The WPS PIN Flaw Explained
The WPS PIN is an 8-digit number (10^8 = 100,000,000 possible values). In theory, brute-forcing it would require up to 100 million attempts. The flaw is in how WPS validates the PIN.
The WPS protocol splits validation into two halves:
- The router first validates the first 4 digits of the PIN (10,000 possibilities) and sends a success or failure response.
- Only after the first half succeeds does it validate the last 4 digits — but the 8th digit is a checksum derived from the other seven, leaving only 3 independent digits (1,000 possibilities).
This two-stage design means an attacker needs at most 10,000 + 1,000 = 11,000 attempts to brute-force the complete PIN — a reduction from 100 million to 11,000. At a rate of one attempt per second (typical with no lockout), this takes around 3 hours. Tools like Reaver and Bully automate this completely.
Once the attacker has the WPS PIN, the router reveals the current WPA2 passphrase as part of the WPS exchange — the passphrase doesn't need to be guessed separately.
Why the Attack Persists
Many routers implement WPS PIN lockout after a certain number of failed attempts — which significantly slows the attack. However:
- Many routers do not implement lockout at all, or reset the lockout timer on reboot.
- The Pixie Dust attack (2014) exploits weak random number generation in some router WPS implementations to recover the PIN in seconds offline — no brute-force required at all.
- Even with lockout, a patient attacker can still succeed over days or weeks.
- Some routers that claim to have WPS disabled in their UI still respond to WPS probe frames in practice — firmware bugs leaving WPS partially active.
WPS Methods Comparison
| WPS Method | How It Works | Vulnerability | Verdict |
|---|---|---|---|
| PIN (Router) | Enter router's printed 8-digit PIN on device | 11,000-attempt brute-force; Pixie Dust | Disable |
| PIN (Client) | Device generates PIN; enter on router admin page | Same protocol flaw | Disable |
| Push Button (PBC) | Press button on router; 2-minute window | Requires physical access; minor | Acceptable if kept disabled by default |
| NFC | Tap NFC-capable device to router | Physical proximity required | Low risk; rarely implemented |
How to Disable WPS
Log into your router admin interface (usually 192.168.1.1 or 192.168.0.1). Look for WPS settings under Wireless, Advanced Wireless, or Security sections. Toggle WPS off and save. The setting name varies by manufacturer:
- ASUS: Wireless → WPS → Disable WPS
- Netgear: Advanced → Advanced Setup → Wireless Settings → Disable WPS
- TP-Link: Advanced → Wireless → WPS → Disable
- Linksys: WiFi Settings → WiFi Protected Setup → Disable
After disabling, verify by scanning with a Wi-Fi analyzer app: WPS-capable networks advertise WPS support through a WPS information element in their beacon frames. If that element is gone, WPS is fully disabled.
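The beacon check above can be done by hand on captured frames. The following is an added example, not code from the original article: it parses the tagged-parameter section of a beacon, finds the WPS vendor-specific element (OUI 00:50:F2, type 4) and reports the advertised WPS state, the AP Setup Locked flag and which configuration methods (PIN-based or push-button) the router offers. The two beacon byte strings are constructed for the example; the attribute IDs and config-method bits are the standard WSC values.

```python
import struct

# WPS information element: tag 0xDD, OUI 00:50:F2, type 0x04, then big-endian
# TLV attributes (2-byte attribute id, 2-byte length, value).
WPS_OUI_TYPE = bytes.fromhex("0050f204")
ATTR_WPS_STATE = 0x1044        # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057  # 1 = registrar PIN locked after failed attempts
ATTR_CONFIG_METHODS = 0x1008   # bitfield of offered enrolment methods
PIN_METHODS = {0x0004: "Label", 0x0008: "Display", 0x0100: "Keypad"}
PBC_METHOD = 0x0080

def parse_ies(data: bytes):
    """Split a beacon's tagged parameters into (tag, value) pairs."""
    ies, i = [], 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.append((tag, value))
        i += 2 + length
    return ies

def wps_status(data: bytes):
    """Return None when no WPS IE is advertised, else what the AP offers."""
    for tag, value in parse_ies(data):
        if tag == 0xDD and value.startswith(WPS_OUI_TYPE):
            break
    else:
        return None
    attrs, body, i = {}, value[len(WPS_OUI_TYPE):], 0
    while i + 4 <= len(body):
        attr_id, attr_len = struct.unpack(">HH", body[i:i + 4])
        attrs[attr_id] = body[i + 4:i + 4 + attr_len]
        i += 4 + attr_len
    methods = int.from_bytes(attrs.get(ATTR_CONFIG_METHODS, b"\x00\x00"), "big")
    return {
        "configured": attrs.get(ATTR_WPS_STATE) == b"\x02",
        "ap_setup_locked": attrs.get(ATTR_AP_SETUP_LOCKED) == b"\x01",
        "pin_methods": [n for bit, n in PIN_METHODS.items() if methods & bit],
        "pbc": bool(methods & PBC_METHOD),
    }

# Constructed sample beacons: SSID "home", with and without a WPS IE. The WPS
# IE below advertises a configured, unlocked AP offering Label PIN and PBC.
WPS_ON = bytes.fromhex("0004686f6d65" "dd19" "0050f204" "104a000110"
                       "1044000102" "1057000100" "100800020084")
WPS_OFF = bytes.fromhex("0004686f6d65")
```

A router that still shows `pin_methods` after WPS was switched off in its UI is exhibiting the partially-active firmware behaviour described earlier.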
What to Do Instead of WPS
Connecting a device without WPS just means entering the Wi-Fi password once. Store the password in a password manager so you have it when needed. For IoT devices that are hard to type on, use your phone as a configuration interface — most smart home apps handle the password entry for you. The one-time inconvenience of typing a password is a minor cost compared to permanent WPS exposure.
Frequently Asked Questions
Does a strong Wi-Fi password protect against the WPS PIN attack?
No. The WPS PIN attack bypasses the Wi-Fi password entirely. Cracking the PIN causes the router to hand over the actual WPA2 passphrase as part of the protocol. A 64-character password provides zero additional protection against WPS PIN brute-force.
Is WPS Push Button (PBC) also vulnerable?
PBC is not vulnerable to PIN brute-force. It requires physical access to press the router button, and the connection window is only 120 seconds. PBC is substantially safer than PIN mode, but disabling WPS entirely is still recommended to eliminate the attack surface completely.