Wi-Fi 6E is the most secure wireless standard ever, but making the wrong implementation decisions or not understanding its risks will negate that advantage.

Wi-Fi 6E is a technical extension of the Wi-Fi 6 standard to deliver improved Wi-Fi capacity, less interference, and higher throughput. Introduced in January 2021 by the Wi-Fi Alliance, Wi-Fi 6E allows for an increased frequency band of 6 GHz, providing up to 1,200 MHz of additional spectrum compared to Wi-Fi 6.

In April 2020, the FCC voted to open 6 GHz for unlicensed use, meaning that electrical consumer products such as phones, tablets, laptops, and routers could benefit from the enhanced Wi-Fi performance. Commenting last year, FCC chairman Ajit Pai said, “I expect that 6 GHz unlicensed devices will become a part of consumers’ everyday lives. And I predict the rules we adopt today will play a major role in the growth of the internet of things, connecting appliances, machines, meters, wearables, smart televisions, and other consumer electronics, as well as industrial sensors for manufacturing.”

“This change in how Wi-Fi operates is likely to alter the way people use Wi-Fi networks, with 6E allowing more devices to connect at greater speeds,” says Paul Holland, principal research analyst at the Information Security Forum (ISF). “Until now, there were limitations on some of the heavier network related devices like virtual reality, but with more connectivity available, a whole raft of new devices will enter the market as manufacturers look to make money from this newer capability.”

As Wi-Fi usage increases, CISOs will need to be aware of its benefits and challenges.
These are the most important for now:

Wi-Fi 6E is more secure than previous versions

Speaking to CSO, David Coleman, director of wireless networking at Extreme Networks, adds that, in several ways, Wi-Fi 6E will be more secure than previous generations of Wi-Fi because the Wi-Fi Alliance is mandating WPA3 security certification for all Wi-Fi 6E devices, with no backward compatibility support for WPA2 security. “In effect, this means that Management Frame Protection (MFP) is required in the 6 GHz band and Simultaneous Authentication of Equals (SAE) replaces pre-shared key (PSK) security. This is an important improvement, as SAE is resistant to the offline dictionary attacks that can plague PSK authentication.”

The Wi-Fi Alliance is also requiring Enhanced Open certification support and will mandate support for Opportunistic Wireless Encryption (OWE) in 6 GHz. “This means there will be no more ‘open’ networks and encryption will always be used to protect user data,” says Coleman.

Wi-Fi 6E risks: Rush to market might introduce vulnerabilities

As with any emerging technology, the adoption of Wi-Fi 6E has the potential to create new cybersecurity risks. “In the rush to develop 6E-enabled devices, manufacturers may neglect security for speed to market, introducing vulnerabilities if no security mechanisms are included or if there is no path to update the new 6E-enabled devices,” warns Holland. “Organizations need to be more aware of the potential risks posed by the release of Wi-Fi 6E and the implementation of devices that will come as part of this upgrade of networking infrastructure. The fact that organizations have been caught out in the past by Wi-Fi, 4G and 5G shows lessons are not being learned, and the level of awareness is still not where it should be.”

CISOs must therefore recognize, communicate, and mitigate the organizational cybersecurity risks posed by Wi-Fi 6E. Which should be of most concern to security leaders?
Below are three security threats that should be of primary focus.

1. New 6 GHz rogue devices

The buzz phrase in Wi-Fi security has always been the rogue access point (AP), an open and unsecured gateway that inadvertently offers access to a company’s wired infrastructure, says Coleman. “A wireless rogue device can be used for data theft, data destruction, loss of services, and other attacks. Typically, hackers aren’t responsible for installing rogue APs. More often than not, it’s well-meaning employees who don’t realize the consequences of their actions.”

As new consumer-grade Wi-Fi 6E APs and routers continue to be made available in the marketplace, they are prime rogue device candidates because today’s wireless intrusion prevention system (WIPS) solutions are primarily focused on monitoring for and protecting against 802.11-based wireless attacks and threats on the 2.4 GHz and 5 GHz frequency bands — not in the 6 GHz band. “Vendors that offer APs with tri-frequency sensor capabilities in their APs will take the lead in 6 GHz rogue detection,” Coleman adds.

2. Wi-Fi 6E lacks backward compatibility with WPA2

Existing Wi-Fi clients will never be able to connect to 6 GHz, and so enterprises will need to implement different levels of security for different frequency bands, something that is likely to create significant administrative challenges. “WPA3 will be used in 6 GHz, but WPA2 will remain prevalent in the 2.4 GHz and 5 GHz bands for a very long time,” Coleman says.

Issues with backward compatibility are likely to cause security headaches for CISOs, Holland agrees. “The new technology will lead to manufacturers leaving older Wi-Fi devices out of their update process when vulnerabilities are discovered, meaning they will no longer receive patches. This will leave some internet of things devices to be forgotten by manufacturers and maybe even by the organizations themselves, creating the risk of having unmonitored and unpatched devices on corporate networks.”

3. OWE Wi-Fi 6E vulnerabilities

“Many organizations will choose to use OWE in 6 GHz even though the Enhanced Open certification meets only half the requirements for comprehensive Wi-Fi security,” Coleman says. “OWE provides encryption and data privacy, but there is no authentication whatsoever, creating the potential for hijacking and impersonation attacks. WPA3-Personal or WPA3-Enterprise are better options because authentication is mandated.”

Addressing Wi-Fi 6E cybersecurity threats

Organizations will need to engage with their security teams with regard to the advent and incorporation of Wi-Fi 6E. Coleman and Holland cite five important steps enterprises must take to mitigate the risks:

Upgrade WIPS solutions to full 6 GHz monitoring capabilities, even if you are not yet deploying Wi-Fi 6E. Look for WIPS solution sensors that have 6 GHz radios and offer tri-frequency band scanning from a single radio.

Avoid OWE in the 6 GHz band and use WPA3-Personal (SAE) or WPA3-Enterprise (802.1X).

Ensure that security leaders and IT teams are educated about this issue and take it seriously. “Don’t get caught flat-footed,” says Coleman.

Use network segmentation to ensure that 6E-enabled routers and devices are safely implemented across an enterprise. “This may mean only purchasing devices with a recognized support contract (for patches and problems), as well as putting new devices through all the due diligence processes that are part of the procurement lifecycle,” says Holland. “This will ensure that any manufacturer or vendor is linked to an organization’s supply chain management.”

Consider a zero-trust strategy, as it can assist in protecting each device via protect surfaces and help by supporting strong authorization/authentication protocols, limiting lateral movement following a breach of a 6E device.

Wi-Fi 6E is the most exciting thing to happen to Wi-Fi in nearly 20 years, says Coleman.
“Whilst people may well be overlooking the practical realities and challenges of actually implementing this technology, 2021 is likely going to be a breakthrough year for Wi-Fi 6E in the enterprise, emerging as a major focus for IT teams over the next several months.”
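The first two mitigation steps in the article (6 GHz rogue monitoring and avoiding OWE in 6 GHz) can be expressed as a check over tri-band sensor scan results. This is an added example, not code from the article or from any vendor; the Beacon record, the AKM labels, the band edges chosen for 2.4 GHz and 5 GHz, and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Band edges in MHz. 5925-7125 is the 1,200 MHz of 6 GHz spectrum.
BANDS = {"2.4GHz": (2400, 2500), "5GHz": (5150, 5895), "6GHz": (5925, 7125)}
# AKM labels are assumed names for this example, not a vendor's schema.
AUTHENTICATED_6GHZ = {"SAE", "WPA3-ENTERPRISE"}

@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    freq_mhz: int
    akm: str  # e.g. "WPA2-PSK", "OWE", "SAE", "WPA3-ENTERPRISE"

def band_of(freq_mhz):
    """Map a centre frequency to its band name, or 'unknown'."""
    for name, (lo, hi) in BANDS.items():
        if lo <= freq_mhz <= hi:
            return name
    return "unknown"

def audit(beacons, authorized_bssids):
    """Return sorted (bssid, band, finding) tuples for one sensor sweep."""
    allowed = {b.lower() for b in authorized_bssids}
    findings = []
    for b in beacons:
        band = band_of(b.freq_mhz)
        if b.bssid.lower() not in allowed:
            # Only visible in 6 GHz if the sensor actually scans that band.
            findings.append((b.bssid, band, "rogue: BSSID not in AP inventory"))
        elif band == "6GHz" and b.akm.upper() == "OWE":
            findings.append((b.bssid, band, "OWE: encrypted but unauthenticated"))
        elif band == "6GHz" and b.akm.upper() not in AUTHENTICATED_6GHZ:
            findings.append((b.bssid, band, "not WPA3: unexpected in 6 GHz"))
    return sorted(findings)

# Constructed sample data (locally administered MAC addresses).
INVENTORY = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]
SAMPLE = [
    Beacon("02:00:00:00:00:01", "corp", 5180, "WPA2-PSK"),    # 5 GHz, WPA2 persists
    Beacon("02:00:00:00:00:02", "corp", 5955, "SAE"),         # 6 GHz, authenticated
    Beacon("02:00:00:00:00:03", "guest", 6115, "OWE"),        # 6 GHz, no authentication
    Beacon("02:00:00:00:00:99", "home-router", 6435, "SAE"),  # not in inventory
]

if __name__ == "__main__":
    for row in audit(SAMPLE, INVENTORY):
        print(row)
```

A sensor limited to 2.4 GHz and 5 GHz would never report the last two sample beacons, so neither finding would be raised.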