Wi-Fi Protected Setup (WPS) is a legacy feature of routers that was developed two decades ago to make it easier to connect devices to the Wi-Fi network. It worked by avoiding the need to enter the Wi-Fi password manually on, say, your printer. Instead, an 8-digit PIN was used for authentication, providing the Wi-Fi password to the device. While the concept made sense on the surface, the implementation was far from airtight and the feature was quickly exploited by threat actors, who brute-forced networks in a matter of minutes. The industry moved on to better mechanisms like Wi-Fi Easy Connect, but WPS is still included in modern routers to this day. Even though many of your current devices do not support WPS, it can be used to hack your home network if it is enabled on your router. It goes without saying that disabling WPS should be one of the first things you do on a new router.
WPS was always designed for convenience, not security
No wonder it was abandoned years ago.
Any feature that trades security for convenience should not exist on your home network. WPS falls squarely into this category, despite still being part of your router. Just because something is part of your network shouldn’t automatically place it above suspicion. WPS uses an 8-digit PIN that you can enter on your device or in the router settings to authenticate the connection. This is a convenient way to connect your printer or smart device to the router since you don’t need to type a long password. The problem is that the PIN used by WPS is split into two parts, so it is not actually a single 8-digit PIN, but rather a 4-digit and a 3-digit number (one of the digits is a checksum for the PIN). This makes it much easier for attackers to “guess” the PIN.
The PIN is made up entirely of numbers, which further reduces the difficulty of a brute-force attack. And it doesn’t end there. The router sends an EAP-NACK message to the client on each attempt, making it clear whether the guess at the first four digits is correct. This leaves only the last three digits, which the attacker can brute-force separately. An 8-digit number has 100 million possible combinations, but a 4-digit and a 3-digit number, guessed separately, need only 11,000 attempts, which was shown to require less than an hour in a 2011 study. WPS does not have a mechanism to limit the number of attempts, which could stop a brute-force attack. Android dropped support for WPS in 2019, and Apple never officially supported it to begin with.
Even modern routers may have it enabled by default.
No one is safe
You might think that a technology that proved flawed in 2011 probably wouldn’t exist in modern networking equipment. While the WPA3 encryption standard removed support for WPS, many modern routers still allow a mixed WPA2/WPA3 mode. Older devices without WPA3 support need to connect to the router using the older WPA2 standard. This means that WPS may still be enabled by default if your router uses WPA2 to connect to certain devices. Smart home devices have also helped keep WPS alive. Since many of them still recommend that users connect via this route, people consider WPS to be an approved and trusted method. To be clear, your devices do not need to support WPS for the exploit to be valid; attackers simply need WPS to be enabled in the router settings to do their job.
If your router has a physical WPS button, you don’t even need a PIN to connect. Pressing the button opens a brief window within which your device can detect the router and make the connection. Even the PIN is usually printed on the router, so someone physically close to your router can write it down and return later to hack the router from the outside. Both the button and PIN methods are very insecure, so you should head to your router settings and disable WPS right now. It is recommended to search your router’s manual online for instructions on how to do this.
Disabling WPS is Wi-Fi security 101
Along with some other things
Most people never touch their router settings and therefore may not know that WPS is still enabled on their router. It’s one of the first things you should disable in your router settings. Of course, if you haven’t already changed the router’s default user ID and password, change them as soon as possible, along with your Wi-Fi’s SSID and password. The default values are easy to guess and can grant access to anyone. While you disable WPS, you should also get rid of UPnP and WAN management (remote access). UPnP allows any device to open network ports, bypassing the firewall and opening a backdoor that malware can exploit, giving hackers remote access. Remote management allows you to access the router’s management page from outside the home network, which isn’t very useful, but leaves the door open to hackers.
You unknowingly keep your network exposed to security attacks.
WPS should have been dead a long time ago, but it continues to exist on modern routers and devices with older security standards. It’s a convenience feature that didn’t take into account the potential exploits it generated. Although modern routers that support WPA3 don’t need to worry about WPS, many of them support WPA2 in a transitional mode to allow older devices to connect. This means your router could still have WPS enabled, leaving your Wi-Fi unprotected.








