Does Librem 5 supports WPA3?

Hello,

does Librem 5 supports WPA3? If not is this a software issue on the roadmap or is it a hardware issue?
2022 it would be a huge no go for a security focused device to not support WPA3.
Most security concerns of WPA3 are as far as I know linked to transition mode networks (WPA2+WPA3) and it is time to move to WPA3 only access points and devices and ditch the transition mode for good. So buying a new device in 2022 that prolonges the life of the compromised WPA2 makes little sense.

In case it could be of any interest for a Librem 5 product owner my priorities as a potential user would be:

1. Working WiFi with WPA3
2. Working LTE Internet
3. Working front and rear cameras for Video-Calls and QR-Code scanning.
4. Working messaging apps like Telegram, Signal, Viber ect. and a working sandboxed WhatsApp getting spoofed metadata would be really a killer feature.
   What I don’t care about:
5. MMS - I have never used it in my life. For me it is a waste of time to work on this one.
6. Phone calls via the cell phone network. It is nice to have, but I can live without them if the maimstream messanger apps work with audio and video calls and are sandboxed so that they get no location and sensor data.
   I know it is a phone. But regular phone is not going to be secure anyways. We need the modem for the Intenet.

I am not able to connect to my router with WPA3 on my updated Librem 5 running Byzantium, so I don’t think it’s supported yet. But it works fine over WPA2.

I’m no wifi expert, but I’ve seen routers sold years before WPA3 was designed which got WPA3 in firmware upgrades later on, so I’m guessing that it’s just that the driver does not have support (yet). For example, my old TP-Link Archer C7 running OpenWRT got WPA3 support, even though it was released in 2013. The official firmware for it still does not have WPA3 support, even though it’s still being sold.

Yes, but most of us do need these. Phone calls for communicating with the rest of the world, including emergency services; MMS for communicating with the rest of the world by group texts and media.

In which country do you live? Maybe it is a US thing that people use MMS and phone calls.
I live in Europe and 99% of the time I use messenger apps for the voice calls.
It also has something to do with the fact that in Europe we have a lot of calls to different European countries and this still cost money if done via regular cell phone call while it is free if done via app.
The EU regulations for free roaming apply only when you are abroad, but don’t apply when you want to call for example from Germany to Austria for example when you live in Germany.

SMS is needed due to old 2FA systems.

U.S., correct.

Here, no business, for example your doctor, dentist, bank, hospital, pharmacy, or stores, police, ambulance service, restaurants, etc., would communicate by messenger app. It’s just unthinkable.

For long distance calling, including overseas, yes, it can cost more in the U.S., but there are ways to eliminate or reduce that cost.

SMS and MMS are deeply ingrained into our mobile usage here. Besides actual phone calls, they are a universal form of communication between mobile phones, as email is for computing. And as I said, group messages are all carried by MMS, which makes MMS more than just photo-sharing.

So Purism does have to include these functionalities here, especially phone calls, since the device has been approved by the Federal Communications Commission as a “telephone.”

P.S. Unlimited (or a certain number of) calls and SMS/MMS are frequently included with mobile phone plans. Unlike in other parts of the world, the U.S. carriers try to lock us into fixed, expensive monthly plans when they can, although people do have cheaper options with MVNOs. The carriers also typically deny us the use of data-only SIMs in mobile phones.

I get your arguments and they are totally valid. Especially as Purism is a US company and it must take care of it’s local customers.

I can just share the perspective from Europe.

One could have a normal Android/Apple phone at home for the case that you need to give your phone number to an institution and you could check your missed calls in the evening. And for using some Apps that you can’t get on the librem.

For the case that you really need to call somebody, there are services for that as well. For example Viber-Out.

Usually all friends, colleagues and relatives are going to be available in WhatsApp / Telegram / Viber / Signal. So I really don’t use phone for voice calls anymore.
In some countries actually even all businesses are available in Viber / Telegram -> for example in Ukraine or Russia. If you order something online, they often reconfirm delivery details via Viber/Telegram.

So in Europe, the definition of a phone would be of less importance.
The utility comes from a portable, battery powered device with internet connectivity that is not part of the Apple/Google/Microsoft ecosystem. And unfortunately there are really no good such devices on the market. Everything is Apple/Android or not really portable / poorly supported / underpowered.
It would have been awesome if Librem fills this gap.

