What Is WPS attack? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
Wi-Fi Protected Setup was designed to make connecting devices to a Wi-Fi network easier by using a PIN instead of a long password. Unfortunately, this PIN can be guessed by an attacker in a few hours using brute force. Once the PIN is cracked, the attacker can retrieve the network’s password and connect to the network. This type of attack is a common way hackers break into home and small office Wi-Fi networks.
Commonly Confused With
A WPA2 brute force attack attempts to guess the network password directly, which typically takes a very long time for a strong password. A WPS attack guesses a short PIN and retrieves the password from the router, making it much faster and more effective.
Trying to guess a 20‑character password vs. trying to guess an 8‑digit PIN that has a known verification flaw.
An Evil Twin attack involves setting up a rogue access point that mimics a legitimate network to trick users into connecting. A WPS attack is a direct attack on the router’s PIN mechanism. Both are wireless threats but use completely different methods.
Evil Twin is like creating a fake coffee shop Wi‑Fi; WPS attack is like picking the lock on the real router.
A deauthentication attack forces devices to disconnect from a Wi‑Fi network by sending fake management frames. Its goal is often to capture the handshake for offline password cracking. A WPS attack does not require capturing a handshake; it directly retrieves the password via the PIN.
Deauth attack is like cutting the phone line to force a call to reconnect; WPS attack is like bribing the switchboard operator for a list of phone numbers.
Must Know for Exams
WPS attacks are a common topic in several IT certification exams, especially those covering wireless security. For CompTIA Security+ (SY0-601 and SY0-701), WPS attacks appear under Objective 3.2 (Given a scenario, implement secure protocols) and Objective 4.1 (Compare and contrast social engineering techniques and threats). While not a core objective, it is frequently used in multiple-choice questions about wireless attack types.
In the CompTIA Network+ (N10-008) exam, WPS is mentioned in the context of wireless network configuration and security. You may see a scenario where a technician must secure a small office Wi-Fi network, and the correct answer involves disabling WPS.
For the Certified Ethical Hacker (CEH) exam, WPS attacks are covered in the wireless hacking module. You might be asked about tools like Reaver or PixieWPS, or about the PIN splitting vulnerability. The exam expects you to know the maximum number of PIN guesses required (11,000 for the first half, 1,000 for the second half).
In Cisco CCNA (200-301), WPS is less prominent, but it may appear in questions about wireless security best practices. The emphasis is on disabling unused services.
Exam questions often present a scenario where a network has strong WPA2 encryption but still gets compromised. The answer will point to the WPS PIN vulnerability. Another common question type asks for the maximum number of PIN attempts needed, 11,000 is a typical distractor (the correct answer is 11,000 for the first half plus 1,000 for the second half = 12,000 total). However, many official sources state 11,000 maximum attempts because the second half is only three digits (1,000 possibilities) but the checksum locks one digit so brute forcing the second half always requires up to 1,000 attempts. Total 11,000? Actually it is 11,000 guesses for the first 4 digits (because the 8th digit is checksum, the first 7 digits are split into 4 and 3 + checksum. Brute forcing the first 4 digits takes up to 10,000? No – the WPS PIN is 8 digits. The checksum digit is calculated from the first 7 digits. So the first 4 digits are guessed first. That is 10,000 possibilities. But some sources say 11,000 because the protocol checks the first half with a specific response. The exact number is 10,000 for the first half, 1,000 for the second half = 11,000 total. The confusion arises because the checksum digit is not used in the first half guess. The standard says the first half is digits 1-4, second half is digits 5-7 plus the checksum digit 8. So the second half brute force needs at most 1,000 guesses. Total 11,000. Many exam answers use 11,000 as the correct number. Check your exam objectives for exact numbers.
Simple Meaning
Think of WPS as a “valet key” for your Wi-Fi network. Normally, you need a long, complex password to join the network. But WPS offers a shortcut: an eight-digit PIN printed on the bottom of your router. The idea is that you type that PIN in once, and the router automatically gives your device the real password.
Unfortunately, the PIN has a built-in flaw. The last digit is a checksum that can be calculated from the other seven digits, so the attacker only needs to guess seven digits. Even worse, the PIN is verified in two halves: the first four digits are checked separately from the last three. That means the attacker only needs to try 11,000 possible combinations for the first half and 1,000 for the second half, a total of 12,000 guesses. With a modern computer, this takes only a few hours.
