Wi-Fi Security | IoT Worker

Wi-Fi Security

The log says associated, but the device still cannot send application data. In Wi-Fi, the problem is usually that the security stage has not finished. scan -> authentication -> association only attaches the terminal to a BSS (Basic Service Set). What makes the data plane usable is the key-establishment and key-installation process that follows.

Wi-Fi security ties together password mode, handshake flow, management-frame protection, and compatibility.

The core of Wi-Fi security is establishing a verifiable link, installing keys, and enabling the data plane after basic access is complete.

Where It Sits in the Access Path

In the most common STA -> AP flow, the security stage comes after association and before the data plane:

scan -> choose AP / BSSID -> 802.11 authentication -> association -> security handshake -> data plane ready -> DHCP / DNS -> application traffic

Two common confusions:

  • Association success is not the same as data plane ready
  • Connected to Wi-Fi is not the same as “application traffic can already flow”

Wi-Fi security turns “attached to the AP” into “able to send protected data frames.”

What Wi-Fi Security Solves

Wi-Fi is not a wired switch fabric. The air interface between STA and AP is shared and can be eavesdropped on. The security stage has four jobs:

  • Confirm that both sides are using the same credential context
  • Decide which key will encrypt the data frames
  • Decide how broadcast and multicast traffic should be protected or distributed
  • Prevent replay, tampering, and bad state transitions while the link is being established

If those are not handled, scan, authentication, and association do not mean the data plane is usable.

WPA2 and WPA3

Wi-Fi security changes with the threat model and device capability.

What WPA2 Solved

WPA2-Personal became the default for a long time because it gave a practical answer to three questions:

  • How can home and small networks connect without enterprise authentication?
  • How can a terminal and an AP derive a session key from the same password?
  • How does the data plane become protected after the key is installed?

Strengths:

  • Mature implementation
  • Broad device support
  • Manageable cost for MCUs and embedded devices

What WPA3 Fixes

WPA3-Personal is not just “WPA2 plus some hardening.” It mainly fixes two long-standing problems:

  • How to reduce the payoff of offline brute-force attacks in password-based access
  • How to move management and control-frame protection from “optional” toward a stricter default

WPA3 pushes SAE and PMF closer to the center of the design.

The Security Stage Model

You can split the security stage by role:

  • WPA2-Personal: shared password -> derive PMK -> 4-Way Handshake -> install data-plane keys
  • WPA3-Personal: establish a stronger shared base through SAE -> then do the 4-Way Handshake -> install data-plane keys

In short:

WPA2:
shared password
  -> PMK
  -> 4-Way Handshake
  -> PTK / GTK installation
  -> data plane ready

WPA3:
shared password
  -> SAE
  -> PMK
  -> 4-Way Handshake
  -> PTK / GTK installation
  -> data plane ready

The 4-Way Handshake does not disappear in WPA3. It just sits on top of a different foundation.

Why WPA2 Still Worked

The most common WPA2-Personal success path looks like this:

```mermaid
sequenceDiagram
    participant STA as STA
    participant AP as AP
    Note over STA,AP: Both sides already share a password-derived PMK
    AP->>STA: Message 1 (ANonce)
    STA->>AP: Message 2 (SNonce + MIC)
    AP->>STA: Message 3 (GTK + Install)
    STA->>AP: Message 4 (Confirm)
    Note over STA,AP: PTK / GTK installed, data plane ready
```

This path shows:

  • No enterprise authentication system is required
  • Session-related keys are still derived from fresh random values
  • The unicast and group-multicast planes each get their own key context

But its boundary is also clear:

  • Shared-password mode is sensitive to password quality
  • Once a handshake is captured, weak passwords can still be attacked offline
  • Some management-frame protections have long been optional in real deployments

So WPA2 is not “broken.” Its default threat model no longer lines up perfectly with today’s deployment reality.

Why WPA3 Puts SAE First

The key change in WPA3-Personal is not that the 4-Way Handshake became more complicated. It is that the password-based foundation changed. The common path is:

```mermaid
sequenceDiagram
    participant STA as STA
    participant AP as AP
    STA->>AP: SAE Commit
    AP->>STA: SAE Commit
    STA->>AP: SAE Confirm
    AP->>STA: SAE Confirm
    Note over STA,AP: PMK formed
    AP->>STA: 4-Way Handshake Message 1
    STA->>AP: Message 2
    AP->>STA: Message 3
    STA->>AP: Message 4
    Note over STA,AP: data-plane keys installed
```

SAE changes the relation between the password and the session key so that offline guessing is no longer as straightforward as it is in WPA2-PSK.

When debugging WPA3, look at both the later EAPOL-Key packets (the 4-Way Handshake) and the earlier SAE Commit / Confirm exchange: a failure in either one leaves the data plane unusable.

PMF

Many field compatibility problems eventually point to PMF (Protected Management Frames). It changes whether management frames can be forged or disrupted easily.

In the WPA2 era, PMF was often:

  • Optional
  • Incompletely supported by some devices
  • Not enforced by default on some APs

In WPA3, its role is much more central:

  • The security boundary becomes clearer
  • Compatibility problems become easier to expose

A WPA3-capable device that cannot connect to an AP may be failing PMF negotiation or implementation, not SAE.

Protocol and Compatibility Problems

Real field success is usually decided by protocol flow and device reality working together:

  • Can the chip complete SAE reliably?
  • Do the AP’s RSN IE and PMF announcements match what the terminal expects?
  • After association, is the device actually stuck in SAE or in the 4-Way Handshake?
  • Does the log’s “connected” mean “associated” or “data plane ready”?

What to Check in Captures and Logs

For Wi-Fi security debugging, work through three layers in order: stage location, negotiation content, and key installation.

Stage Location

First, figure out where the problem stops:

  • Is it before or after association?
  • Is it stuck in SAE?
  • Is it stuck in the 4-Way Handshake?

Once the stage is pinned down, you can tell whether the issue is capability negotiation, security parameters, or key installation.
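Stage location, and the event ordering of the WPA2 and WPA3 paths in the security stage model above, can be checked mechanically. The following is an added example, not code from the page; the event shorthand and the sample trace are constructed, and the checker reports the first expected event that never appeared plus any event seen out of order.

```python
import re

# Expected event order on the two success paths the page describes. Event strings are a
# constructed shorthand for what you would transcribe from a capture or driver log.
WPA2_ORDER = ["OPEN-AUTH status=0", "ASSOC-RESP status=0",
              "EAPOL M1", "EAPOL M2", "EAPOL M3", "EAPOL M4", "KEYS-INSTALLED"]
WPA3_ORDER = ["SAE-COMMIT STA->AP", "SAE-COMMIT AP->STA",
              "SAE-CONFIRM STA->AP", "SAE-CONFIRM AP->STA",
              "ASSOC-RESP status=0",
              "EAPOL M1", "EAPOL M2", "EAPOL M3", "EAPOL M4", "KEYS-INSTALLED"]

# Stage name per event prefix, and which debugging layer to look at when stuck there.
STAGE = {"OPEN": "802.11 authentication", "SAE": "SAE", "ASSOC": "association",
         "EAPOL": "4-Way Handshake", "KEYS": "key installation"}
LAYER = {"802.11 authentication": "capability negotiation", "SAE": "security parameters",
         "association": "capability negotiation", "4-Way Handshake": "security parameters",
         "key installation": "key installation"}

def stage_of(event):
    return STAGE[re.match(r"[A-Z]+", event).group()]

def locate_stage(trace):
    """Walk the expected order and report the first expected event that never appeared.
    Also flags the first event seen out of order (a bad state transition)."""
    mode = "WPA3" if any(e.startswith("SAE-") for e in trace) else "WPA2"
    order = WPA3_ORDER if mode == "WPA3" else WPA2_ORDER
    # Out-of-order detection: indices of known events must never go backwards.
    out_of_order, last_idx = None, -1
    for e in trace:
        if e in order:
            idx = order.index(e)
            if idx < last_idx and out_of_order is None:
                out_of_order = e
            last_idx = max(last_idx, idx)
    seen = set(trace)
    for expected in order:
        if expected not in seen:
            st = stage_of(expected)
            return {"mode": mode, "data_plane_ready": False, "missing": expected,
                    "stalled_in": st, "check": LAYER[st], "out_of_order": out_of_order}
    return {"mode": mode, "data_plane_ready": True, "missing": None,
            "stalled_in": None, "check": None, "out_of_order": out_of_order}

# Constructed trace: a WPA3 station that reached Message 3 and then went quiet.
SAMPLE = ["SAE-COMMIT STA->AP", "SAE-COMMIT AP->STA", "SAE-CONFIRM STA->AP",
          "SAE-CONFIRM AP->STA", "ASSOC-RESP status=0", "EAPOL M1", "EAPOL M2", "EAPOL M3"]

if __name__ == "__main__":
    print(locate_stage(SAMPLE))
```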

Negotiation Content

Check:

  • RSN IE and the announced security capabilities
  • Whether it is WPA2 or WPA3
  • Whether PMF is optional or required
  • Whether both sides agree on the cipher suite and mode

Many problems that look like “the password is wrong” are actually mismatches at the negotiation boundary.
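To see what the AP actually announces at the negotiation boundary (WPA2 vs WPA3, cipher suites, and whether PMF is optional or required), here is an added example that is not code from the page: it parses the RSN IE from a beacon or probe response. The IE byte strings are constructed; suite selectors and the MFPC/MFPR capability bits follow IEEE 802.11.

```python
import struct

RSN_OUI = b"\x00\x0f\xac"
CIPHER = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}

def _suite(body, off, names):
    """Decode one 4-byte suite selector (OUI + type)."""
    oui, typ = body[off:off + 3], body[off + 3]
    return names.get(typ, f"type-{typ}") if oui == RSN_OUI else f"vendor-{oui.hex()}-{typ}"

def parse_rsn_ie(ie: bytes) -> dict:
    """Parse an RSN IE (element ID 48) taken from a beacon or probe response."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a complete RSN IE")
    body = ie[2:]
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    off = 2
    group = _suite(body, off, CIPHER); off += 4
    n = struct.unpack_from("<H", body, off)[0]; off += 2
    pairwise = [_suite(body, off + 4 * i, CIPHER) for i in range(n)]; off += 4 * n
    n = struct.unpack_from("<H", body, off)[0]; off += 2
    akms = [_suite(body, off + 4 * i, AKM) for i in range(n)]; off += 4 * n
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    mfpc, mfpr = bool(caps & 0x0080), bool(caps & 0x0040)   # bit 7 MFPC, bit 6 MFPR
    if "SAE" in akms and "PSK" not in akms:
        mode = "WPA3-Personal"
    elif "SAE" in akms:
        mode = "WPA2/WPA3 transition"
    elif "PSK" in akms or "PSK-SHA256" in akms:
        mode = "WPA2-Personal"
    else:
        mode = "enterprise/other"
    pmf = "required" if mfpr else ("optional" if mfpc else "disabled")
    warnings = []
    if "SAE" in akms and not mfpc:
        warnings.append("SAE advertised without PMF capability; WPA3-Personal requires PMF")
    if mode == "WPA3-Personal" and not mfpr:
        warnings.append("pure SAE should set MFPR; PMF-optional WPA3 is a misconfiguration")
    if "TKIP" in pairwise or group == "TKIP":
        warnings.append("TKIP still allowed; PMF and WPA3 require CCMP or GCMP")
    return {"mode": mode, "group": group, "pairwise": pairwise, "akm": akms, "pmf": pmf, "warnings": warnings}

# Constructed IEs: WPA2-Personal/CCMP with PMF disabled, WPA3-Personal with PMF required,
# and a WPA2/WPA3 transition-mode announcement with PMF optional.
WPA2_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
WPA3_IE = bytes.fromhex("30140100000fac040100000fac040100000fac08c000")
TRANSITION_IE = bytes.fromhex("30180100000fac040100000fac040200000fac02000fac088000")
```

Comparing the terminal's own RSN IE in its association request against the AP's beacon with the same parser shows negotiation mismatches directly, instead of guessing from a “wrong password” message.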

Key Installation

Check:

  • Did the 4-Way Handshake complete fully?
  • After Message 3/4, did the device actually install the keys into the data plane?
  • Does the log’s “connected” mean association only, or true data-plane readiness?

If this layer is not clear, later DHCP, DNS, and application-level failures are easy to misread as IP problems.

How to Think About Wi-Fi Security Today

  • Security is the trust chain from access to protected data
  • WPA2 remains usable, but its threat model has limits
  • WPA3 changes both the password attack surface and the management-frame story
  • PMF is part of the access boundary
  • If association is successful but data still does not flow, do not skip the security stage in your diagnosis
