What WPS Is
WPS stands for Wi-Fi Protected Setup. It was created so people could connect devices without typing a long Wi-Fi password. In practice, routers usually support one or both of these modes:
- Push-button WPS: press a button on the router, then connect a device during a short window.
- WPS PIN: enter an 8-digit PIN printed on the router or shown in the admin interface.
The push-button mode is a temporary setup window. The PIN mode is the problem child.
Why the WPS PIN Is Weak: The Math
An 8-digit PIN sounds like 100 million possibilities (10^8), but the WPS protocol validates it in two separate 4-digit halves rather than as a single 8-digit value. An attacker verifies the first four digits independently — 10,000 possibilities. Once those are confirmed, only the second half remains, which is actually 3 digits plus a checksum digit that is mathematically derived — reducing it to about 1,000 guesses. Total effective search space: roughly 11,000 combinations instead of 100 million. That is a reduction of over 99.98%, turning what sounds like a strong PIN into something an automated tool can exhaust in hours.
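The arithmetic above, checked in code as an added example that is not part of the original page. The checksum routine follows the algorithm in open-source WPS implementations (wpa_supplicant's `wps_pin_checksum`); the function names and the sample PIN are this example's own.

```python
# Added example: WPS PIN checksum and search-space arithmetic.
# Function names are this example's own, not taken from the page.

def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven PIN digits (weights 3,1,3,1,... from the right)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is eight ASCII digits whose last digit is the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def valid_second_halves(first_half: str) -> int:
    """Count the 4-digit second halves that pass the checksum for one first half."""
    return sum(is_valid_pin(f"{first_half}{s:04d}") for s in range(10_000))


def search_space() -> dict:
    """Worst-case guesses: whole-PIN check versus the two-halves check."""
    naive = 10 ** 8                     # eight free digits, as the PIN appears
    first, second = 10 ** 4, 10 ** 3    # 4 free digits, then 3 free + checksum
    split = first + second
    return {"naive": naive, "split": split,
            "reduction_pct": 100 * (1 - split / naive)}


if __name__ == "__main__":
    print(is_valid_pin("12345670"))     # constructed sample PIN
    print(valid_second_halves("1234"))  # only a tenth of the 10,000 survive
    print(search_space())
```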
Reaver and Bully: The Attack Tools
Reaver and Bully are open-source tools that brute-force the WPS PIN over the air. An attacker within Wi-Fi range sends WPS enrollment requests systematically, iterating through PIN combinations and observing whether the router's response indicates a correct first half or full PIN. Against a router with no rate limiting on WPS attempts, Reaver typically completes a full brute-force in 4–10 hours. Once the PIN is found, WPS hands over the full WPA2/WPA3 passphrase — regardless of how strong that passphrase is.
The Pixie-Dust Attack
The Pixie-Dust attack is a more dangerous variant that exploits weak random number generation in the WPS chip of certain router models. During the WPS handshake, the router generates random nonces (one-time values). Some older or poorly implemented chips use a predictable or low-entropy source for these nonces. Pixie-Dust captures the WPS handshake and attacks the nonce generation offline — on a fast computer, it can crack the PIN in minutes or even seconds, without needing to send thousands of live requests to the router. Routers from several major manufacturers were vulnerable to Pixie-Dust, and many older devices remain unpatched.
WPS Push Button vs WPS PIN
Push Button Connect (PBC) requires someone to physically press a button on the router, which opens a 2-minute enrollment window. This eliminates the remote brute-force attack surface — an attacker cannot exploit PBC without physical proximity to the router at the exact moment the button is pressed. PBC is substantially safer than PIN-based WPS. However, disabling WPS entirely is still the cleanest long-term configuration, since the button creates risk during the window it is active and some routers implement PBC with vulnerabilities of their own.
Does Disabling WPS in the Admin UI Actually Work?
Not always. A significant number of routers — particularly older consumer models — have firmware bugs where the WPS toggle in the admin interface does not fully disable WPS at the radio level. The router reports WPS as disabled but continues responding to WPS enrollment requests. You can test this: after disabling WPS in the admin UI, use a tool like Reaver with the --wps-pin-auto flag from a Linux machine and observe whether the router still responds. If it does, the toggle is cosmetic and your only real option is a firmware update or router replacement.
WPS PIN vs Wi-Fi Password Attacks
A normal WPA2 password attack requires capturing a 4-way handshake and guessing the actual Wi-Fi passphrase offline. If the passphrase is long and random, dictionary and brute-force attacks are computationally infeasible. A WPS PIN attack bypasses the passphrase entirely — it attacks the enrollment mechanism and retrieves the passphrase as a result. A strong Wi-Fi password does not protect against an active WPS PIN attack; only disabling WPS does.
How to Disable WPS
- Log into your router admin page or router app.
- Open Wireless, Wi-Fi, Advanced Wireless, or Security settings.
- Find WPS, Wi-Fi Protected Setup, Push Button Connect, or PIN enrollment.
- Disable WPS entirely if the router allows it.
- Save settings and reboot the router if required.
- Optionally verify with Reaver that WPS is no longer responding.
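A passive complement to the verification in the last step, and to the earlier point that the admin toggle can be cosmetic, as an added example that is not from the original page: it checks whether a beacon from your own access point still carries the WPS information element. Function names and sample bytes are this example's own, and the input is assumed to be the beacon's tagged-parameter bytes taken from a capture. A missing element shows only that WPS is no longer advertised.

```python
import struct

# Added example. WPS is advertised in a vendor-specific IE (tag 221): OUI 00:50:F2, type 4.
WPS_OUI_TYPE = bytes.fromhex("0050f204")
ATTR_WPS_STATE = 0x1044        # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057  # 1 = AP has locked out external registrars

def iter_ies(buf: bytes):
    """Yield (tag, value) per information element; stop at a truncated one."""
    off = 0
    while off + 2 <= len(buf):
        tag, length = buf[off], buf[off + 1]
        value = buf[off + 2: off + 2 + length]
        if len(value) < length:
            return
        yield tag, value
        off += 2 + length

def parse_wps_attrs(body: bytes) -> dict:
    """Parse WPS attributes: 2-byte type, 2-byte length (big-endian), value."""
    attrs, off = {}, 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack_from(">HH", body, off)
        value = body[off + 4: off + 4 + alen]
        if len(value) < alen:
            break
        attrs[atype] = value
        off += 4 + alen
    return attrs

def wps_status(tagged_params: bytes) -> dict:
    """Report whether a beacon's tagged parameters still advertise WPS."""
    for tag, value in iter_ies(tagged_params):
        if tag == 221 and value[:4] == WPS_OUI_TYPE:
            attrs = parse_wps_attrs(value[4:])
            state = attrs.get(ATTR_WPS_STATE) or b"\x00"
            return {"advertised": True, "state": state[0],
                    "locked": attrs.get(ATTR_AP_SETUP_LOCKED) == b"\x01"}
    return {"advertised": False, "state": 0, "locked": False}

def ie(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value
def attr(atype: int, value: bytes) -> bytes:
    return struct.pack(">HH", atype, len(value)) + value

# Constructed sample beacons (not captured from a real device); 0x104A = version.
BEACON_WPS_ON = ie(0, b"HomeNet") + ie(
    221, WPS_OUI_TYPE + attr(0x104A, b"\x10") + attr(ATTR_WPS_STATE, b"\x02"))
BEACON_WPS_OFF = ie(0, b"HomeNet") + ie(221, bytes.fromhex("0050f202") + b"\x01\x01\x00")
```

Compare the result for a beacon captured before the toggle with one captured after it and after a reboot; `advertised` staying `True` means the setting did not take effect at the radio.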
Detecting WPS Brute-Force Attempts
If your router logs WPS authentication failures, repeated failures from the same MAC address indicate an active brute-force attempt. Check your router admin panel under System Log or Security Log for WPS-related entries. Some routers will auto-lockout WPS after a threshold of failures — if yours supports this, enable it. An unusual number of failed WPS attempts is a signal to disable WPS immediately if it is still enabled, and to check whether any unauthorized devices have connected.
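One way to automate the check described above, as an added example that is not from the original page: it flags any MAC address with repeated WPS failures inside a sliding time window. Router log formats differ, so the line format, threshold and window here are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example. Router log formats differ; this line format is an assumption.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) wps: PIN authentication failed from "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.IGNORECASE)

# Constructed sample log (not from a real router).
SAMPLE_LOG = """\
2024-05-01T02:14:03 wps: PIN authentication failed from de:ad:be:ef:00:01
2024-05-01T02:14:09 wps: PIN authentication failed from de:ad:be:ef:00:01
2024-05-01T02:14:11 dhcp: lease 192.168.1.23 to 02:00:00:aa:bb:cc
2024-05-01T02:14:15 wps: PIN authentication failed from DE:AD:BE:EF:00:01
2024-05-01T02:14:21 wps: PIN authentication failed from de:ad:be:ef:00:01
2024-05-01T02:14:27 wps: PIN authentication failed from de:ad:be:ef:00:01
2024-05-01T02:14:33 wps: PIN authentication failed from de:ad:be:ef:00:01
2024-05-01T09:30:00 wps: PIN authentication failed from 02:00:00:11:22:33
2024-05-01T09:31:10 wps: PIN authentication failed from 02:00:00:11:22:33
""".splitlines()


def detect_wps_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {mac: time the threshold was first reached} for MACs with at
    least `threshold` WPS failures inside any sliding `window`."""
    recent = defaultdict(deque)   # mac -> failure times still inside the window
    alerts = {}
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue              # unrelated or malformed entry
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue              # timestamp not in ISO format
        mac = m["mac"].lower()    # logs may mix upper and lower case
        times = recent[mac]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()       # drop failures older than the window
        if len(times) >= threshold:
            alerts.setdefault(mac, ts)
    return alerts
```

A client MAC address can be changed between attempts, so a count of WPS failures across all addresses in the same window is a useful second alert.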
Best Router Settings After Disabling WPS
| Setting | Recommended Value | Why |
|---|---|---|
| WPS | Off | Removes a weak enrollment path. |
| Security | WPA2-AES or WPA3 | Avoids old WEP/TKIP modes. |
| Password | 16+ characters, unique | Prevents handshake guessing. |
| Guest network | On for visitors and IoT | Keeps less-trusted devices away from main devices. |
Frequently Asked Questions
Should I disable WPS on my router?
Yes. Most home users should disable WPS after setup. It is a convenience feature, not a security feature, and the PIN method has a long history of brute-force weaknesses.
Is the WPS button safer than the WPS PIN?
Push-button WPS is safer than always-on PIN enrollment because it creates a short setup window requiring physical access, but disabling WPS entirely is still the cleaner long-term setting.
Will disabling WPS disconnect my devices?
No. Disabling WPS prevents new WPS-based setup. Devices already connected with the Wi-Fi password should remain connected.