An Experimental Analysis of the WPA3 Protocol in IoT Devices
Alghisi G. A.;Gringoli F.
2024-01-01
Abstract
Wi-Fi technology plays a crucial role in the advancement of IoT across various domains, from homes to industries. However, the inherent nature of wireless channels, cost constraints, and the limited computational power of IoT devices raise concerns regarding security. In this work, we conducted an experimental analysis to verify how the most common development platforms used in the IoT domain support the new security mechanisms introduced by WPA3. To achieve this goal, we created a testing platform, using the open source programs called Hostapd and FreeRADIUS, that enables the assessment of both the basic features of WPA3-Personal and WPA3-Enterprise and the latest SAE-PK and Transition Disable (TD) functionalities. As test subjects, we selected a Cypress board, an ESP32-based unit, the Raspberry Pi 4 and the Pi Pico W. The results of our analysis were both disappointing and unexpected. Only the Cypress and ESP32 boards enable WPA3-Personal, while solely the Pi 4 specifically addresses WPA3-Enterprise when directly configured with Wpa-supplicant. Instead, the Pico W completely lacks support for WPA3 and, furthermore, for WPA2-Enterprise. Regarding the remaining features, only the ESP32 supports SAE-PK, but we found flaws in TD implementation. These findings are significant as they highlight the limitations and vulnerabilities present in the Wi-Fi module frameworks used by a substantial portion of connected devices available on the market, underscoring the need for further research and improvements in IoT security protocols.