What is WPS

WPS is a protocol for semi-automatically creating a secure WiFi network. It is designed to simplify the initial setup of the router so that inexperienced users can handle the task. The standard was approved by the Wi-Fi Alliance in 2007. But now the function is practically not used because of security issues.

General information about WPS

There are 2 types of the implementation of WPS:
  1. With the PIN code. To implement the connection, press the WPS button on the access point (router), connect as a client to the created WiFi network and enter the PIN-code (is specified on the access point next to the serial number).
  2. Without entering the PIN code. To realize the connection you need to press the WPS button on the access point (router) first, and then - on the client's device (within 2 minutes). Authorization will be done automatically.
In routers, the first option WPS has become popular. That is, for the initial router configuration, the user only needs to connect the WAN-cable from the provider to it, press the WPS button and then enter the PIN-code on the device that needs to be connected to WiFi.

On the routers from TP-Link this function is called QSS. Technically it does not differ at all and uses the same encryption and transfer protocol.


Major WPS vulnerabilities:
  1. The EAP-NACK signal is sent in response to the authorization attempt. On it you can understand in which numbers was an error (the first 4 or the next 3).
  2. PIN code by bruteforce (serial search) can be found within 2 - 3 hours.
PIN code consists of 8 digits. The last one is the checksum of the previous seven. That is theoretically to crack the access point you need to try 107 variants of the password. A bunch of 2 to 3 computers can do it in 3 to 4 hours. And after authorization, the client gets full access to the LAN, if previously no restrictions on LAN-access have been set.

And in some manufacturers' routers a bug was found in the random number generator, which is necessary to protect against unauthorized access. If you send an authentication signal with the wrong PIN, then use offline bruteforce (to de-authenticate the other clients), the previously entered password will be regarded as correct.

Options for protecting against hacking via WPS:
  • disable this feature;
  • firmware upgrade (after the detection of vulnerabilities manufacturers began to add a lock on timeout: after 5 - 10 incorrect attempts to enter WPS temporarily becomes inactive).
Proceeding from this, it is the routers with this function activated are the most vulnerable. Especially those where the user has not updated the firmware after purchase. And that makes less than 20% of all router owners. And 99% of corporate networks are hacked through WPS vulnerabilities.

What programs can hack through WPS vulnerabilities

The following programs are used most often for this purpose:
In total, what is WPS? It is a function for fast WiFi configuration and deployment without the need to manually set the network name (SSID), encryption type and access key. But because of vulnerabilities, it is recommended to disable it on the router to protect against unauthorized access. You can do this through the router's web interface.
Petr Sholokhov
Petr Sholokhov

Full-time website author. Expert in network infrastructure, security and system administration, 25 years of experience.

Related materials
InSSIDer Scanners
WPS Connect Android
Router Scan Scanners
Metasploit Kali Linux
Write a comment
Comments (0)