WPS is a feature on WiFi routers that was created so devices like keyboard-less devices (printers) could connect to a WiFi network. You push a button on the router and then another on the device and you’re set! Too good to be true? Yup. The problem is that the design is trash. There are only 11,000 possible passwords in total meaning a generic computer could brute force (read: guess) it in a few hours. Worse than that fact is that the WPS key even overrides the normal WiFi password! You could have the strongest password in the world and the attacked wouldn’t ever need it since they could brute force the WPS key.
High-level solution & Recommendation
- Disable WPS on your router. Easy! Problem solved. See you next time 😉
- If you absolutely need WPS for some reason, then you should ensure your router is updated with the latest firmware. Since the vulnerability was discovered, some vendors have included things like rate limiting or even lock the router after a certain number of incorrect WPS password attempts. There is a Google Sheet below that lists lots of routers, their level of vulnerability, and mitigation they might have implemented. It’s also worth reading the manual of a router before you buy it to see if any defenses are built in against WPS brute forcing.