Does the Recent WPS Attack Affect You?

Researcher Stefan Viehböck's holiday gift to the world was a personal information number (PIN) guessing attack against Wi-Fi Protected Setup (WPS). WPS is a fuss-free configuration option supported by many residential Wi-Fi routers. Reported to the U.S. Computer Emergency Readiness Team (US-CERT) in late December, this brute-force PIN crack has since been demonstrated by hundreds of volunteers running proof-of-concept attack tools.

But look-alike acronyms and diverse implementations have created confusion about real-world impact. How can you tell if this attack impacts you?

WPS, WPA, WP-Whatever

Start with what WPS is - and isn't. The "S" in "WPS" refers to "setup." Specifically, WPS is a Wi-Fi Alliance innovation, created to encourage secure wireless connections by auto-configuring Wi-Fi Protected Access (WPA/WPA2)- Personal pre-shared keys (PSKs).

Before WPS, network owners had to configure routers with long, complex WPA2-Personal passphrases (from which PSKs are derived). End users then painstakingly re-typed those same passphrases into Wi-Fi laptops, smartphones, Tivos, Wiis, etc. Mistakes proved frustratingly common, especially on consumer electronic devices without keyboards.

To greatly simplify setup, WPS auto-configures PSKs by conducting an over-the-air exchange between router and client. Depending on router make/model, setup might require typing a four-digit PIN into a client, pushing a button on the router, or holding a client up to a router that supports near-field communications (NFC). Viehböck analyzed this supposedly secure WPS exchange and found vulnerabilities that facilitate WPS PIN cracking.

However, Viehböck's attack does NOT crack WPA/WPA2 (a.k.a. 802.11i), the standards actually used to secure wireless network traffic. This means that businesses using only WPA2-Enterprise (802.1X) needn't be concerned about WPS attacks. Neither should organizations using WPA2-Personal on enterprise-grade Wi-Fi access points that don't implement WPS.

PIN-pointing the Problem

On the other hand, SMB and residential wireless router owners who use WPA2-Personal to secure their networks should be concerned and perhaps take action.

The brute-force attack reported by Viehböck reduces the number of PINs that a would-be intruder must try before correctly guessing a WPS-enabled router's PIN. For some routers, worst-case time-to-crack is roughly four hours. For other routers, cracking could take up to 90 days - or even forever. Having cracked a router's WPS PIN, the intruder can freely connect any new client, gaining access to other connected systems and uplinked networks just like legitimate clients.

Why the range in attack duration? A brute-force attack works by repeatedly trying all possible combinations until the right PIN is guessed. Some routers ignore WPS failures, letting an attacker keep on plugging without delay. Other routers respond to repeated failures with some sort of "lockdown" period during which WPS attempts are ignored. Maximum time-to-crack depends on how many failures are permitted, how long the lockdown lasts and whether manual action is required to re-enable WPS. Furthermore, some routers engage in WPS for only a few minutes after the owner explicitly enables this auto-configure option.

Protect Yourself

Unfortunately, the affected Wi-Fi routers are relatively easy to attack; proof-of-concept tools are already freely available. Furthermore, initial (not necessarily representative) surveys indicate that about one-quarter of all Wi-Fi routers now using WPA/WPA2-Personal could be vulnerable. For those unlucky enough to be vulnerable, quick action is warranted. Fortunately, the remedy might be easy.

Anyone using a residential or SMB Wi-Fi router with WPA/WPA2-Personal should start by determining whether the router's make/model even supports WPS. A list of Wi-Fi-certified WPS-capable products can be found at Those with non-Wi-Fi certified products should browse product configuration guides or screens, looking for a function that sounds like WPS but might be called something else.

Those using routers that support WPS should dig further to determine actual risk exposure and ways to reduce or eliminate it. A community-sourced list of volunteer-tested routers (by make, model and firmware version) has been shared here at Google Docs. In particular, note the "WPS can be disabled" column, which describes whether, and sometimes how, to turn WPS off in each tested router.

Further information about this attack, affected products and recommended workarounds has been published by the US-CERT here. Ultimately, vendors selling especially vulnerable WPS-capable products might release updated firmware to add lockdown mechanisms or take other steps to deter this attack. In the meantime, turn WPS off wherever possible, or enable WPS only when actively attempting to auto-configure a new client.

WTNJan23.jpgShown are WPS options in a common residential Wi-Fi router. Remedies to deter attack vary by product; here, just choose "Manual" in lieu of PIN or push-button auto-configuration.

Email and Social Media Links: Share securely via email |  |


You forgot to mention the core vulnerability of the WPS pin. Namely that the 8 digit pin is divided into 3 parts. First 4 digits compose the first part, 5th to 7th digit compose the second part and the 8th digit is a checksum. Check sum is precomputed for ever possible 7 digit pin combination so cracking it is not required by reaver. Nextly when the first 4 digits are wrong the router will respond with an M5 error, if they are correct but the 3 following digits are wrong then it will respond with an M5 message and an M7 error. In essence this flaw cuts down possible pin attempts from 100,000,000 to 11,000. Assuming 4 seconds per pin attempt cracking an 8 digit pin would take up to 12.68 years, cracking whats in essence two pins 4 digits and 3 digits each at 4 seconds per attempt would only take up to 12.22 hours.

In addition some routers (such as Netgear and Linksys) do not allow you to turn off WPS. Even if you disable WPS in settings the router will still continue to accept WPS PINs and so is still vulnerable. The only hope than is that the vendor will update the firmware to fix the security hole, or you can flash the router with a firmware which does not support WPS at all -- DD-WRT for example.

Thanks for writing Nex. Great detailed explanation of why WPS PINs are easier to brute force than its designers intended.

The best resource I've seen for determining whether or not any router make/model is vulnerable is this Google doc of mostly Reaver test results:

As you say, for those with vulnerable routers, one option is to flash new firmware - either an upgrade from the router's manufacturer or alternative firmware. Another option is to turn your old router into a doorstop and buy a new one - just be sure to buy one that doesn't support WPS or provides a config option that really turns WPS off!

Join the Webtorials Community
Subscription Maintenance

Featured Sponsors

Recent Comments

Webtorials TechNotes

Featured Analysts

Gary Audin, Delphi, Inc.

Michael Finneran, dBrn Associates

William A. Flanagan, Flanagan Consulting

Douglas Jarrett, Keller and Heckman LLP

Jim Metzler, Ashton, Metzler & Associates

Lisa Phifer, Core Competence

Dave Powell, Independent Technical Writer

David Rohde, TechCaliber Consulting LLC

Steven Taylor, Distributed Networking Associates, Inc.

Joanie Wexler, Technology Analyst/Editor


Steven Taylor

TechNotes is a special program of Webtorials and Distributed Networking Associates, Inc.


Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Please encourage colleagues to download their own copy after registering at  Continuing past this point indicates your acceptance of our terms of use as specified at Terms of Use.

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2013, Distributed Networking Associates, Inc.