The issue is … whether you use it ever is your business but your friends, relatives, colleagues can still send MMS to you. So if it doesn’t work then you don’t receive what they send to you. Maybe you are OK with that.

Some of us have grandparents or older parents for whom MMS is usable but random messenger services would be a bridge too far.

With the understanding that using the cell phone network, for voice calls or for data calls, leaks your (approximate) location.

Same here. It is quite common to receive an SMS to confirm a dentist or doctor appointment, or to give an update on a service outage (e.g. electricity or internet), or for restaurant bookings, …

I think it is relatively impractical for all these entities to use a messenger service because there are too many to choose from. Not only would they have to capture your ID but also the service to which the ID pertains (with all the attendant additional sources of failure) - and they would have to sign up to each messenger service - and their systems would have to be capable of using all those services (need appropriate API).

If you are a suburban dentist or restaurant or …, sorry, that’s non-core business.

Then there is the contentious issue of emergency alerts, which may work slightly differently from country to country, but the basic idea is the same: spam everyone in range of the tower with an urgent message. It may even be in your interest to receive the message. Again, there may be regulatory requirements.

It would be good to get an answer to that question.

As far as I can tell, recent Linux versions support WPA3. So it may mostly be a question of whether the WiFi card in the Librem 5 supports WPA3.

(My WAPs all support WPA3 but I’m configuring to WPA2-only since few if any client devices that I have do also support WPA3.)

In many cases, it’s not that big a deal because you would be running a secure protocol over the top of the WiFi connection anyway. So the main benefit of securing your WiFi is to stop randoms leeching your internet connection.

Tip: Use WPA3-SAE mode on your router. That way, your devices supporting WPA3 are secure while your devices using WPA2 can still connect.

Hello Johan,

Are you sure, you are not talking about transition mode?
SAE is afaik used in the WPA3 only as well.

Nevertheless the true benefit is when you don’t allow the backwords compatibility at all.
I would preffer setting up a separate network with differenr SSID for WPA2 devices.

On my Android device it’s called “SAE transition mode”, but after some googling it seems that you are correct that SAE in itself is something else. I meant transition mode.

According to the articles I’ve read about transition mode, even if they break the password for the SSID, the attacker can’t decrypt packets for WPA3 devices. So personally I don’t find it necessary to have a separate SSID. If they break the password they have local network access though and could potentially utilize other attacks, but personally I have to important devices talking with each other over both WPA2 and WPA3 to have them on different local networks. At least the transition mode secures some connections, but it’s obviously not perfect. My point is, it’s better than only WPA2 at least

That is what I have done for even older devices that don’t even support WPA2 i.e. separate SSIDs so that weaker devices are less able to expose stronger devices.

Yes, I could do that i.e. configure the SSID as WPA3/WPA2. However I think at the time I just wanted to have it working(!), WPA3 support was relatively immature, and perhaps all of my client devices did not support WPA3.

For the record, an iPhone requires iOS 13 for the client to support WPA3 and iOS 15 to be a hotspot supporting WPA3. iOS 15.x is current.

Now if only someone knew whether the Librem 5 supports WPA3 …

That is the second part of my question.
If there is no support, is this a hardware issue?
It can be planned on the roadmap if this is a matter of firmware adjustments. And then it becomes a question of priority.

The Open Source Driver Technical Reference Manual (October 2020) for the WiFi card mentions WPA3. So that is weak evidence that the support is there in the firmware and the driver. That is of course no evidence that it actually works.

Hello Librem 5 Community,

I just tested successfully connecting Librem 5 to a WPA3 network as a client.
I used the application Advanced Network Configuration and created the Network Connection profile there with manually entering the SSID, password, and setting Security as WPA3 Personal.
Afterwards I went to Settings -> WiFi -> selected the new network and connected to it.
It works! And the process is user friendly.

I am very happy, as Librem 5 was my most important device that was not using WPA3 yet.

So the only thing left regarding the topic WPA3 is to make the Librem 5 hotspot to use WPA3. I tried it through Advanced Network Configuration, but unfortunately, when I start the Hotspot, the config gets overwritten.

I did what you described but mine didn’t connect to WP3 secured network.

Does it still work now, and is there any additional info you put in?

Thanks.

No, but WPA3 does work out-of-the-box on Crimson. On Byzantium, I get an infinite looping circle when attempting to connect to the network using the SparkLAN Wi-Fi/Bluetooth module, so the connection settings has to be downgraded to WPA2 for it to work there.