DrayTek and WPA3 Wireless Security


Wireless security is ever more important for businesses and homes, as wireless links have become fast enough to match cabled networking with far greater convenience. With that convenience comes a risk: wireless networking does not have the physical security of cabling, and instead relies on wireless security protocols with strong encryption to protect against unauthorised network access and against eavesdropping on client connections to steal data.

The WPA2 (Wireless Protected Access) standard has been in use since 2004, providing strong AES encryption. Over the years, many vulnerabilities and limitations of the WPA2 protocol have become known, so although it's still comparatively secure, there are specific attacks that are difficult to protect against without compromising functionality, such as the KRACK vulnerability released in 2017.
Because of these issues and the ongoing evolution of 802.11 wireless networking, the WPA3 standard has been available since mid-2018.

WPA3 Security Protocol

WPA3 brings a number of security improvements and design changes that require hardware and software/operating system support, both for wireless clients and wireless access points.

WPA3 still uses strong AES encryption, with 128-bit AES for WPA3-Personal networks and improved 192-bit AES for WPA3-Enterprise networks. It introduces Forward Secrecy for all data being transmitted, so that encrypted wireless packets captured by an attacker cannot be decrypted and read if the attacker discovers the current wireless key.

The key exchange for WPA3-Personal networks, where clients authenticate & connect to the wireless network, changes from "Pre-Shared Key" (PSK) to "Simultaneous Authentication of Equals" (SAE). Flaws in the "PSK" of WPA and WPA2 contributed to many of the vulnerabilities discovered in the WPA2 standard.

The new Simultaneous Authentication of Equals connection method uses the Dragonfly Key Exchange (RFC 7664) protocol. This protects against brute-force attempts to discover the wireless key, either by direct connections to the access point, or by capturing data to determine the key. SAE requires clients to actively connect to the access point to test a key, allowing the access point to be aware of and shut down any attempts to guess a wireless password by brute-force.
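The forward secrecy property described above can be seen by comparing how the two kinds of session key are built. This is an added example, not DrayTek's code: it derives a WPA2-Personal session key from the passphrase and handshake fields, then runs a plain ephemeral Diffie-Hellman exchange as a stand-in for the SAE/OWE style of key agreement (it is not Dragonfly itself). The toy group, passphrase, SSID and MAC addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, an assumption for illustration only and not a
# group used by WPA3: prime modulus 2**255 - 19, generator 2.
P, G = 2**255 - 19, 2

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce, length=48):
    # Session key: 802.11 PRF over the PMK plus the MAC addresses and nonces,
    # all of which travel unencrypted in the 4-way handshake.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion\x00"
    blocks = b"".join(hmac.new(pmk, label + data + bytes([i]), hashlib.sha1).digest()
                      for i in range((length + 19) // 20))
    return blocks[:length]

def dh_keypair():
    # Fresh private value per session; only the public half is transmitted.
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_session_key(own_priv: int, peer_pub: int) -> bytes:
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def demo():
    # Constructed sample values, not from any real network.
    passphrase, ssid = "correct horse battery", "ExampleNet"
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    live = wpa2_ptk(wpa2_pmk(passphrase, ssid), ap, sta, anonce, snonce)
    # Every input except the passphrase is visible on air, so the same key
    # can be rebuilt later from a recording once the passphrase is known.
    rebuilt = wpa2_ptk(wpa2_pmk(passphrase, ssid), ap, sta, anonce, snonce)
    # Ephemeral exchange: the key depends on private values that are never
    # sent and are discarded afterwards, so each session gets its own key.
    keys = []
    for _ in range(2):
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        assert dh_session_key(a_priv, b_pub) == dh_session_key(b_priv, a_pub)
        keys.append(dh_session_key(a_priv, b_pub))
    return {"wpa2_rebuilt": live == rebuilt, "dh_sessions_differ": keys[0] != keys[1]}
```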

Open and Secure Wireless Networks - OWE

WPA3 also introduces a new open and secure connection mode: "Opportunistic Wireless Encryption" (OWE). An OWE wireless network allows clients to connect without a password, ideal for hotspot networks, but the connection between each individual client is uniquely encrypted behind the scenes. This allows clients to connect easily and communicate securely, without the risk of eavesdropping from other nearby wireless clients.

DrayTek and WPA3

Where it's possible to do so, DrayTek's products will support the new WPA3 wireless standard. This requires the wireless hardware to support the WPA3 standard, so some access points and routers designed before the WPA3 standard was ratified may not be capable of supporting the new wireless security standard. At present, the products listed in the tables below either support or will support WPA3.

  • If no firmware version is listed, then WPA3 is supported on that model from its launch.
  • Products listed with an asterisk (*) do not support WPA3 with current firmware, but are planned to with the listed firmware version.

DrayTek Vigor Wireless Routers with WPA3

Router Model                      WPA3 Support
Vigor 2765 'ac' models            Yes, from firmware 4.3.0
Vigor 2766 'ac' models            Yes
Vigor 2865 'ac' & 'ax' models     Yes, from firmware 4.2.2
Vigor 2866 'ac' models            Yes
Vigor 2927 'ac' & 'ax' models     Yes, from firmware 4.2.2

DrayTek VigorAP Wireless Access Points with WPA3

VigorAP Model                     WPA3 Support
VigorAP 903                       Yes, from firmware 1.3.7
VigorAP 912C                      Yes
VigorAP 918R series               Yes, from firmware 1.3.2
VigorAP 920R series               Yes, from firmware 1.3.2
VigorAP 960C                      Yes
VigorAP 1000C                     Yes
VigorAP 1060C                     Yes