WPS, or Wi-Fi Protected Setup, is a protocol designed specifically for home Wi-Fi networks. Thanks to WPS, we can connect to a Wi-Fi network without entering the complex WPA or WPA2 password configured in our router. However, having WPS enabled puts the security of the wireless network at risk, which is why its use is not recommended. Today in RedesZone, we will show you in detail how WPS or Wi-Fi Protected Setup works.
What is WPS, and how does it work?
The vast majority of home devices connected to the Internet and the local network do so via Wi-Fi. Smartphones, tablets, smart speakers, lighting, laptops, desktop computers, home automation devices, IP cloud cameras with Wi-Fi, and many others connect to our router over Wi-Fi. All these connections can be made the traditional way, by entering the complex WPA/WPA2 password (still the most secure option today), or by using WPS (Wi-Fi Protected Setup).
To clarify the concept: WPS is an authentication method created to make it easier to join secured networks. It was introduced in 2007 with the arrival of the Wi-Fi 4 (802.11n) standard. However, the Wi-Fi Alliance has since retired this method because it is considered insecure.
However, there will be a transition period in which manufacturers of routers and home access points continue to include it for compatibility with older equipment, since that equipment may not support WPA3. It is a standard invented 12 years ago, and currently all equipment from Wi-Fi 4 onwards incorporates it. Even the operators' routers include this feature so that users can connect quickly and easily.
Through WPS, any user can connect to a wireless network without knowing its password. WPS allows two connection methods: pressing the WPS button on the router itself, or entering an eight-digit PIN code.
If we choose the WPS button option, we press the WPS button on our router for a couple of seconds and then search for the network from the device we want to connect. The device will find the network and connect automatically, without having to enter a PIN code. Naturally, after pressing the WPS button, we have between one and two minutes to connect without entering any credentials.
After that window, this open access is closed for security. Today most manufacturers have opted for the button method to connect devices to the wireless network, since it is more secure than the PIN entry method.
[Image: NETGEAR Nighthawk AX8 RAX80 router, showing the Wi-Fi and WPS buttons]
Regarding the PIN code input method: at any time, without physically pressing the WPS button, we can connect to the Wi-Fi network by entering the WPS PIN code configured in our router. This lets us remember an eight-digit PIN code instead of the complex WPA/WPA2 password of our wireless router.
This PIN-based WPS method has changed since it first appeared. We have to bear in mind that, to crack the eight digits of the WPS PIN, we do not need to try 100,000,000 combinations (the number of 8-digit strings over the digits 0-9). The number of possibilities is much smaller, because internally this 8-digit PIN is divided into two sub-PINs of 4 digits each.
According to the standard, the last digit of the second sub-PIN is a checksum, and the protocol confirms each sub-PIN separately rather than only validating the whole PIN. Because of this architecture, the number of combinations that must be tested to crack a WPS PIN drops from 100,000,000 to only 11,000.
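As an added example (this is not code from the RedesZone article), the following Python computes the checksum digit that the WPS specification places in the eighth position of the PIN and shows where the 11,000 figure comes from when the two halves are confirmed independently. The function names are my own; the checksum weighting is the one defined in the published WPS specification, and the PIN 12345670 used below is the example value from hostapd's configuration documentation.

```python
# Added example, not from the original article. Function names are the
# author's own; the checksum weighting is the one defined by the WPS spec.


def wps_pin_checksum(first_seven: int) -> int:
    """Return the checksum digit for the first seven digits of a WPS PIN.

    Working from the rightmost of the seven digits, every other digit is
    weighted 3 and the rest 1; the checksum brings the total up to a
    multiple of 10 (the same idea as a Luhn-style check digit).
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("pass the first seven digits as an integer 0..9999999")
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)   # weight 3 on digits 7, 5, 3, 1
        first_seven //= 10
        accum += first_seven % 10         # weight 1 on digits 6, 4, 2
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is eight decimal digits whose last digit is a correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def search_space() -> dict:
    """Compare the naive keyspace with the one the protocol actually exposes.

    Because the two 4-digit halves are confirmed separately, the first half
    falls in at most 10**4 tries and the second in at most 10**3: its last
    digit is fixed by the checksum once the other seven are known. The two
    counts add rather than multiply.
    """
    naive = 10 ** 8                 # eight free digits, as a single secret
    first_half = 10 ** 4            # digits 1-4
    second_half = 10 ** 3           # digits 5-7; digit 8 is the checksum
    return {
        "naive": naive,
        "first_half": first_half,
        "second_half": second_half,
        "split_total": first_half + second_half,   # 11,000
        "valid_pins_in_total": 10 ** 7,            # one valid checksum per 7-digit prefix
    }


if __name__ == "__main__":
    for candidate in ("12345670", "12345678", "00000000"):
        print(candidate, "valid" if is_valid_wps_pin(candidate) else "bad checksum")
    print(search_space())
```

Note that only one eighth digit is valid for each seven-digit prefix, so 10,000,000 of the 100,000,000 eight-digit strings are well-formed PINs; the reduction to 11,000 comes from the split confirmation, not from the checksum alone.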
Manufacturers try to mitigate WPS vulnerabilities
When various vulnerabilities were discovered in the WPS protocol, manufacturers decided to incorporate methods into their firmware to prevent brute-force attacks. With 11,000 combinations, it is very feasible to discover the PIN in about 24 hours, although this depends on several factors (the chipset of the Wi-Fi card used to audit the network, the Wi-Fi router, and the distance to that router).
This means that, today, if the PIN code is entered incorrectly a number of times (three times on some routers, five on others, and so on), PIN access is automatically blocked until the router is restarted, which protects us from these attacks. In some cases, carrier routers always ship with the same PIN code configured, so cracking it takes seconds. In other cases, the router's WPS PIN is derived from its serial number rather than generated randomly, which makes cracking the PIN much easier.
Other manufacturers have disabled the WPS PIN option altogether and only allow WPS through the physical button, so we have to press it on our router to connect. This is the best way to use WPS without being so vulnerable. It is rare for a neighbor to have the knowledge needed to obtain your PIN. Still, our recommendation is to disable WPS permanently, especially if you use the PIN for client connections and have no measures in place to mitigate brute-force attacks.
Tools to crack the WPS PIN
To understand how someone can obtain our WPS PIN, we will take the Dumpper tool as an example, since this tool has dramatically simplified attacks on Wi-Fi networks. Any user can manage to breach the security of a network with WPS enabled without much prior knowledge.
The creator of this «tool to detect failures in our networks' security» claims that any user with a minimum of interest and some luck can breach the security of a Wi-Fi network in less than ten minutes, just by clicking a couple of times in the tool's interface.
Dumpper is software with which one can crack the WPS PINs of nearby routers, see the number of Wi-Fi networks on each channel, ping any network, perform dictionary attacks, and many other things.
Once the tool is started and updated, we choose the network interface and click Scan within the WPS tab. We will see all networks within reach of our wireless card that have WPS enabled, along with information about each of them. A circle with four possible colors indicates the probability that the PIN the tool suggests is correct.
We can also see the MAC address of the access point, the channel the network is on, its signal quality, and the PIN suggested by the tool. If we select one of the networks, we can see more information about it.
In this way, we can even obtain the model of the router that broadcasts the chosen network, which can be useful for finding the default password in the tool's dictionary to access the configuration. Finally, we only have to click WpsWin and wait. If Dumpper manages to get in, a ".txt" file with the WPS PIN is generated automatically, and we only have to use it to connect to the network.
If you are familiar with Linux environments, we recommend trying the WifiSlax distribution, as it includes all the tools needed to crack WPS. It has tools such as Bully and Reaver for performing wireless audits efficiently, as well as automated tools such as Bullyciosa and utilities with dictionaries of the default PINs of different routers, ideal for cracking a WPS PIN in seconds.
Another tool for attacking a Wi-Fi network, this time from an Android device, is WPSapp. This tool is practically a mirror of Dumpper for Android. Once installed, it works in the same way as Dumpper: it scans networks with WPS enabled and uses a vast library of default keys to give us the PINs with the best chance of success. Once we obtain the PIN, that is it: we have access. Another tool is, for example, WPS PIN, which allows dictionary attacks and also brute-force attacks.
Security Recommendations Regarding WPS (Wi-Fi Protected Setup)
The solution to all these WPS vulnerabilities is much simpler than you think, and it is a recommendation we have made more than once: disable WPS in the router firmware. It takes no effort and avoids possible intrusions. Below we give simple steps to disable the WPS function on the routers of the main operators. On all of them, we enter the interface through the IP address 192.168.1.1, regardless of which company provides the service.
On the Movistar HGU, you only have to go to the Wi-Fi configuration, change the drop-down to "disabled", and save the settings in the security section. Using its «configure AP» button, we can set a new code generated automatically from the router's key dictionary.
On the Livebox Fibra and Livebox Plus from Orange and Jazztel (they share firmware, and the process is identical), click on the upper Wi-Fi tab and scroll down a little. We will reach the "paired by WPS" option; we disable it and click save.
On the Vodafone Compal CG7486E, go to the upper Wi-Fi tab, then the WPS section, select "disabled" and click apply to save the changes. With its «Generate AP PIN» button we can generate a new PIN code assigned from the router's key dictionary. However, disabling it is always the recommendation.
And on the ZTE F680 from the MásMovil group, the designers chose not to allow a WPS PIN at all. WPS authentication can only be done through the router's physical button or from the interface in the WPS PBC tab. Therefore, in this case, we run no risk unless we press that button ourselves.
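The steps above are for the operators' routers. For a Linux access point running hostapd, the same decision is made in its configuration file, and it can be checked automatically. The following Python is an added example, not code from the article or from the hostapd project: it parses three constructed hostapd-style configurations (one with WPS and an AP PIN enabled, one with WPS disabled, and one allowing only the push button) and reports what a reviewer should flag. The key names `wps_state`, `ap_pin`, `config_methods` and `ap_setup_locked` are hostapd options; the way they are interpreted here is my reading of hostapd.conf, so verify it against the version you run. The sample values, including the passphrase, are constructed.

```python
# Added example, not from the original article or the hostapd project. The
# sample configurations are constructed; the key names are hostapd options,
# and their interpretation below follows the hostapd.conf documentation as
# the author understands it.

# Weak: WPS on, a static AP PIN set, PIN-based methods advertised.
WEAK_CONF = """\
interface=wlan0
ssid=home-net
wpa=2
wpa_passphrase=constructed-sample-passphrase
wps_state=2
ap_pin=12345670
config_methods=label display push_button keypad
"""

# Recommended: WPS disabled entirely.
DISABLED_CONF = """\
interface=wlan0
ssid=home-net
wpa=2
wpa_passphrase=constructed-sample-passphrase
wps_state=0
"""

# Compromise: WPS on, but push-button only, no AP PIN, AP setup locked.
BUTTON_ONLY_CONF = """\
interface=wlan0
ssid=home-net
wpa=2
wpa_passphrase=constructed-sample-passphrase
wps_state=2
config_methods=push_button
ap_setup_locked=1
"""

# config_methods values that involve a PIN rather than a physical button.
PIN_METHODS = {"label", "display", "keypad", "virtual_display"}


def parse_conf(text: str) -> dict:
    """Parse `key=value` lines; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_wps(conf: dict) -> list:
    """Return short finding codes; an empty list means nothing to flag.

    wps_state=0 (or unset, hostapd's default) means WPS is off, so the
    remaining keys are irrelevant. An unset config_methods is treated as
    'not advertised' here; hostapd applies its own default, so check it.
    """
    findings = []
    if conf.get("wps_state", "0") == "0":
        return findings
    if "ap_pin" in conf:
        findings.append("ap-pin-set")            # the static secret an attacker guesses
    methods = set(conf.get("config_methods", "").split())
    if methods & PIN_METHODS:
        findings.append("pin-methods-advertised")
    if conf.get("ap_setup_locked", "0") != "1":
        findings.append("ap-setup-unlocked")     # external registrars may still use a PIN
    findings.append("wps-enabled")               # informational: button window remains
    return findings


def recommended_fix(findings: list) -> str:
    """Map findings to the article's advice: disable WPS, or button-only at most."""
    if not findings:
        return "no change"
    if "ap-pin-set" in findings or "pin-methods-advertised" in findings:
        return "set wps_state=0, or remove ap_pin and allow only push_button"
    return "push-button only; set wps_state=0 if WPS is not needed"


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("disabled", DISABLED_CONF),
                       ("button-only", BUTTON_ONLY_CONF)):
        found = audit_wps(parse_conf(text))
        print(f"{name:12} {found or 'clean'} -> {recommended_fix(found)}")
```

Running the script prints one line per configuration; the weak one collects every finding, the disabled one is clean, and the button-only one keeps a single informational finding because the one-to-two-minute push-button window still exists.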
From RedesZone, we hope this article has helped you. Now that you know everything about WPS, you can defend yourself against anyone who wants to access your network by breaching its security, you will know how to make smarter use of this connection method, and if you suffer an attack you will be better prepared to solve the problems it may cause.
WPS will no longer be used in the next generation of wireless equipment, in favor of Wi-Fi Easy Connect. The latest operating systems are already beginning to drop support for this protocol for their users' safety. Wi-Fi Easy Connect provides a simplified method for connecting to wireless networks, using QR codes that we scan with our mobile device.
In addition, a device compatible with Wi-Fi Easy Connect will not need any graphical user interface, which is ideal for IoT devices. Lastly, this method uses public-key cryptography to secure authentication and is compatible with WPA2 and WPA3.