Once the PIN is discovered, the router hands over the network’s WPA2 password in plain text. The attacker now has full access to the Wi-Fi network and can spy on traffic, inject malware, or steal data. It’s like giving a thief your house key because they guessed a simple four-number lock on your mailbox.
Full Technical Definition
WPS (Wi-Fi Protected Setup) is a network security standard introduced in 2007 by the Wi-Fi Alliance to simplify the process of connecting devices to a secure wireless network. It supports several methods: PIN entry, Push Button Configuration (PBC), Near Field Communication (NFC), and USB configuration. The most common implementation, and the one most vulnerable to attack, is the PIN method.
The PIN method works as follows: the enrollee (client device) sends an EAP (Extensible Authentication Protocol) message to the registrar (usually the access point). The registrar challenges the enrollee to prove knowledge of the PIN. The enrollee responds with a hash of the PIN. The registrar then validates the hash and, if successful, provisions the enrollee with WPA2 or WPA3 credentials.
The critical vulnerability in WPS PIN-based authentication was discovered in 2011 by researcher Stefan Viehböck. The PIN is eight digits long, but the eighth digit is a checksum derived from the first seven digits using a simple algorithm. This reduces the search space from 100 million possible PINs to 10 million. More importantly, the WPS protocol validates the PIN in two separate halves. The registrar first checks the first four digits (the “M1” response). If correct, it sends an M2 message requesting the final three digits (which combined with the checksum makes four digits). The attacker can therefore brute force the first half with at most 10,000 guesses (actually 11,000 due to the checksum constraint on the first half? No – the first half is purely four digits, so 10,000 possibilities. However, the protocol check is that the registrar sends an NACK (negative acknowledgment) if the first half is wrong, and a different message if it is correct. This differential response allows the attacker to know when the first half is guessed correctly. The second half requires at most 1,000 guesses (three digits). Total worst-case: 11,000 guesses.
Modern tools like Reaver, Bully, and PixieWPS automate this attack. PixieWPS exploits an additional weakness where some routers generate the PIN using a predictable algorithm based on the device’s MAC address or serial number, allowing near-instantaneous cracking.
Mitigation steps include disabling WPS entirely on the access point, using WPA3 which improves upon WPS, or updating router firmware to disable PIN-based WPS and keep only Push Button mode, which is only active for a short window when physically pressed.
Real-Life Example
Imagine you live in a building with a main front door that requires a key card. To make it easier for guests, the building manager installs a “quick entry” system: you call your guest and tell them a simple four‑digit code that works for the front door only for the next five minutes.
Now, an attacker notices that the keypad only lets you enter the code in two parts: first the first two digits, then the last two digits. And the keypad beeps if the first two digits are correct. The attacker can stand outside and try all possible two‑digit combinations (00 to 99) – only 100 tries. If he gets a beep, he knows the first two digits are right. Then he tries the last two digits – another 100 tries max. In 200 tries, he’s inside the building.
This is exactly how a WPS attack works. The router’s WPS PIN validation reveals whether the first half of the PIN is correct. An attacker only needs 11,000 guesses for the first half (four digits) and 1,000 for the second half (three digits). With automated software, this takes a few hours. Once inside, the attacker gets the real Wi‑Fi password and can use the network as if they were a legitimate guest.
Of course, in real life, the building manager could simply disable the “quick entry” system. That’s exactly what network administrators should do: turn off WPS in the router’s settings. This is the single most effective defense against WPS attacks.
Why This Term Matters
WPS attacks matter because they undermine the strong security provided by WPA2 encryption. Even if a network uses a long, complex WPA2 password, a WPS attack can bypass that password entirely by exploiting the weaker WPS PIN. This makes the attack particularly dangerous for home users and small businesses that rely on consumer-grade routers, where WPS is often enabled by default.
For IT professionals, understanding WPS attacks is crucial for securing client networks. Many people assume that a strong Wi-Fi password is sufficient protection, but WPS creates a backdoor that can be cracked in hours. Auditors must check for WPS-enabled devices during penetration tests. Disabling WPS is one of the first hardening steps recommended by cybersecurity frameworks like the CIS Controls and NIST guidelines.
WPS attacks highlight a broader security principle: convenience often comes at the cost of security. WPS was intended to make connecting devices easier, but the implementation introduced a severe weakness. This serves as a learning point for aspiring IT professionals: always weigh the trade-off between usability and security. In many enterprise environments, WPS is disabled entirely, and device onboarding is handled through more secure methods like 802.1X with EAP-TLS or device certificates.
