Your home network might be at risk—right this minute. At least, if you have a router with the Wi-Fi Protected Setup (WPS) logo and button on it, it's a security issue waiting to happen. This feature was designed nearly two decades ago to make pairing routers with Wi-Fi devices like printers easy. Still, design flaws make it an open invitation to hackers or anyone else who might want to get onto your home network.

It was thought up to replace passwords for pairing, because we're bad at making secure passwords, and typing them into devices like printers is a chore. A good idea, in theory, but the designers traded security for convenience, and then made it have no security checks or protections against brute force attacks. So, of course, it got hacked, tools were made to circumvent the protection within a matter of minutes, and the networking industry moved on to other ways of securing Wi-Fi.

4 It's not safe to use

Anything that trades security for convenience has no place in your home network

Some security devices are both secure and convenient, like Face ID, password managers, and passkeys. Wi-Fi Protected Setup (WPS) is one of these things, and it's not secure, even though the name would have you think otherwise. It's on a level with using Bluetooth on your phone to automatically unlock your front door when you get home, except even that is more secure because an attacker would need your physical device to get in.

WPS doesn't need physical access to your router to be attacked (although that's another option for an attacker). Any router with WPS enabled also has a virtual push button that shows up in Windows when you try to connect to the Wi-Fi network. Pressing either button starts the PIN code entry process, and as it's only eight numbers, it can be brute forced in a very short period of time.

3 It's easily cracked

It's vulnerable to brute force attacks and tools are readily available to do so

In 2011, two security researchers independently discovered that the PIN code used by WPS can be brute-forced in a very short time. While Wi-Fi passwords can be 20 characters or longer, the PIN code is only eight digits and all numbers. One of those digits is a checksum for the PIN, so it's really seven numbers. But due to how WPS works, that gets split into two halves: a four-digit number and a three-digit one.

To make things worse, the router sends an EAP-NACK message back to the client on every try, which tells the attacker whether the first four digits are correct. Once those are known, the other three numbers are quick to brute-force, and the total number of tries for a guaranteed success is only 11,000. That was easily handled in less than an hour at the time, and WPS doesn't even have any rate limiting that would stop a brute-force attack like this.

Also, both security researchers released tools that perform brute force for you, so all an attacker has to do is press a button and wait. Success is guaranteed, which is why you should turn WPS off right now. Seriously. Now.

2 Anyone with physical access can use it

You have no expectation of security at all

When you have a router with WPS enabled, you have no expectation of physical security on your home network if someone is in your home. That could be a friend, a family member, or someone pretending to be maintenance for your apartment complex or HOA, but the cold, hard fact is that if they can get to your router, they can get on your Wi-Fi network, and that means any of your network traffic or network devices are at risk.

It takes seconds to press the WPS button and connect any WPS-supported device to the network. Even if they don't have time to do that, the PIN code to connect to the router is printed on a label stuck to it, so they can easily get the details they need and come back later to connect from outside.

1 It doesn't work on many devices

Apple never really supported WPS and Android dropped support a number of years ago

The number of devices that support WPS pairing is dwindling, and it never really had that wide support to begin with. Using it on things like networked printers with very simple interfaces where inputting a long Wi-Fi password is complicated made a degree of sense, but for phones, computers, and other devices with easy input methods, it wasn't ideal.

Apple never really supported WPS, not with either the push-button or the PIN code methods, but not for the reasons you might think. Yes, it's insecure, but according to Phil Kearney (father of the AirPort Extreme, AirPort Express, and Time Capsule), Apple's reasoning was that the user experience wasn't up to its standards. He designed a different way of doing WPS that would alert the system admin about a device trying to connect, and let them allow or deny the connection. Far more streamlined, and it gives the user agency and visibility into what's going on.

Google finally removed WPS support from Android in 2019, replacing it with Wi-Fi Easy Connect. Windows 11 doesn't support the PIN method, but will use the push-button method if it detects whether WPS is available on a network. But, since Windows also tells an attacker that WPS is available, your network is effectively saying the front door is open.

WPS hasn't been safe to use since 2011, so if your router supports it it's time to disable it or upgrade

Make no mistake about it—WPS is inherently insecure and has been since its inception. The designers heavily favored laziness and convenience instead of security, making Wi-Fi that anyone could access with a little bit of time. While many networking security flaws can be patched out, the only way to patch WPS to make it safe is by removing it from your router completely. If you have a router with the WPS button, go into the admin pages and disable the feature. Better yet, go buy a new, better router that doesn't have WPS on the specifications sheet, because it's the only way to be completely sure it isn't enabled.