A Field History of Wi-Fi Security

When 802.11 shipped in 1997 it carried two ideas about security, and both have aged badly. The first was that some networks would simply be open: no key, no authentication, every frame in cleartext for anyone in radio range. That was a deliberate choice for guest access and convenience, and it is still everywhere, in the coffee shop and the airport lounge. The honest fix did not arrive for two decades. Opportunistic Wireless Encryption (OWE), defined in RFC 8110 in 2017 and branded Wi-Fi Enhanced Open, finally gave open networks a Diffie-Hellman key exchange so that a passive listener could no longer read traffic, even without a password. It encrypts, but it still does not authenticate the access point, so a cloned SSID remains as convincing as the real one. See Open networks for what that cleartext world looks like on the wire.

The standard's second idea was Wired Equivalent Privacy (WEP), meant to make the air as private as a cable. It used the RC4 stream cipher with a per-packet initialization vector (IV) prepended to a static shared key. The flaw was structural. The IV was only 24 bits, so on a busy network it repeated within hours, and RC4 leaked information about the key whenever certain weak IVs appeared. In 2001 a statistical key-recovery technique (the FMS attack) showed the key could be reconstructed just by collecting enough frames, with no need to break RC4 itself. Later refinements (KoreK, then PTW) dropped the requirement to tens of thousands of IVs, recoverable in minutes once you replay ARP to force traffic. WEP was dead on arrival as real security; it survives only as a teaching artifact. Walk through the collapse on the WEP page.

WEP's break was a crisis because the replacement, the full 802.11i amendment, was still years from ratification, and millions of shipped radios could not run a new cipher. The Wi-Fi Alliance's answer in 2003 was WPA, built around the Temporal Key Integrity Protocol (TKIP). TKIP was engineering under constraint: it kept RC4 so old hardware could run it as a firmware update, but wrapped it in per-packet key mixing, a 48-bit sequence counter to kill replay, and a message integrity check called Michael to replace WEP's forgeable CRC-32. It bought time and it worked, but it was always a bridge. Michael was weak enough that a 2008 plaintext-recovery technique, refined over the next year, could decrypt short packets and inject a few forged frames against a TKIP network. TKIP is legacy now and should never be chosen on purpose; the WPA (TKIP) page covers why.

802.11i was ratified in 2004, and the Wi-Fi Alliance certified it as WPA2. This is the version that actually held. It replaced RC4 and TKIP with CCMP, AES-128 in Counter mode with CBC-MAC, giving real confidentiality, strong integrity, and replay protection from a packet-number counter. CCMP has never been broken as a cipher, and that is why WPA2 ran the world for well over a decade and still backs most networks today. Its one durable weakness lives not in the cipher but in the four-way handshake: the frames that prove both sides know the pre-shared key also contain everything needed to test passphrase guesses offline. Capture one handshake and the network's security collapses to the strength of its passphrase. WPA2-Personal is the highest-value lab in this manual; start at WPA2-Personal.

In 2006 the Wi-Fi Alliance tried to make all of this usable by non-experts with Wi-Fi Protected Setup (WPS), letting a user join by typing an eight-digit PIN or pushing a button. The PIN design was the disaster. The access point validated the two halves of the PIN independently, and the eighth digit was a checksum, so the real search space collapsed from one hundred million to about eleven thousand guesses, recoverable online in hours where rate limiting was weak or absent. Worse, a 2014 offline variant (the Pixie Dust attack) exploited access points whose chipsets generated the WPS secret nonces with a weak random number generator, cracking the PIN in seconds with no online guessing at all. A patched access point with strong nonces resists Pixie Dust and forces the slower online brute force. See WPA2 + WPS for both paths.

