14.4.5 Security In WLANs
Unlike wired Ethernet, where physical access to the cable is normally required before traffic can be intercepted, wireless LAN transmissions propagate through free space and may extend well beyond the walls of a building. Anyone within radio range can potentially detect the transmitted signals. Consequently, WLANs require mechanisms to ensure that only authorized users gain access to the network and that transmitted information cannot be read or modified by unauthorized parties. Modern WLAN security therefore addresses four principal objectives:
- authentication of users and devices;
- confidentiality through encryption;
- integrity of transmitted data; and
- protection against unauthorized access and replay attacks.
Early IEEE 802.11 networks relied on Wired Equivalent Privacy (WEP), which attempted to provide a level of security comparable to a wired LAN. However, weaknesses in the encryption algorithm and key management allowed attackers to recover encryption keys in a relatively short time. WEP is therefore considered obsolete and should no longer be used.
WEP was replaced by Wi-Fi Protected Access (WPA) and subsequently WPA2, which introduced the Advanced Encryption Standard (AES) operating in Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). WPA2 became the dominant WLAN security standard for many years and continues to provide adequate protection for many existing networks when configured correctly.
The latest generation, WPA3, further strengthens WLAN security by improving authentication, encryption, and protection against common attacks. Instead of relying solely on a pre-shared password, WPA3 replaces the WPA2 four-way handshake used with pre-shared keys by the Simultaneous Authentication of Equals (SAE) protocol. SAE performs a secure password-authenticated key exchange, making it significantly more resistant to password guessing and offline dictionary attacks.
For enterprise networks, WPA3 also supports an optional 192-bit security suite, providing stronger cryptographic protection for organizations with demanding security requirements. Public Wi-Fi hotspots, which traditionally transmitted data without encryption unless users established secure application-layer sessions, may also employ Opportunistic Wireless Encryption (OWE). OWE encrypts traffic between each client and the access point without requiring a shared password, thereby protecting users from casual eavesdropping on open wireless networks.
Another important improvement is resistance to offline password attacks. Under WPA2, captured authentication exchanges could potentially be analysed offline using automated password-guessing techniques. WPA3's SAE authentication significantly reduces this risk because each authentication attempt requires interaction with the access point, making large-scale brute-force attacks much more difficult.
WPA3 also simplifies device provisioning through Wi-Fi Easy Connect, allowing devices with limited user interfaces—such as printers, cameras, and Internet of Things (IoT) devices—to join a secure WLAN by scanning a QR code or using another secure out-of-band mechanism instead of manually entering long passwords.
Finally, WPA3 incorporates protocol improvements that eliminate vulnerabilities associated with the Key Reinstallation Attack (KRACK) discovered in WPA2 implementations. Although many WPA2 devices were subsequently corrected through software updates, WPA3 was designed from the outset to prevent this class of attack.
The principal differences between WPA2 and WPA3 are summarized in Figure 14.11.

WLANs are designed to provide building- or campus-scale connectivity and typically integrate with wired Ethernet infrastructure through access points and distribution systems. At much shorter ranges, however, a different class of wireless technologies is used to interconnect personal devices, sensors, and low-power equipment without requiring full LAN functionality. These technologies—collectively referred to as Personal Area Networks (PANs)—operate with different design priorities, including ultra-low power consumption, simplified protocol stacks, and support for battery-powered devices, and are considered in the next section.
Back to reading