Disabling WPS: Why and How
What Is WPS?
WiFi Protected Setup (WPS) was introduced by the Wi-Fi Alliance in 2006 to solve a real usability problem. Connecting a device to a secured WiFi network required typing a long, complex WPA password. For non-technical users, this was frustrating. For devices without keyboards (printers, cameras), it was nearly impossible.
WPS offered simplified alternatives. A PIN method: enter an 8-digit number printed on the router instead of the full password. A push-button method: press a physical button on the router and a button on the device within two minutes, and they connect automatically. Both methods bypass the need to type the full WPA passphrase.
The convenience came at a cost. The PIN method contained a fundamental design flaw that made it vulnerable to brute-force attacks. This flaw was publicly disclosed in 2011 by researcher Stefan Viehbock, and it cannot be fixed through firmware updates because the flaw lies in the protocol design itself.
The PIN Vulnerability
The WPS PIN is 8 digits long. A naive brute-force attack would need to try 10^8 (100 million) combinations. At typical WPS authentication speeds, this would take years. The flaw is in how the PIN is validated.
The WPS protocol splits the PIN into two halves. The first four digits are validated in one step. The remaining three digits are validated in a separate step; the eighth digit is a checksum computed from the other seven, so it never has to be guessed. The router tells the attacker whether the first half is correct before checking the second half.
This means the attacker only needs to brute-force 10^4 (10,000) combinations for the first half, then 10^3 (1,000) combinations for the second half. The total number of attempts drops from 100 million to approximately 11,000. At one attempt per second, that takes about three hours.
graph TD
subgraph "WPS PIN Structure"
A[8-digit PIN: 12345670] --> B[First half: 1234]
A --> C[Second half: 567]
A --> D[Checksum: 0]
end
subgraph "Brute Force Comparison"
E[Full 8 digits: 10^8 = 100,000,000 attempts] --> F[Years to crack]
G[Split validation: 10^4 + 10^3 = 11,000 attempts] --> H[Hours to crack]
end
subgraph "Attack Flow"
I[Try first 4 digits] --> J{First half correct?}
J -->|No - router reveals failure| K[Try next combination]
J -->|Yes| L[Try last 3 digits]
L --> M{Second half correct?}
M -->|No| N[Try next combination]
M -->|Yes| O[PIN recovered - WPA password revealed]
end
WPS PIN split validation reduces brute force from 100 million to 11,000 attempts - a fundamental protocol design flaw
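To make the arithmetic above concrete, here is an added example (not from the original page) that implements the checksum rule from the WPS specification and counts candidate PINs under whole-PIN and split validation; 12345670 is the PIN from the diagram, and the one-attempt-per-second rate is the page's assumption.

```python
"""WPS PIN layout and the split-validation search space.
Added example, not part of the original page: the checksum rule is the one
in the WPS specification (weighted digit sum mod 10); the rates are assumptions."""


def wps_checksum(first7: str) -> int:
    """Eighth digit of a WPS PIN: odd positions weighted 3, even positions 1, mod 10."""
    d = [int(c) for c in first7]
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """A well-formed PIN is 8 digits whose last digit matches the checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])


def split_pin(pin: str):
    """The two halves the protocol validates separately, plus the checksum digit."""
    return pin[:4], pin[4:7], pin[7]


def valid_second_halves(first4: str) -> int:
    """Enumerate every 4-digit tail for a fixed first half and keep only those
    whose last digit is the correct checksum: one per 3-digit prefix, so 1000."""
    return sum(1 for n in range(10_000) if is_valid_pin(first4 + f"{n:04d}"))


def candidates_whole_pin(checksum_aware: bool = False) -> int:
    """Naive guessing of the whole PIN: 10^8; knowing the checksum rule: 10^7."""
    return 10 ** 7 if checksum_aware else 10 ** 8


def candidates_split(first4: str = "1234") -> int:
    """Split validation: 10^4 for the first half, then the valid tails (10^3)."""
    return 10 ** 4 + valid_second_halves(first4)


def worst_case_hours(candidates: int, attempts_per_second: float = 1.0) -> float:
    """Time to exhaust the candidate set at an assumed attempt rate."""
    return candidates / attempts_per_second / 3600
```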
Once the PIN is recovered, the attacker retrieves the WPA passphrase from the router. The attack is not theoretical. Tools like Reaver and Bully automate the entire process. Point the tool at a WPS-enabled network, wait a few hours, and receive the WPA password.
Some routers implemented rate limiting after the vulnerability was disclosed, locking out PIN attempts after several failures. This slows the attack but does not prevent it. The attacker waits for the lockout to expire and resumes. With rate limiting, the attack takes days instead of hours, but the outcome is the same.
The Pixie Dust Attack
In 2014, researcher Dominique Bongard disclosed an even more devastating attack against WPS. The Pixie Dust attack exploits weak random number generation (RNG) in the WPS implementation of many popular router chipsets.
During the WPS exchange, both the router and the client generate random nonces (one-time numbers). These nonces are used in the cryptographic calculations that protect the PIN. If the nonces are predictable - because the RNG is weak - the attacker can derive the PIN mathematically from a single captured WPS exchange, without any brute forcing.
The Pixie Dust attack works in seconds. One WPS exchange, a few seconds of computation, and the PIN (and therefore the WPA password) is recovered. No rate limiting helps because only one exchange is needed.
Chipsets from Ralink, MediaTek, Realtek, and Broadcom were all found to be vulnerable to varying degrees. Since these chipsets are in the majority of consumer routers, the Pixie Dust attack affects a large portion of deployed hardware.
The tool pixiewps, integrated into Reaver and available as a standalone tool, automates the attack. A single command can test whether a router is vulnerable and extract the WPA password if it is.
WPS Push Button - Better but Still Risky
WPS Push Button Connect (PBC) is less vulnerable than the PIN method. It requires physical access to the router (or at least proximity to press the button), and the enrollment window is limited to about two minutes after the button press.
The risks are still real but different. During the two-minute enrollment window, any device can connect - not just the intended one. An attacker within range who is monitoring for WPS PBC activations can attempt to connect during the window. In a busy environment (apartment building, shared office), the chance of an unintended device connecting is non-trivial.
More fundamentally, WPS PBC is an unnecessary attack surface. The enrollment window opens a brief but real vulnerability every time you press the button. If your devices can connect by typing the WPA password, WPS PBC buys convenience at the cost of added attack surface.
How to Disable WPS on Common Routers
The process varies by router brand, but the general approach is the same: log into the router's admin panel, find the WPS settings, and disable it.
TP-Link. Log into the admin panel (typically 192.168.0.1 or tplinkwifi.net). Navigate to Advanced, then WiFi, then WPS. Toggle WPS off. On some models, this is under Wireless Settings directly.
Netgear. Access the admin panel (typically routerlogin.net or 192.168.1.1). Go to Advanced Setup, then Wireless Settings. Find the WPS section and uncheck "Enable Router's PIN." On newer firmware, look under WiFi Settings for a WPS toggle.
Asus. Log into the admin panel (typically router.asus.com or 192.168.1.1). Navigate to Wireless, then WPS tab. Set "Enable WPS" to OFF.
Linksys. Access the admin panel (typically 192.168.1.1). Go to WiFi Settings. Find WPS and set it to Disabled. Some Linksys models have WPS under a separate "WiFi Protected Setup" menu item.
graph TD
subgraph "Disable WPS - General Steps"
A[Open browser] --> B[Navigate to router admin panel]
B --> C[Log in with admin credentials]
C --> D[Find Wireless or WiFi settings]
D --> E[Locate WPS section]
E --> F[Toggle WPS to OFF or Disabled]
F --> G[Save and apply settings]
end
subgraph "Verification"
G --> H[Scan network with BLEShark Nano]
H --> I{WPS still showing?}
I -->|Yes| J[Router may not fully disable WPS]
I -->|No| K[WPS successfully disabled]
J --> L[Consider firmware update or router replacement]
end
Steps to disable WPS and verify the change - some routers require verification because the toggle does not always work
After disabling WPS, save the settings and reboot the router. Some routers require a reboot for the change to take effect.
The Verification Problem
Here is the frustrating part: some routers do not actually disable WPS when the admin panel toggle says they do. Research and real-world testing have found routers that continue responding to WPS PIN requests even after WPS is "disabled" in the configuration interface.
This problem is more common in older routers and cheaper hardware. The firmware toggles the WPS indicator in the admin panel but does not actually stop the WPS service. The router continues listening for WPS requests and responding to them.
The only reliable way to verify that WPS is truly disabled is to test from the outside. Use a WiFi scanning tool that shows WPS status for detected networks. If your network still shows WPS as enabled after you disabled it in the admin panel, the router's firmware is not properly implementing the toggle.
In this situation, you have two options. First, check for a firmware update - some manufacturers fixed this behavior in newer firmware versions. Second, if no update is available, consider replacing the router with one from a manufacturer that properly implements WPS disable.
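For readers who verify from a Linux laptop instead of a dedicated scanner, here is an added example (not from the original page) that parses the text output of `iw dev <iface> scan` and reports which BSSIDs of a given SSID still advertise the WPS element; the scan text is constructed in iw's layout, and it deliberately models a dual-band router that dropped WPS on one band but not the other, which a per-BSS check catches.

```python
"""External WPS check from `iw dev <iface> scan` text output on Linux. Added
example, not the page's code; SAMPLE_SCAN is constructed in iw's layout."""
import re

# Constructed sample: HomeNet is dual-band. Its first BSS carries no WPS
# element, but the second still advertises WPS after the admin-panel "disable".
SAMPLE_SCAN = """\
BSS aa:bb:cc:dd:ee:01(on wlan0)
\tSSID: HomeNet
BSS aa:bb:cc:dd:ee:02(on wlan0)
\tSSID: HomeNet
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * AP setup locked: 0x01
BSS 11:22:33:44:55:66(on wlan0)
\tSSID: Neighbor
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
"""
BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_scan(text):
    """One dict per BSS: ssid, WPS element present, WPS state, PIN-setup lockout."""
    records, cur = [], None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "",
                   "wps": False, "state": None, "locked": False}
            records.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[5:].strip()
        elif s.startswith("WPS:"):
            cur["wps"] = True  # the element itself is what scanners key on
        elif "Wi-Fi Protected Setup State:" in s:
            cur["state"] = int(s.split(":")[1].split()[0])
        elif s.startswith("* AP setup locked:"):
            cur["locked"] = int(s.split(":")[1], 16) != 0  # lockout after failures
    return records


def wps_bssids(text, ssid):
    """BSSIDs of `ssid` still advertising WPS; an empty list means off on every band."""
    seen = [r for r in parse_scan(text) if r["ssid"] == ssid]
    if not seen:
        raise ValueError(f"{ssid!r} not in scan results; rescan closer to the router")
    return [r["bssid"] for r in seen if r["wps"]]
```

Run the scan as root (`iw dev wlan0 scan > scan.txt`) and pass the file contents to `wps_bssids` with your SSID; anything other than an empty list means the router is still answering WPS on that BSSID.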
Checking with the BLEShark Nano
The BLEShark Nano's WiFi scanner shows WPS status for detected networks. After disabling WPS in your router's admin panel, scan your network with the Nano and check whether WPS still appears as enabled.
This external verification is the only way to be confident that WPS is actually off. The router's admin panel shows what the configuration says. The WiFi scan shows what the router is actually doing. When those two disagree, trust the scan.
The check takes seconds. Scan, find your network in the results, check the WPS field. If WPS shows as disabled, you are done. If it shows as enabled despite your configuration change, you know you have a problem that needs further action.
For security professionals conducting assessments, WPS status is one of the first things to check on any WiFi network. A network running WPA2 with a 20-character passphrase is well-secured - unless WPS is enabled, in which case the passphrase can be recovered in hours regardless of its complexity.
A Brief History of WPS Vulnerabilities
The timeline of WPS vulnerabilities illustrates why the feature should be disabled entirely rather than patched.
2006: WPS standard introduced by the Wi-Fi Alliance. PIN and PBC methods defined.
2011: Stefan Viehbock publishes the split-PIN brute force vulnerability. The design flaw is in the protocol itself and cannot be fixed without changing the standard. Reaver tool released, making the attack accessible to anyone.
2012: Router manufacturers begin adding rate limiting to slow the brute force. This extends the attack from hours to days but does not prevent it.
2014: Dominique Bongard demonstrates the Pixie Dust attack. Routers with weak RNG can have their WPS PIN extracted from a single exchange. Rate limiting is irrelevant because only one exchange is needed.
2015-present: Despite the known vulnerabilities, WPS remains enabled by default on the majority of consumer routers sold worldwide. Most non-technical users never disable it because they do not know it exists.
WPS was designed to simplify WiFi setup. It succeeded at that goal. It also introduced a vulnerability that undermines the security of every WPA network where it is enabled. The fix is straightforward: disable it. The challenge is that millions of routers have it enabled right now, and most of their owners have never opened the admin panel.