For thirteen years the assumption was that WPA2's handshake, unlike the passphrase behind it, was sound. In 2017 the Key Reinstallation Attack (KRACK) showed otherwise. By capturing and replaying a handshake message, an attacker could trick a client into reinstalling an already-in-use session key, resetting the nonce and packet counter that CCMP and TKIP rely on never to repeat. Reused nonces leak keystream, and under TKIP the damage extended to frame forgery. KRACK was a flaw in the 802.11i state machine, not the cipher, so it hit essentially every correct implementation at once. It was disclosed as a family of CVEs, the canonical one being CVE-2017-13077. Clients and access points were patched within months, and the attack drove real adoption of Protected Management Frames (PMF, 802.11w), which authenticate management frames so deauthentication can no longer be spoofed freely.

A year later came a quieter but practically important result. Researchers showed that on access points using 802.11r fast roaming, and on many others besides, the PMKID (a value derived from the pre-shared key) is present in the very first frame the access point sends, the first message of the four-way handshake. That meant an attacker no longer needed a connected client or a deauthentication burst to capture crackable material. You could request it from the access point directly, harvest the PMKID, and grind it offline against a wordlist exactly as you would a captured handshake. It changed no cryptography, but it removed the one inconvenient prerequisite of the WPA2 dictionary attack. Modern access points withhold the PMKID by default; the WPA2-Personal lab exposes it on demand so you can practice the clientless capture.

Every attack to this point shared a root cause for personal networks: the handshake let you guess the passphrase offline. WPA3, certified in 2018, set out to close that door. It replaced the pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), also called Dragonfly, a password-authenticated key exchange standardized in RFC 7664 and folded into the 802.11 standard. SAE proves knowledge of the password without ever transmitting anything an attacker can take home and grind, so a captured exchange yields no offline guesses, and each session derives a fresh key for forward secrecy. WPA3 also makes PMF (802.11w) mandatory rather than optional. See WPA3-Personal for the cipher and the lab.

WPA3 was not magic, and 2019 proved it. A cluster of weaknesses collectively named Dragonblood showed that SAE's strength depended on careful implementation. Several deployed clients and access points derived the password element in variable time, so a timing or cache side channel leaked enough to mount an offline dictionary attack after all, the very thing SAE was meant to prevent (CVE-2019-9494). A separate flaw let a malformed SAE Confirm frame, processed before the expected Commit, crash the access-point daemon in some stacks, a denial of service rather than a key or credential compromise (CVE-2019-9496). These were implementation bugs, not breaks of SAE's design, and they were patched, but they were a reminder that a new protocol's first years are its most fragile. There is also a structural caveat: WPA3-Transition mode runs SAE and WPA2-PSK on one SSID for mixed fleets, and an attacker who suppresses the WPA3 elements can push a capable client back down to WPA2 and its offline crack. See WPA3-Transition.

Not every weakness belongs to one generation. The FragAttacks, disclosed in 2021 from CVEs reserved the year before, were design and implementation flaws in 802.11 frame aggregation and fragmentation that affected nearly every Wi-Fi device regardless of WPA version (CVE-2020-26139). On the enterprise side, the 2024 Blast-RADIUS result (CVE-2024-3596) forged RADIUS responses over UDP via an MD5 chosen-prefix collision, a backend protocol weakness independent of the air interface. The lesson across both: the wireless stack is layered, and a fix at one layer leaves the others standing. The Wireless Attack Catalog maps each attack to the protocols it hits.

The arc is clear in hindsight. Each generation closed the previous one's worst hole and exposed the next. WEP died to its IV; WPA was always a bridge; WPA2's cipher held for a decade while its handshake leaked passphrases; WPS undid all of it for convenience; KRACK and PMKID picked at WPA2's edges; WPA3 finally closed the offline crack, then spent its first year patching Dragonblood. Today the field is mixed. WPA2-Personal still backs most home and small-business networks, WPA3 is the default on new hardware, WPA2-Enterprise carries the corporate world on per-user credentials, and open networks persist with OWE slowly catching on. That is exactly why this range broadcasts all of them: the history is not a museum, it is the live attack surface you will still meet in the field. Pick a chapter from Network Types and stand one up.