What CISOs need to know about Wi-Fi 6E

Wi-Fi 6E is the most secure wireless standard ever, but making the wrong implementation decisions or not understanding its risks will negate that advantage.


Wi-Fi 6E is a technical extension of the Wi-Fi 6 standard that delivers improved Wi-Fi capacity, less interference, and higher throughput. Introduced in January 2021 by the Wi-Fi Alliance, Wi-Fi 6E extends Wi-Fi into the 6 GHz frequency band, providing up to 1,200 MHz of additional spectrum compared to Wi-Fi 6.

In April 2020, the FCC voted to open 6 GHz for unlicensed use, meaning that electrical consumer products such as phones, tablets, laptops, and routers could benefit from the enhanced Wi-Fi performance. Commenting last year, FCC chairman Ajit Pai said, “I expect that 6 GHz unlicensed devices will become a part of consumers’ everyday lives. And I predict the rules we adopt today will play a major role in the growth of the internet of things, connecting appliances, machines, meters, wearables, smart televisions, and other consumer electronics, as well as industrial sensors for manufacturing.”

“This change in how Wi-Fi operates is likely to alter the way people use Wi-Fi networks, with 6E allowing more devices to connect at greater speeds,” says Paul Holland, principal research analyst at the Information Security Forum (ISF). “Until now, there were limitations on some of the heavier network-related devices like virtual reality, but with more connectivity available, a whole raft of new devices will enter the market as manufacturers look to make money from this newer capability.”

As Wi-Fi usage increases, CISOs will need to be aware of its benefits and challenges. These are the most important for now:

Wi-Fi 6E is more secure than previous versions

Speaking to CSO, David Coleman, director of wireless networking at Extreme Networks, says that, in several ways, Wi-Fi 6E will be more secure than previous generations of Wi-Fi because the Wi-Fi Alliance is mandating WPA3 security certification for all Wi-Fi 6E devices, with no backward compatibility support for WPA2 security. “In effect, this means that Management Frame Protection (MFP) is required in the 6 GHz band and Simultaneous Authentication of Equals (SAE) replaces pre-shared key (PSK) security. This is an important improvement, as SAE is resistant to the offline dictionary attacks that can plague PSK authentication.”

The Wi-Fi Alliance is also requiring Enhanced Open certification support and will mandate support for Opportunistic Wireless Encryption (OWE) in 6 GHz. “This means there will be no more ‘open’ networks and encryption will always be used to protect user data,” says Coleman.

Wi-Fi 6E risks: Rush to market might introduce vulnerabilities

As with any emerging technology, the adoption of Wi-Fi 6E has the potential to create new cybersecurity risks. “In the rush to develop 6E-enabled devices, manufacturers may neglect security for speed to market, introducing vulnerabilities if no security mechanisms are included or if there is no path to update the new 6E-enabled devices,” warns Holland. “Organizations need to be more aware of the potential risks posed by the release of Wi-Fi 6E and the implementation of devices that will come as part of this upgrade of networking infrastructure. The fact that organizations have been caught out in the past by Wi-Fi, 4G and 5G shows lessons are not being learned, and the level of awareness is still not where it should be.”

CISOs must therefore recognize, communicate, and mitigate the organizational cybersecurity risks posed by Wi-Fi 6E. Which should be of most concern to security leaders? Below are three security threats that should be of primary focus.

1. New 6 GHz rogue devices

The buzz phrase in Wi-Fi security has always been the rogue access point (AP), an open and unsecured gateway that inadvertently offers access to a company’s wired infrastructure, says Coleman. “A wireless rogue device can be used for data theft, data destruction, loss of services, and other attacks. Typically, hackers aren’t responsible for installing rogue APs. More often than not, it’s well-meaning employees who don’t realize the consequences of their actions.”

As new consumer-grade Wi-Fi 6E APs and routers continue to be made available in the marketplace, they are prime rogue device candidates because today’s wireless intrusion prevention system (WIPS) solutions are primarily focused on monitoring for and protecting against 802.11-based wireless attacks and threats on the 2.4 GHz and 5 GHz frequency bands — not in the 6 GHz band. “Vendors that offer APs with tri-frequency sensor capabilities in their APs will take the lead in 6 GHz rogue detection,” Coleman adds.

2. Wi-Fi 6E lacks backward compatibility with WPA2

Existing Wi-Fi clients will never be able to connect to 6 GHz, and so enterprises will need to implement different levels of security for different frequency bands, something that is likely to create significant administrative challenges. “WPA3 will be used in 6 GHz, but WPA2 will remain prevalent in the 2.4 GHz and 5 GHz bands for a very long time,” Coleman says.

Issues with backward compatibility are likely to cause security headaches for CISOs, Holland agrees. “The new technology will lead to manufacturers leaving older Wi-Fi devices out of their update process when vulnerabilities are discovered, meaning they will no longer receive patches. This will leave some internet of things devices to be forgotten by manufacturers and maybe even by the organizations themselves, creating the risk of having unmonitored and unpatched devices on corporate networks.”

3. OWE Wi-Fi 6E vulnerabilities

“Many organizations will choose to use OWE in 6 GHz even though the Enhanced Open certification meets only half the requirements for comprehensive Wi-Fi security,” Coleman says. “OWE provides encryption and data privacy, but there is no authentication whatsoever, creating the potential for hijacking and impersonation attacks. WPA3-Personal or WPA3-Enterprise are better options because authentication is mandated.”

Addressing Wi-Fi 6E cybersecurity threats

Organizations will need to engage their security teams as Wi-Fi 6E arrives and is incorporated into their networks. Coleman and Holland cite five important steps enterprises must take to mitigate the risks:

  1. Upgrade WIPS solutions to full 6 GHz monitoring capabilities, even if you are not yet deploying Wi-Fi 6E. Look for WIPS solution sensors that have 6 GHz radios and offer tri-frequency band scanning from a single radio.
  2. Avoid OWE in the 6 GHz band and use WPA3-Personal (SAE) or WPA3-Enterprise (802.1X).
  3. Ensure that security leaders and IT teams are educated about this issue and take it seriously. “Don’t get caught flat-footed,” says Coleman.
  4. Use network segmentation to ensure that 6E-enabled routers and devices are safely implemented across an enterprise. “This may mean only purchasing devices with a recognized support contract (for patches and problems), as well as putting new devices through all the due diligence processes that are part of the procurement lifecycle,” says Holland. “This will ensure that any manufacturer or vendor is linked to an organization’s supply chain management.”
  5. Consider a zero-trust strategy: it can help protect each device through protect surfaces and supports strong authorization/authentication protocols, limiting lateral movement following a breach of a 6E device.
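
The checks behind steps 1 and 2, as an added example that is not from the article or from any vendor's product: it audits constructed scan records against an assumed inventory of authorized BSSIDs and shows which findings a sensor without a 6 GHz radio never reports. The record layout, SSIDs, BSSIDs and finding labels are assumptions made for illustration.

```python
# Constructed inventory and scan data; the BSSIDs, SSIDs and field layout are
# assumptions for illustration, not output from any real sensor or product.
AUTHORIZED = {"02:00:00:aa:00:01", "02:00:00:aa:00:02", "02:00:00:aa:00:03"}

# (bssid, ssid, centre frequency in MHz, key management advertised by the AP)
SCAN = [
    ("02:00:00:aa:00:01", "corp", 6115, "SAE"),
    ("02:00:00:aa:00:02", "corp-guest", 6275, "OWE"),
    ("02:00:00:aa:00:03", "corp", 5180, "PSK"),
    ("02:00:00:bb:00:09", "home-mesh", 6435, "SAE"),
    ("02:00:00:bb:00:0a", "printer", 2437, "PSK"),
]


def band(freq_mhz):
    """Map a centre frequency to its Wi-Fi band."""
    if 5925 <= freq_mhz <= 7125:  # the 1,200 MHz of 6 GHz spectrum
        return "6"
    return "5" if freq_mhz >= 5000 else "2.4"


def audit(scan, authorized, sensor_bands=("2.4", "5", "6")):
    """Return (bssid, band, finding) for every AP the sensor can hear."""
    findings = []
    for bssid, _ssid, freq, akm in scan:
        b = band(freq)
        if b not in sensor_bands:  # no radio for this band: the AP is invisible
            continue
        if bssid not in authorized:
            findings.append((bssid, b, "rogue-candidate"))
        elif b == "6" and akm == "OWE":
            # Encrypted but unauthenticated: step 2 says use SAE or 802.1X.
            findings.append((bssid, b, "owe-no-authentication"))
        elif akm == "PSK":
            # WPA2-PSK stays on 2.4/5 GHz; track it as a weaker security tier.
            findings.append((bssid, b, "wpa2-psk-legacy"))
    return findings


def missed_without_6ghz(scan, authorized):
    """Findings that a 2.4/5 GHz-only sensor never reports."""
    full = set(audit(scan, authorized))
    dual = set(audit(scan, authorized, sensor_bands=("2.4", "5")))
    return sorted(full - dual)


if __name__ == "__main__":
    print(audit(SCAN, AUTHORIZED))
    print("missed by dual-band sensor:", missed_without_6ghz(SCAN, AUTHORIZED))
```

An unknown BSSID is only a candidate: confirming a rogue still means checking whether the device is attached to the wired network.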

Wi-Fi 6E is the most exciting thing to happen to Wi-Fi in nearly 20 years, says Coleman. “Whilst people may well be overlooking the practical realities and challenges of actually implementing this technology, 2021 is likely going to be a breakthrough year for Wi-Fi 6E in the enterprise, emerging as a major focus for IT teams over the next several months.”

Copyright © 2021 IDG Communications, Inc.
