How WPS Attacks Work – And How to Protect Your Network

WPS attacks include any attacks in which a hacker exploits known vulnerabilities in WPS to gain access to a network. The most common method uses brute force to crack the PIN associated with the access point, allowing the attacker into the network. Since WPS PINs are fairly simple, the right approach can crack them in hours or even minutes.

WPS, or Wi-Fi Protected Setup, was designed as a convenient way for users to connect to a wireless network without the need to type in lengthy passphrases. The goal was to promote security while keeping the process simple. However, this simplicity also comes with serious vulnerabilities.

In this article we’ll discuss WPS vulnerabilities, how WPS attacks work, and what you can do to protect your network.

WPS Vulnerabilities

Most WPS vulnerabilities are inherent to the technology’s design. While that design offers users a significant amount of simplicity, allowing them to connect to the network in seconds, it’s often highly exploitable.

Generally, connecting to a network using WPS requires little more than pressing a button or entering a PIN. As a result, it’s less secure than alternatives that require strong passcodes. Plus, some devices may include near-field communication (NFC) or similar technologies that streamline the experience at a further cost to overall security.

Types of WPS Attacks

There are two common types of WPS attacks: brute force and pixie dust attacks. Each one aims at guessing the PIN, as this number is often permanently associated with the device and doesn’t require interacting with any hardware.

Brute Force Attacks

Generally speaking, the most common type of WPS attack is the brute force approach. WPS PINs are only eight digits, and they’re far less secure than more traditional passcodes. As a result, hackers may attempt to crack the PIN using a range of automated technologies.

While it may seem like eight digits would offer reasonable security, they aren’t all randomly assigned. One digit is essentially a checksum for the other seven, so it doesn’t provide the same inherent security as a random eighth digit. Additionally, when a PIN is checked, the protocol initially only checks the first four digits, proceeding to the following three only if those are correct.

As a result, an attacker would need, at most, 11,000 guesses to crack the PIN. If the attacker could check one PIN per second, the entire process could complete in about three hours, assuming all 11,000 guesses were actually needed and there weren’t any lockout mechanisms in place to limit repeated attempts.

Pixie Dust Attacks

While a traditional brute force attack effectively occurs online, a pixie dust attack is an offline alternative. It can allow someone to discover a PIN in as little as a few minutes. Within WPS, two hashes are created that show the access point that a client knows a PIN, and they’re potentially obtainable by an attacker. Often, within those two hashes is the full PIN.

The hashes contain more than just pieces of the PIN, but some manufacturers fill in those other values in ways that are easy to predict. Ultimately, the hacker can begin deducing the PIN with a surprising amount of ease and then just try it to see if it’s legitimately a match.

How to Protect Against WPS Attacks

Disable WPS

Generally, the best way to protect against WPS attacks is to disable WPS entirely. This approach to establishing a connection is optional on many, but not all, devices. Device owners or administrators can transition to a more secure alternative, such as requiring traditional passcodes that are far more complex than a PIN.

Accessing the WPS function is reasonably straightforward. Typically, it’s listed in the configuration options, though it may also be under the “advanced” settings area, depending on the device. Once the feature is located, it might be possible to simply toggle it off. However, some access points may require other actions to disable the feature, such as reboots or confirmation steps.

Improve Security Without Disabling WPS

If disabling WPS isn’t an option, then securing the device itself is a must. If passersby can’t reach the access point to push the button or see the PIN, then it reduces the odds of those unauthorized individuals accessing the device.

Similarly, removing any labels with the PIN can prevent some unauthorized connections. Then, the PIN can be stored in a secure location away from the device.

If there are NFC connectivity options, disabling those can close up one potential attack vector even if WPS is still enabled. Essentially, it eliminates one avenue, which is better than nothing.

Additionally, make sure to enable any security features that lock out devices after failed tries. If you can limit attackers to three to five attempts at a time, requiring a cooling-off period in between, it will slow their progress. However, unless it defaults to blacklisting a device after a specific number of PIN failures, a persistent attacker will eventually get through.
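The arithmetic behind the 11,000-guess figure from the brute force section, and the effect of the lockout settings described above, worked through as an added example that is not part of the original article. The 60-second cooling-off period is an assumed value for illustration; the checksum routine follows the publicly documented WPS PIN checksum.

```python
import math

def wps_checksum(first7: int) -> int:
    """Eighth PIN digit, derived from the first seven (weights 3,1,3,1,3,1,3)."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(f"{first7:07d}"))
    return (10 - total % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit string carries the correct checksum digit."""
    return (len(pin) == 8 and pin.isascii() and pin.isdigit()
            and wps_checksum(int(pin[:7])) == int(pin[7]))

def worst_case_guesses() -> dict:
    """Guess counts for three designs; the last is the one the article describes."""
    return {
        "8 independent digits": 10**8,
        "7 digits + checksum, checked whole": 10**7,
        "first 4 checked, then next 3": 10**4 + 10**3,
    }

def hours_to_exhaust(guesses, secs_per_guess=1.0,
                     tries_per_window=None, cooldown_secs=0.0):
    """Worst-case hours to try `guesses` PINs under a temporary lockout.

    tries_per_window=None models an access point with no lockout at all.
    """
    if tries_per_window is None:
        pauses = 0
    else:
        pauses = math.ceil(guesses / tries_per_window) - 1
    return (guesses * secs_per_guess + pauses * cooldown_secs) / 3600

if __name__ == "__main__":
    for design, count in worst_case_guesses().items():
        print(f"{design:38s} {count:>11,d} guesses")
    split = worst_case_guesses()["first 4 checked, then next 3"]
    print(f"no lockout, 1 guess/s: {hours_to_exhaust(split):.1f} h")
    # Assumed policy: 3 tries, then a 60-second cooling-off period.
    slowed = hours_to_exhaust(split, tries_per_window=3, cooldown_secs=60)
    print(f"3 tries then 60 s pause: {slowed:.1f} h")
    print("label PIN 12345670 passes checksum:", is_valid_pin("12345670"))
```

Under the assumed policy the worst case grows from about three hours to a few days, which is a delay rather than a barrier, consistent with the article's point about temporary lockouts.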

It’s also crucial to update the firmware on a WPS-enabled device whenever patches are available. Many of those updates address known security vulnerabilities, and some can monitor traffic to identify potential brute force attacks, either blocking the device or alerting appropriate network personnel.

Regularly checking the list of connected devices may also be a practical option. While this approach is inherently reactive, it could create opportunities to block unauthorized devices, booting them off of the network.

However, none of those strategies are guaranteed to fully protect a WPS device from an attack. Often, PINs aren’t changeable, and even if they were, it wouldn’t eliminate all of the risks associated with a brute force attack. As a result, it’s typically best to choose devices that allow WPS to be disabled, ensuring your network isn’t at risk.

About the Author

Catherine Reed

Catherine Reed is a writer and researcher with experience writing about a wide variety of topics including personal finance, technology, and staffing.