alliance

Wi-Fi Easy Connect (Product Page)

My Comments

The Wi-Fi Alliance has released, as part of its WPA3 update for wireless-network security, the Wi-Fi Easy Connect protocol for onboarding new devices to a Wi-Fi network segment. It works with existing WPA2 network segments as well as newer WPA3-compliant segments, which offers the chance for existing Wi-Fi devices to support this technology. That is alongside the ability for device manufacturers and software / operating-system developers to meld it in to their existing products using new code.

It is intended for onboarding devices that have a limited user interface including onboarding Internet-capable “white goods” and “backbone” devices like fridges or heating / cooling equipment to your Wi-Fi network. It is currently being seen as an alternative to the push-button-based WPS configuration process for devices that don’t have much in the way of a user interface. For Android smartphone users, much of this process will be similar to using a printed QR code to “onboard” your smartphone to an existing Wi-Fi wireless network.

What is it about?

QR Code used on a poster

QR codes like what’s used on this poster will be part of configuring your Wi-Fi wireless network

The main goal with the Wi-Fi EasyConnect standard is to permit a device with a rich user interface like a laptop, tablet or smartphone running suitable configuration software to pass configuration information to other devices that have a limited user interface. This can be facilitated with an independent configuration app or function that is part of the device’s operating system. Or it could be to allow configuration through the access point using its Web-based management user interface or a management app supplied by the access point’s manufacturer.

In all cases, the software that looks after the configuration aspect is described as a configurator. Access points or client devices that want to be part of the network are described as “enrollee” devices.

Android main interactive lock screen

Smartphones will become part of your Wi-Fi network’s setup or device-onboarding process

It is feasible for one device to assume either role, configurator or enrollee. An obvious example would be a computing device like a laptop, tablet or smartphone coming on board an existing Wi-Fi network, then you using that same computing device to bring another device like a network-capable fridge on board. Or you could bring a Smart TV or set-top box on board your Wi-Fi network using Wi-Fi Easy Connect, and it then has the ability to be a “set-up point” for smartphones or tablets that want to join your Wi-Fi network.

There are different ways of “associating” the enrollee device with the configurator device but it is primarily about making both devices know that they are trusted by each other.

The main method would be to use a QR code that is on a sticker or card associated with the device, or shown on the device’s display if this display is of the bitmapped graphical kind or the device can connect to a TV or monitor. Then the configuration device would scan this QR code if it is equipped with a camera.

Another option that is put forward is to use a text string written on a card or shown on a display, and this would be used for configuration devices not equipped with a camera. This kind of situation may come into its own if you are running a configuration program from a regular computer that isn’t equipped with a functioning Webcam.

… as will laptops, Ultrabooks like this Dell XPS 13 and tablets

The Device Provisioning Protocol (DPP) standard that Wi-Fi EasyConnect is based on also supports an NFC “touch-and-go” or Bluetooth Low Energy wireless link as another way to interlink a configuration device and an enrollee device during the setup phase. Both these technologies could work well with smartphone-centric applications, wireless speakers, connected building-management technology and the like. But these haven’t been placed as part of the certification testing that the Wi-Fi Alliance has for the EasyConnect standard.

Once the initial information is exchanged between the devices, both devices establish a separate secure Wi-Fi link with each other. Then the configuration software on one of the devices uses this link to pass through the parameters necessary to allow the enrollee device to connect to the existing Wi-Fi network. The whole configuration data-exchange is secured using asymmetric public-key cryptography, with the public key obtained during the initial setup process. Then the enrollee device hunts for, discovers and connects to the newly-programmed network.
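As an added example (not code from the article, the Wi-Fi Alliance or any configurator app), the Python below parses the bootstrapping information that an Easy Connect QR code carries and checks the enrollee’s public key before it is trusted, which is the step a configurator has to get right since everything after it rests on that key. It assumes the DPP URI layout of “DPP:<field>:<value>;…;;” with C for the operating-class/channel list, M for the MAC address, I for free-text device information and K for the base64 DER SubjectPublicKeyInfo of a compressed P-256 point; that reading of the specification is an assumption on my part. The sample URI, MAC and label are constructed for this example, and the key is the P-256 base point, a valid curve point but obviously not a real device key.

```python
import base64

# P-256 public constants, used only to check that the key in the QR code is a
# genuine curve point before it is trusted.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# P-256 base point: a valid curve point used here as the CONSTRUCTED sample key.
G_X = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
G_Y = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# DER prefix of a SubjectPublicKeyInfo (id-ecPublicKey, prime256v1) that holds a
# 33-byte compressed point: outer SEQUENCE, AlgorithmIdentifier, BIT STRING header.
SPKI_P256_COMPRESSED_PREFIX = bytes.fromhex(
    "3039" "3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "032200")


class DppUriError(ValueError):
    """Raised when the QR payload is malformed or carries an unusable key."""


def decompress_p256(point: bytes):
    """Turn a 33-byte compressed point (02/03 || x) into (x, y), rejecting
    anything that is not actually on the curve."""
    if len(point) != 33 or point[0] not in (2, 3):
        raise DppUriError("expected a compressed P-256 point")
    x = int.from_bytes(point[1:], "big")
    if x >= P256_P:
        raise DppUriError("x coordinate out of range")
    rhs = (pow(x, 3, P256_P) - 3 * x + P256_B) % P256_P
    y = pow(rhs, (P256_P + 1) // 4, P256_P)   # sqrt works because p % 4 == 3
    if y * y % P256_P != rhs:
        raise DppUriError("x is not on the curve")
    if (y & 1) != (point[0] & 1):             # prefix 02 = even y, 03 = odd y
        y = P256_P - y
    return x, y


def parse_dpp_uri(uri: str) -> dict:
    """Parse 'DPP:<field>:<value>;...;;' into its fields and a verified key."""
    if not uri.startswith("DPP:") or not uri.endswith(";;"):
        raise DppUriError("not a DPP bootstrapping URI")
    fields = {}
    for item in uri[len("DPP:"):-2].split(";"):
        key, sep, value = item.partition(":")
        if not sep or not key or key in fields:
            raise DppUriError(f"bad or duplicate field {item!r}")
        fields[key] = value
    if "K" not in fields:
        raise DppUriError("missing public bootstrapping key (K)")
    b64 = fields["K"]
    spki = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    if not spki.startswith(SPKI_P256_COMPRESSED_PREFIX) or len(spki) != 59:
        raise DppUriError("key is not a compressed P-256 SubjectPublicKeyInfo")
    channels = []
    for entry in filter(None, fields.get("C", "").split(",")):
        opclass, _, channel = entry.partition("/")
        channels.append((int(opclass), int(channel)))
    mac = fields.get("M")
    if mac is not None and (len(mac) != 12 or any(c not in "0123456789abcdefABCDEF" for c in mac)):
        raise DppUriError("MAC address must be 12 hex digits")
    return {
        "channels": channels,
        "mac": mac.lower() if mac else None,
        "info": fields.get("I"),
        "public_key": decompress_p256(spki[len(SPKI_P256_COMPRESSED_PREFIX):]),
    }


def uri_for_point(point: bytes) -> str:
    """Build a CONSTRUCTED QR payload around a raw compressed point: channel 1 in
    operating class 81 and channel 36 in class 115, a made-up MAC and label."""
    key = base64.b64encode(SPKI_P256_COMPRESSED_PREFIX + point).decode()
    return f"DPP:C:81/1,115/36;M:0a1b2c3d4e5f;I:example-fridge;K:{key};;"


def sample_uri() -> str:
    """The sample QR payload, with the base point as the (constructed) device key."""
    return uri_for_point(bytes([2 | (G_Y & 1)]) + G_X.to_bytes(32, "big"))


if __name__ == "__main__":
    parsed = parse_dpp_uri(sample_uri())
    print(parsed["channels"], parsed["mac"], parsed["info"])
    print("key x =", hex(parsed["public_key"][0]))
```

Rejecting keys that do not decompress to a point on the curve matters because the QR code is the trust anchor of the whole exchange: a configurator that accepts whatever bytes it scanned has nothing to authenticate the later provisioning link against.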

There is the ability to use this same setup with an access point to set it up to work with an extant network or to create a new network. The latter situation would most likely be based around accepting a machine-generated ESSID and password or allowing the user to enter an ESSID and/or password. On the other hand, the previously-connected Wi-Fi networks list that an operating system maintains could be a data source for configuring a Wi-Fi device to a particular extant network using EasyConnect.

From the FAQs that I had read on the Wi-Fi Alliance Website, the Wi-Fi EasyConnect protocol allows for a single configuration program to configure multiple enrollee devices at once. Here, it is to facilitate situations where you are onboarding many IoT devices at once or are creating a new Wi-Fi network with new credentials.

But it doesn’t support onboarding a single Wi-Fi client device to two Wi-Fi networks at once, like your main network and a hotspot / guest network. Instead you have to repeat the Wi-Fi EasyConnect procedure, including scanning the QR code, for each network you want a device to associate with. This gives you greater control over which networks your devices associate with, but it can be a concern if you have a separate Wi-Fi network segment with a distinct ESSID (network name) linking to the same logical network, such as a dual-band network with separate network names for each band.

What needs to be done

Personally, I would like to see Wi-Fi EasyConnect configuration functionality baked into desktop and mobile operating systems, including Apple’s operating systems, rather than be separate programs. This avoids the need to find, download and install separate EasyConnect apps from your platform’s app store or loading a computer or smartphone with too many apps. But it could encourage other software developers to build improved Wi-Fi EasyConnect configuration apps that may, perhaps, suit particular user needs like asset control in the business-computing context.

I would also encourage the idea of maintaining WPS-PBC push-button pairing as an alternative method to Wi-Fi EasyConnect for onboarding Wi-Fi devices. This is more so for those devices that have a limited or no user interface and the goal is to quickly onboard a device without a rich user interface like a printer to a Wi-Fi router or access point.

Similarly, the use of NFC or Bluetooth as a legitimate certification option for onboarding Wi-Fi devices has to be encouraged and underscored through the life of this standard. Here, I would prefer that smartphones or tablets equipped with NFC and / or Bluetooth be tested to be compliant with the NFC and Bluetooth aspects of this standard.

There also has to be the ability with Wi-Fi EasyConnect to onboard a Wi-Fi network device with a limited user interface to an enterprise-grade Wi-Fi network that uses individual usernames and passwords. This is important for “Internet-Of-Things” devices that will increasingly be part of these networks.

Conclusion

Wi-Fi EasyConnect leads to another way of onboarding a Wi-Fi network device or access point using another device equipped with a rich user interface and can apply across all small-network setups.