Analysis of WPS vulnerabilities in Wi-Fi networks and protection methods

Wireless network security remains one of the most discussed issues in the IT infrastructure sector. WPS technology (Wi-Fi Protected Setup), designed to simplify device connections, has in practice become one of the most vulnerable entry points for attackers. Understanding how it works is critical not for attack, but for building a robust defense for a home or corporate network.

Many users are unaware that their router may be open to outside interference due to one feature. Stefan Viehböck Back in 2011, a fundamental vulnerability in the protocol's design was demonstrated, which remains relevant today. We'll break down the technical details so you can secure your data.

In this article, we won't teach you how to hack other people's networks, as that's illegal. Our goal is to show you how it works. security audit and why old authentication methods are no longer considered reliable. Understanding these principles will help you configure your equipment correctly.

The operating principle of WPS technology and its purpose

Initially Wi-Fi Protected Setup was created as a solution for ordinary users who do not want to deal with complex passwords. Wi-Fi Alliance introduced a standard that allows devices to connect by pressing a button or entering a short PIN. This was intended to replace the long and complex character input required for WPA2 keys.

The mechanism is based on the exchange of special data packets between the client and the access point. When you activate the function, the router generates a request, and the client device responds with an acknowledgement. Exchange protocol assumes that physical access to the button or knowledge of the PIN code is sufficient proof of trust.

⚠️ Caution: The physical WPS button on the router is only secure when pressed briefly. Leaving the function in software mode (PIN code) creates a permanent breach in network perimeter security.

There are several implementation methods, including Push Button Configuration (PBC) and the PIN code method. It is the latter method that has caused widespread security issues. The code verification algorithm has structural flaws that significantly reduce the time it takes to guess the combination.

📊 Do you use the WPS button to connect guests?
Yes, all the time.
Only sometimes
Never, I'm afraid for my safety.
I don't know what this is

Architectural vulnerabilities of the security protocol

The main problem lies in how it is processed 8-digit PIN codeAlthough there are theoretically 100 million possible combinations, the protocol architecture divides the code into two parts for verification. The first part consists of four digits, the second of three digits, and the last eighth digit serves as a checksum.

This division allows each part to be attacked independently. Brute-force attack In this case, it becomes a trivial task. Instead of trying 10 to the 8th power of combinations, an attacker only needs to try 10 to the 4th and 10 to the 3th power of combinations, respectively. The total number of attempts is reduced to less than 12,000.

Moreover, many routers do not have protection against multiple unsuccessful login attempts. Attempt limits are often absent or easily bypassed by resetting the connection state. This makes automated code selection possible in a few hours, even on a regular laptop.

Why doesn't the checksum help?

The last digit of the PIN code is calculated algorithmically based on the first seven. This means that knowing the first seven digits, the eighth can be calculated instantly, further narrowing the field for brute-force attacks and offering no real protection.

The table below compares the theoretical and actual complexity of code selection for different scenarios:

Parameter Complete enumeration Taking into account the vulnerability of WPS Selection time (approximately)
Number of digits 8 4 + 3 -
Combination options 100 000 000 11 000 -
Complexity High Critically low 4-10 hours
Blocking protection Often there is Rarely effective Depends on the model

Wireless Network Audit Toolkit

To conduct legal testing of their own networks, information security specialists use a specialized set of tools. These most commonly involve Linux distributions, such as Kali Linux or Parrot OSThey contain pre-installed software for traffic analysis.

The key component is the wireless adapter. Standard integrated laptop cards often don't support the required operating modes. You'll need an external USB module with a chipset from Atheros or Ralink, which supports monitoring mode and packet injection.

  • 📡 Aircrack-ng — a basic set of utilities for assessing the security of WiFi networks, including monitoring and attack.
  • 🔓 Reaver — a tool designed specifically for brute-force attacks on WPS.
  • 🛡️ Wifite — an automated tool that combines the functionality of other utilities for quick scanning.
  • 💻 Wireshark — a traffic analyzer that allows you to study in detail the data packets passing through the interface.

It is important to understand that using these tools on networks you do not own is illegal. Ethical hacking requires written permission from the owner of the infrastructure before starting any work.

☑️ Preparing for a network audit

Completed: 0 / 4

Technical implementation of an attack on WPS

The testing process begins by putting the network card into monitor mode. This allows the interface to "hear" all packets in the air, not just those addressed to your device. The interface command typically looks like this: ip link set wlan0 down followed by iw dev wlan0 set monitor none.

After capturing the target access point, the tool Reaver begins sending association requests to a specific PIN code. The protocol responds with a message indicating whether the first half of the code was guessed correctly or the second. Feedback from the router allows the algorithm to filter out incorrect options and move on.

Some modern routers attempt to counter this by introducing delays after several unsuccessful attempts or blocking the attacker's MAC address. However, these measures are often insufficient. Bypass algorithm may reset the connection before being blocked, starting the process again from a new IP.

reaver -i wlan0mon -b 00:11:22:33:44:55 -vv

This command starts the selection process for a specific BSSID. Parameter -vv Provides detailed information output to the console, helping the operator monitor the progress and status of the connection to the target access point in real time.

⚠️ Warning: During active PIN brute-force testing, the target router may reboot or temporarily stop responding to client requests. This can cause a Denial of Service (DoS) condition, so testing should be performed in an isolated environment.

Methods for protecting and disabling vulnerable functions

The only reliable way to protect against WPS attacks is to completely disable this feature in your router settings. Even if you don't use the button, the software component often remains active by default. Go to the control panel, usually accessible at 192.168.0.1 or 192.168.1.1.

Find the section related to wireless security or WPS settings. There should be an option there. Enable WPS. Set the value to Disable or OffAfter saving the settings, the router will reboot and the vulnerable port will be closed.

  • 🔒 Use a strong password WPA2/WPA3 at least 12 characters long, containing letters and numbers.
  • 📡 Disable the WPS function in the router's admin panel, even if you don't use it.
  • 🔄 Regularly update your router firmware to the latest version from the manufacturer.
  • 🚫 Stop using a PIN code to connect guests; instead, create a guest network.

If your router is too old and does not allow you to disable WPS through software, consider replacing it. Obsolete equipment Not only is it slow, but it also poses a serious security risk to all connected devices.

Comparison of encryption and security standards

Network security depends not only on the absence of holes in WPS, but also on the encryption protocol used. WEP is considered completely hacked and should not be used for more than 10 years. WPA2 is the current standard, but it also has vulnerabilities, such as the KRACK attack.

The latest standard WPA3 It addresses many of the shortcomings of previous versions, implementing real-time protection against password attacks and improved encryption on open networks. However, it requires support from both the router and client devices.

The table below provides a comparison of the main characteristics of various safety standards:

Characteristic WEP WPA2 WPA3
Year of implementation 1999 2004 2018
Encryption type RC4 AES-CCMP GCMP-256