Wi-Fi Protected Setup (WPS) is a legacy feature on routers that was developed two decades ago to make it easier to connect devices to the Wi-Fi network. It worked by bypassing the need to enter the Wi-Fi password on, say, your printer manually. Instead, an 8-digit PIN was used for authentication, supplying the Wi-Fi password to the device. While the concept made sense on the surface, the implementation was far from airtight, and the feature was quickly exploited by threat actors, brute-forcing their way into networks within minutes. The industry moved on to better mechanisms like Wi-Fi Easy Connect, but WPS still ships on modern routers to this day. Despite many of your current devices not supporting WPS, it can be used to hack into your home network if it's enabled on your router. It goes without saying that disabling WPS should be one of the first things you should do on a new router.
Your 5-year-old router isn't just slow — it's an unpatched security loophole
Don't risk everything with an outdated router
WPS was always meant for convenience, not security
No wonder it was abandoned years ago
Any feature that exchanges security for convenience should not exist in your home network. WPS falls squarely in this category, despite still being a part of your router. The fact that it's a part of your network should not automatically remove it from suspicion. WPS uses an 8-character PIN that you can enter in your device or the router's settings to authenticate the connection. This is a convenient way to connect your printer or smart device to the router since you don't have to type in a long password. The problem is that the PIN used by WPS is broken into two parts, so it's not really a single 8-character PIN, but rather a 4-digit and 3-digit number (one of the digits is a checksum for the PIN). This makes it far easier for attackers to "guess" the PIN.
The PIN is made up entirely of numbers, further degrading the brute-forcing difficulty. And it doesn't end there. The router sends an EAP-NACK message to the client on every try, making it clear whether the attempt to guess the first four digits is correct. This leaves only the last three digits, which the attacker can brute-force separately. An 8-digit number has 100 million possible combinations, but a 4-digit and 3-digit number, separately, only needs 11,000 tries, which was shown to take less than an hour in a 2011 study. WPS doesn't have a mechanism to limit the number of tries, which could stop a brute-force attack. Android removed support for WPS back in 2019, and Apple never officially supported it to begin with.
6 overlooked router settings that can improve your network security
You can make your home network much more secure with a few changes.
Even modern routers can have it enabled by default
No one is safe
You might think that a technology proven flawed in 2011 probably won't exist on modern networking equipment. While the WPA3 encryption standard removed support for WPS, many modern routers still allow a WPA2/WPA3 Mixed Mode. Your older devices with no WPA3 support need it to connect to the router using the older WPA2 standard. This means that WPS might still be enabled by default if your router is using WPA2 to connect to certain devices. Smart home devices have also done their part in keeping WPS alive. Since many of them still recommend users to connect via this route, people consider WPS to be an approved and reliable method. To be clear, your devices themselves don't need to support WPS for the exploit to be valid; attackers simply need WPS to be enabled in the router settings to do their job.
If your router has a physical WPS button, you don't even need a PIN to connect to it. Pressing the button gives you a short window within which your device can discover the router and make the connection. Even the PIN is usually printed on the router, so someone physically close to your router can note it down and come back later to hack the router from the outside. Both the button and PIN methods are highly insecure, so you should head into your router's settings and disable WPS right now. It's recommended to find your router's manual online for the instructions on how to do it.
Your router is about to stop getting security updates, and most people won't notice
If this sounds like you it's time to think about an upgrade
Disabling WPS is Wi-Fi security 101
Along with a few other things
Most people never touch their router's settings, and hence might not be aware that WPS is still enabled on their router. It's one of the first things that you should disable in your router's settings. Of course, if you haven't changed the router's default user ID and password yet, change that as soon as possible, along with your Wi-Fi's SSID and password. The default values are easy to guess and can grant access to anyone. While you're disabling WPS, you should also get rid of UPnP and WAN administration (remote access). UPnP allows any device to open network ports, bypassing the firewall and opening a backdoor that malware can exploit, granting hackers remote access. Remote management allows you to access the router's admin page from outside the home network, which isn't very helpful, but leaves the door open for hackers.
5 security settings I immediately change on my router (and you should too)
Seriously, do these things before you start using your internet.
You are unknowingly keeping your network exposed to security attacks
WPS should have long been dead by now, but it continues to exist on modern routers and devices with older security standards. It's a convenience feature that did not take into account the potential exploits that it gave rise to. Although modern routers supporting WPA3 don't need to worry about WPS, many of them support WPA2 in a transitional mode to allow older devices to connect. This means your router could still have WPS enabled, leaving your Wi-Fi unprotected.