Security features when connecting to wireless networks
All Apple platforms support industry-standard Wi-Fi authentication and encryption protocols, to provide authenticated access and confidentiality when connecting to the following secure wireless networks:
WPA2 Personal
WPA2 Enterprise
WPA2/WPA3 Transitional
WPA3 Personal
WPA3 Enterprise
WPA3 Enterprise 192-bit Security
WPA2 and WPA3 authenticate each connection and provide 128-bit AES encryption to help ensure confidentiality of data sent over the air. This grants users the highest level of assurance that their data remains protected when they’re sending and receiving communications over a Wi-Fi network connection.
WPA3 support
WPA3 is supported on the following Apple devices:
All iPhone models starting with iPhone 7 or later
All iPad models starting with iPad (5th generation) or later
All Mac computers (late 2013 or later, with 802.11ac or later)
All Apple TV models starting with Apple TV 4K (1st generation) or later
All Apple Watch models starting with Apple Watch Series 3 or later
Apple Vision Pro
All HomePod models
Newer devices support authentication with WPA3 Enterprise 192-bit security, which includes support for 256-bit AES encryption when connecting to compatible wireless access points (APs). This encryption provides even stronger confidentiality protections for traffic sent over the air. WPA3 Enterprise 192-bit security is supported in all iPhone 11 models or later, all iPad models starting with the iPad (7th generation), and all Mac computers with Apple silicon.
WPA3 R3
The R3 WPA3 Personal update (WPA3 R3) was launched in order to enhance the security and privacy of Wi-Fi, with a focus on certain handshake vulnerabilities. On Apple platforms, the following WPA3 R3 features are supported:
Transition Terminated Indication
Hash-To-Element (H2E) Support and H2E Fast Transition
Mitigation for Group Downgrade Attacks
Anticlogging Token Container Element
These improvements target protection against downgrade attacks (for example, Transition Terminated Indication) and password element generation (for example, the use of Hash-To-Element, which uses a non-iterative algebraic algorithm to derive the secret key, an improvement to the “Hunt-and-Peck” method). These WPA3 R3 features were introduced in iOS 16, iPadOS 16, macOS 13, and tvOS 16, and are supported on the following Apple devices:
All iPhone models starting with iPhone 11 or later
All iPad models from late 2020 or later
All Mac computers from late 2020 or later
All Apple TV models starting with Apple TV 4K (2nd generation) or later
Protected Management Frame support
In addition to protecting data sent over the air, Apple platforms extend WPA2 and WPA3 level protections to unicast and multicast management frames through the Protected Management Frame (PMF) service defined in 802.11w. PMF support is available on the following Apple devices:
All iPhone models starting with the iPhone 6 or later
All iPad models starting with the iPad Air 2 or later
All Mac computers (late 2013 or later, with 802.11ac or later)
All Apple TV models starting with the Apple TV HD or later
All Apple Watch models starting with the Apple Watch Series 3 or later
Apple Vision Pro
All HomePod models
With support for 802.1X, Apple devices can be integrated into a broad range of RADIUS authentication environments. 802.1X wireless authentication methods supported include EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, PEAPv0, and PEAPv1.
Platform protections
Apple operating systems protect the device from vulnerabilities in network processor firmware. This means that network controllers with Wi-Fi have limited access to Application Processor memory. Each network processor is on its own isolated PCIe bus. An Input/Output Memory Management Unit (IOMMU) on each PCIe bus further limits the network processor’s DMA access to only memory and resources containing its network packets and control structures.
Deprecated protocols
Apple products support the following deprecated Wi-Fi authentication and encryption protocols:
WEP Open, with both 40-bit and 104-bit keys
WEP Shared, with both 40-bit and 104-bit keys
Dynamic WEP
Temporal Key Integrity Protocol (TKIP)
WPA
WPA/WPA2 Transitional
These protocols are no longer considered secure, and their use is strongly discouraged for compatibility, reliability, performance, and security reasons. They are supported for backward compatibility purposes only and may be removed in future software versions.
It’s recommended that all Wi-Fi implementations be migrated to WPA3 Personal or WPA3 Enterprise, to provide the most robust, secure, and compatible Wi-Fi connections possible.
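When planning that migration, it helps to check which of the modes listed above an access point actually advertises. The following is an added example, not part of Apple's documentation: it parses the body of an IEEE 802.11 RSN element (element ID 48) and reports the mode, the PMF setting, and any deprecated ciphers. The function names and the sample byte strings are constructed for illustration, and the Enterprise labelling is a simplifying assumption noted in the code.

```python
import struct

OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
DEPRECATED = {"WEP-40", "WEP-104", "TKIP"}
PSK, SAE, EAP, SUITE_B_192 = {2, 4, 6}, {8, 9}, {1, 3, 5}, {12}  # AKM suite types

def _suites(buf, off):
    """Read a count-prefixed list of 4-byte suite selectors; return (types, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated RSN element")
    end = off + 2 + 4 * struct.unpack_from("<H", buf, off)[0]
    if end > len(buf):
        raise ValueError("truncated suite list")
    return [buf[i + 3] for i in range(off + 2, end, 4) if buf[i:i + 3] == OUI], end

def classify_rsn(body):
    """Classify an RSN element body (the bytes after element ID 48 and its length)."""
    if len(body) < 6 or struct.unpack_from("<H", body)[0] != 1:
        raise ValueError("not a version 1 RSN element")
    group = [body[5]] if body[2:5] == OUI else []
    pairwise, off = _suites(body, 6)
    akm, off = _suites(body, off)
    akm = set(akm)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    # RSN capabilities: bit 6 = PMF required (MFPR), bit 7 = PMF capable (MFPC).
    pmf = "required" if caps & 0x0040 else "capable" if caps & 0x0080 else "disabled"
    if akm & SUITE_B_192:
        mode = "WPA3 Enterprise 192-bit Security"
    elif akm & SAE:
        mode = "WPA2/WPA3 Transitional" if akm & PSK else "WPA3 Personal"
    elif akm & PSK:
        mode = "WPA2 Personal"
    elif akm & EAP:
        # Simplifying assumption: 802.1X with PMF required is reported as WPA3 Enterprise.
        mode = "WPA3 Enterprise" if pmf == "required" else "WPA2 Enterprise"
    else:
        mode = "unknown"
    names = {CIPHERS.get(t, "unknown") for t in group + pairwise}
    return {"mode": mode, "pmf": pmf, "deprecated": sorted(names & DEPRECATED)}

# Constructed sample element bodies (not captured from any real network).
TRANSITIONAL = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                             "0200" "000fac02" "000fac08" "8000")
WPA3_ONLY = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000")
LEGACY_TKIP = bytes.fromhex("0100" "000fac02" "0200" "000fac04" "000fac02"
                            "0100" "000fac02" "0000")
```

A network that reports a non-empty `deprecated` list or `pmf` of `disabled` is a candidate for reconfiguration before older settings are removed.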