WPS
Wi-Fi Protected Setup
A 2006 Wi-Fi Alliance standard for simplified device pairing — via an 8-digit PIN or push-button — that avoids manually entering the Wi-Fi passphrase. The PIN method has a critical design flaw that allows brute-force attacks in hours. Disable WPS PIN on all routers.
WPS was designed to make it easier for non-technical users to connect devices to Wi-Fi without typing a long passphrase. It has four connection methods: PIN (enter an 8-digit code), PBC (push button on router and device simultaneously), NFC (tap devices together), and USB (transfer credentials via flash drive). PIN and PBC are the common ones. The PIN method's flaw — discovered by Stefan Viehböck in 2011 — is that the router validates the first four digits before the last four, effectively splitting the brute-force problem into two smaller ones. Tools like Reaver and Bully exploit this to crack WPS PINs in hours.
WPS methods compared
| Method | How it works | Security | Recommendation |
|---|---|---|---|
| PIN (router PIN) | Enter 8-digit code from router label | Critical flaw — 11,000 attempts max | Disable immediately |
| PIN (client PIN) | Client generates PIN, enter in router | Weaker — same split-validation flaw | Disable |
| Push-button (PBC) | Press button on router + device within 2 min | Low risk — physical access required | Acceptable if PIN disabled |
| NFC | Tap NFC tag to router | Low risk — physical proximity | Acceptable |
| USB | Copy credentials via USB drive | Low risk — physical access | Rarely implemented |
Why the PIN flaw cannot be fixed
The WPS PIN vulnerability is a protocol design flaw, not an implementation bug. The EAP-NACK response that the router sends after the first four digits fail reveals whether the first half is correct — allowing an attacker to test each half independently. The only fix is to disable PIN mode or add aggressive rate limiting (lock out after 3–5 failed attempts). Many routers implemented rate limiting or lockouts after 2011, but not all — and some implementations have been bypassed. Since the PIN is permanent and printed on the router label, any attacker who learns it (physically or via brute force) retains access even if the Wi-Fi passphrase is changed. Disabling WPS PIN entirely is the only reliable mitigation.
Frequently Asked Questions
Why is WPS PIN mode a security risk?
The router validates the first 4 digits separately from the last 4, reducing the brute-force space from 100 million to ~11,000 attempts. Tools like Reaver crack WPS PINs in 4–10 hours. The PIN is permanent and printed on the router — knowing it reveals the passphrase even after a password change. Disable WPS PIN.
Is WPS push-button (PBC) safe to use?
Much safer than PIN — you press a physical button opening a 2-minute pairing window. No static code to brute-force; requires physical proximity to the router. Acceptable for connecting printers or IoT devices. For best security, disable WPS entirely and use a strong passphrase instead.
How do I check if WPS is enabled on my router?
Log into the router admin panel (usually 192.168.1.1), find Wireless or Advanced Wireless settings, look for a WPS section. Disable WPS PIN mode at minimum — ideally disable WPS entirely. The physical WPS button on the router case will stop working once WPS is disabled in software.
Related Terms
WPA2
WPS provides easy onboarding to WPA2 networks — at the cost of a security hole.
WPA3
WPA3 networks still support WPS — disable WPS PIN regardless of WPA version.
WEP
WPS was designed for WPA2 networks but shares WEP's legacy of weak design.
Full Glossary
All networking terms defined in plain English.