The Evolution of WiFi Encryption: From WEP Fossils to the WPA3 Fortress


Written: May 10, 2026 | Reading time: approx. 8 minutes | Your expert guide to IT security

Because WiFi signals travel invisibly through the air, any neighbor or passerby could theoretically intercept all of your internet traffic. The only shield standing between your private data and the public is WiFi encryption.

Since the invention of WiFi in the late 90s, cryptographers and hackers have been engaged in a constant cat-and-mouse game. Every standard was eventually cracked and replaced by a better one. In this guide, we travel through the evolution of WiFi security, explain the technology behind it, and point out where acute dangers still lurk today.


The Dark Ages: WEP (Wired Equivalent Privacy)

Introduced in 1997, WEP was the first attempt to make WiFi as secure as a wired network (LAN). It turned out to be a catastrophic failure.

  • How it works: WEP uses the RC4 encryption algorithm. The transmitting and receiving devices share a static key (the password). To avoid encrypting every data packet identically, a so-called Initialization Vector (IV) is attached to the packet.
  • The Vulnerability: The IV is extremely short at 24 bits. In a busy WiFi network, these vectors repeat after just a few minutes. An attacker only needs to passively capture data packets until they have collected enough "collisions" (duplicate IVs). After that, the key can be calculated mathematically in seconds.
  • Where is it used? Hopefully nowhere anymore! WEP is dead. If you use WEP, you might as well leave your WiFi completely unencrypted. Today, hackers can crack WEP fully automatically using a smartphone app.
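
The IV problem described above, as an added Python example that is not part of the original guide: it estimates how quickly random 24-bit IVs repeat and shows what two frames encrypted under the same IV give away. The key, IV and plaintexts are constructed sample values, WEP's CRC-32 checksum is omitted, and no key recovery is implemented.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (key scheduling + output generation); returns n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || static key; the IV itself is sent in clear."""
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def frames_until_iv_repeat(probability: float, iv_bits: int = 24) -> int:
    """Birthday bound: number of frames with randomly chosen IVs before
    some IV has repeated with the given probability."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))

def keystream_reuse_demo():
    secret = bytes.fromhex("0102030405")   # constructed 40-bit static key
    iv = bytes.fromhex("a1b2c3")           # the same 24-bit IV, used twice
    p1 = b"GET /index.html HTTP/1.1"       # constructed plaintexts, equal length
    p2 = b"POST /login HTTP/1.1 xxx"
    c1 = wep_encrypt(iv, secret, p1)
    c2 = wep_encrypt(iv, secret, p2)
    leaked = xor(c1, c2)                   # keystream cancels: equals p1 XOR p2
    recovered_p2 = xor(leaked, p1)         # one known plaintext reveals the other
    return leaked == xor(p1, p2), recovered_p2 == p2

if __name__ == "__main__":
    print("frames for a 50% chance of an IV repeat:", frames_until_iv_repeat(0.5))
    print("keystream reuse leaks plaintext:", keystream_reuse_demo())
```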


The Quick Fix: WPA (Wi-Fi Protected Access)

When the weaknesses of WEP became undeniable in 2003, the industry desperately needed a new standard that could run on existing hardware. WPA was born.

  • How it works: WPA uses the TKIP (Temporal Key Integrity Protocol). Instead of using a single static key for the entire network, TKIP generates a new, dynamic key for every single data packet.
  • The Vulnerability: Under the hood, WPA still relies on the error-prone RC4 algorithm from the WEP era. Additionally, attacks like the "Beck-Tews attack" were discovered, allowing parts of the encryption to be bypassed.
  • Where is it used? WPA is obsolete. Almost all modern end devices (like current iPhones or Windows 11 PCs) completely refuse to connect to WPA-only networks for security reasons.


The Decades-Long Gold Standard: WPA2

Introduced in 2004, WPA2 finally threw the old RC4 code overboard. To this day, WPA2 remains the most widely used standard in the world.

  • How it works: WPA2 uses AES (Advanced Encryption Standard), the exact same encryption method used by governments for top-secret documents. The associated protocol is called CCMP. It ensures that packets are securely encrypted and that their integrity is verified (no one can manipulate the packet in transit).
  • The Vulnerabilities: The AES method itself remains uncrackable to this day. The vulnerability lies in the connection setup—the 4-Way Handshake. As we explained in our guide on packet injection, attackers can intercept this handshake. If the chosen password is in a dictionary, it can be cracked offline. In 2017, the KRACK vulnerability also shook the IT world, allowing attackers to force the reinstallation of keys (this was patched via firmware updates on most routers).
  • Where is it used? WPA2 is currently still in use in over 90% of all home networks and corporate environments (often as WPA2-Enterprise with a RADIUS server).


The Modern Fortress: WPA3

Introduced in 2018, WPA3 is the answer to all the vulnerabilities that hackers exploited in WPA2.

  • How it works: WPA3 bids farewell to the vulnerable 4-Way Handshake and introduces the SAE Protocol (Simultaneous Authentication of Equals), also known as the "Dragonfly Handshake." Both sides (router and end device) prove to each other that they know the password without ever transmitting it through the air (not even in an encrypted form).
  • The "Forward Secrecy" Superpower: Even if a hacker were to somehow discover your WPA3 password years later, they cannot retroactively decrypt your previously recorded WiFi traffic. This was still possible with WPA2.
  • The Vulnerabilities: WPA3 is mathematically immune to offline dictionary attacks. Anyone wanting to crack the password must try it "live" against the router, which will promptly block the attacker after a few failed attempts. (Early implementation flaws like "Dragonblood" have long since been patched.)
  • Where is it used? All WiFi 6 and WiFi 6E/7 capable devices support WPA3. It is the current standard for new hardware and should absolutely be enabled in your router.
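
The missing forward secrecy in WPA2 follows directly from how WPA2-Personal derives its session key. This added Python example (not code from this guide; the SSID, MAC addresses and nonces are constructed sample values) computes the AES-CCMP key from the passphrase plus values the 4-Way Handshake sends unencrypted, so the passphrase is the only secret input.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class HandshakeValues:
    """Values that cross the air unencrypted during the 4-Way Handshake."""
    ssid: bytes
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes

def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    # IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated
    out = b""
    counter = 0
    while len(out) < length:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def temporal_key(passphrase: str, hs: HandshakeValues) -> bytes:
    """Session key for unicast frames, derived from the passphrase and public values."""
    pmk = pmk_from_passphrase(passphrase, hs.ssid)
    data = (min(hs.ap_mac, hs.sta_mac) + max(hs.ap_mac, hs.sta_mac)
            + min(hs.anonce, hs.snonce) + max(hs.anonce, hs.snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)   # KCK | KEK | TK
    return ptk[32:48]                                     # TK, the AES-CCMP key

# Constructed sample values, not taken from a real network.
SAMPLE = HandshakeValues(
    ssid=b"example-net",
    ap_mac=bytes.fromhex("020000000001"),
    sta_mac=bytes.fromhex("020000000002"),
    anonce=bytes(range(32)),
    snonce=bytes(range(32, 64)),
)

if __name__ == "__main__":
    print(temporal_key("correct horse battery staple", SAMPLE).hex())
```

Every session gets a different key because the nonces change, but nothing in the derivation is both secret and discarded afterwards, which is the property SAE adds.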


Personal vs. Enterprise: A Small Difference for Businesses

Both WPA2 and WPA3 are available in two versions:

  • Personal (PSK / SAE): All users share the same WiFi password (the standard for home use).
  • Enterprise (802.1X): There is no shared password. Every employee logs into the WiFi using their own unique username and password. The router queries a central server (RADIUS) to check if the user is allowed onto the network. This is the gold standard for corporate networks.


FAQ: WiFi Encryption

Should I use WPA2/WPA3 (Mixed Mode)?

Yes, the "WPA2/WPA3 Transition Mode" is currently the best choice for most households. Modern devices like current iPhones will automatically use the highly secure WPA3, while older smart home devices (e.g., older robot vacuums) can still connect via WPA2.

Why does my iPhone warn about "Weak Security"?

If your smartphone displays this message, your router is likely still using WEP, WPA, or TKIP as its encryption method. You urgently need to open your router settings and change the encryption to at least WPA2 (AES) or WPA3.
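
One way to check which of the categories above a network falls into, as an added Python example that is not part of the original guide: it classifies the flags column of `wpa_cli scan_results` output. The scan lines are constructed, and treating open networks as weak is an assumption of this example.

```python
import re

# Constructed sample in the tab-separated layout printed by `wpa_cli scan_results`.
SAMPLE_SCAN = (
    "bssid / frequency / signal level / flags / ssid\n"
    "02:00:00:00:00:01\t2412\t-48\t[WEP][ESS]\tgarage-cam\n"
    "02:00:00:00:00:02\t2437\t-55\t[WPA-PSK-TKIP][ESS]\told-router\n"
    "02:00:00:00:00:03\t2462\t-60\t[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]\tmixed-legacy\n"
    "02:00:00:00:00:04\t5180\t-42\t[WPA2-PSK-CCMP][ESS]\thome-wpa2\n"
    "02:00:00:00:00:05\t5200\t-44\t[WPA2-PSK+SAE-CCMP][ESS]\thome-transition\n"
    "02:00:00:00:00:06\t5220\t-47\t[WPA2-SAE-CCMP][ESS]\thome-wpa3\n"
    "02:00:00:00:00:07\t5240\t-51\t[WPA2-EAP-CCMP][ESS]\tcorp\n"
)

def classify(flags: str) -> tuple[str, bool]:
    """Map one flags field to (label, is_weak) using the article's categories."""
    tokens = re.findall(r"\[([^\]]+)\]", flags)
    if "WEP" in tokens:
        return "WEP", True
    wpa1 = [t for t in tokens if t.startswith("WPA-")]
    rsn = [t for t in tokens if t.startswith("WPA2-")]  # wpa_supplicant prints RSN as WPA2
    if not wpa1 and not rsn:
        return "open", True                             # assumption: no encryption counts as weak
    if wpa1:
        return ("WPA + WPA2 mixed" if rsn else "WPA only"), True
    suite = rsn[0]
    if "TKIP" in suite:
        return "WPA2 with TKIP", True
    if "EAP" in suite:
        return "Enterprise (802.1X)", False
    if "SAE" in suite:
        return ("WPA2/WPA3 transition" if "PSK" in suite else "WPA3 (SAE)"), False
    return "WPA2 (AES/CCMP)", False

def audit(scan_text: str) -> list[tuple[str, str, bool]]:
    """Return (ssid, label, is_weak) per network; lines without 4+ tab fields are skipped."""
    rows = []
    for line in scan_text.splitlines():
        parts = line.split("\t")
        if len(parts) < 4:
            continue                                    # header or malformed line
        ssid = parts[4] if len(parts) > 4 else ""       # hidden SSIDs are empty
        rows.append((ssid, *classify(parts[3])))
    return rows

if __name__ == "__main__":
    for ssid, label, weak in audit(SAMPLE_SCAN):
        print(f"{ssid:16} {label:22} {'WEAK' if weak else 'ok'}")
```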

What are AES and TKIP?

TKIP is the outdated, insecure encryption protocol from the WPA era. AES (Advanced Encryption Standard) is the modern, highly secure cryptographic standard used in WPA2 and WPA3.

Can WPA3 be cracked?

Thanks to SAE authentication, passive offline attacks (where a hacker captures the traffic and cracks the password at home at their leisure) are no longer possible. WPA3 forces attackers into active online attacks, which modern routers block almost immediately.