How It Appears in Exam Questions
WPS attack questions appear in several formats. In scenario-based questions, you might read: “A company uses WPA2 with a strong pre-shared key, but an auditor finds that an attacker was able to connect to the wireless network without the password. What is the most likely cause?” The answer options include: weak password, rogue access point, WPS enabled, Evil Twin attack. The correct answer is WPS enabled.
In configuration questions, you may be asked: “Which of the following actions would best protect a wireless network from a WPS brute force attack?” The correct answer: “Disable WPS on the access point.” Distractors include: “Enable MAC filtering,” “Change the SSID,” or “Use a longer password.”
Troubleshooting questions might present a case where a user reports that their Wi-Fi is slow and they see unknown devices on the network. The technician discovers that WPS is enabled and the router logs show hundreds of failed EAP messages. The answer would be to disable WPS and change the Wi-Fi password.
In more advanced exams, you may be asked about the tool used for WPS attacks. For example: “Which tool is commonly used to exploit the WPS PIN vulnerability?” Answer: Reaver. Another question: “How many possible PIN combinations are there in a WPS attack?” Answer: 11,000 (or 10,000 for first half + 1,000 for second half). Pay attention to wording that says “up to 11,000 attempts.”
Some questions focus on the protocol details: “What is the name of the vulnerability that allows an attacker to brute force the WPS PIN in two separate segments?” Answer: PIN splitting vulnerability.
For scenario-based questions, you may also need to know that a successful WPS attack results in the attacker obtaining the WPA2 pre-shared key in plain text. This allows long-term access to the network even after WPS is disabled, if the password is not changed.
As an exam tip, always remember that the best defense against WPS attacks is to disable the feature. Other measures like rate limiting or locking the PIN after failed attempts are effective only if the router firmware supports them, and many consumer routers do not. Disabling WPS is the most reliable solution.
Practise WPS attack Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a junior network administrator for a small dental office. The office has a single wireless router provided by the internet service provider. The Wi‑Fi password is a complex 20‑character string that the staff finds difficult to type. To make it easier, the previous admin enabled WPS and printed the PIN on a label near the reception desk.
One day, the dentist complains that the internet is very slow during patient hours. You check the router’s connected device list and see several unknown devices: a smartphone named “HackerPhone,” a laptop called “PwnBox,” and a tablet. You also notice the router’s log shows thousands of EAP‑request messages over the past week.
You realize that an attacker sitting in the parking lot used a tool like Reaver to brute force the WPS PIN. Once the PIN was cracked, the attacker retrieved the Wi‑Fi password and now uses the network to download large files, consuming bandwidth. The attacker may also be capturing sensitive patient data transmitted over the network.
You immediately disable WPS in the router settings. You change the Wi‑Fi password to a new strong password. You also apply a firmware update that fully disables the WPS PIN method (some routers still allow WPS even when disabled via the admin interface if the firmware is outdated). Finally, you inform the staff that they must type the password manually, or you offer to set up a secure QR code for easy device onboarding.
This scenario illustrates how a WPS attack can completely bypass a strong Wi‑Fi password and why disabling WPS is one of the first steps in securing a wireless network.
Common Mistakes
Believing that a strong WPA2 password fully protects against WPS attacks.
WPS attacks target the PIN, not the password. An attacker can crack the PIN and retrieve the password directly from the router, bypassing the strength of the password entirely.
Always disable WPS in the router’s settings. A strong password is still important for other purposes, but it does not protect against WPS vulnerabilities.
Assuming that disabling WPS via the router’s web interface is always sufficient.
Some older router models have firmware bugs where the WPS radio remains active even after the admin disables it. Physical reset buttons may re-enable WPS. An attacker can still exploit the PIN if the router does not fully disable WPS.
Verify that WPS is truly off by using a tool like Reaver to scan the router. Apply the latest firmware updates. For maximum security, consider using a router that completely removes WPS support.
Thinking that WPA3 eliminates all WPS attacks.
WPA3 introduced a more secure version of WPS called Wi‑Fi Easy Connect (DPP). However, many WPA3 routers still support WPA2 backward compatibility with legacy WPS. If the router is configured to allow WPA2 devices, the old WPS vulnerability may still exist.
When using WPA3, ensure that the router is set to WPA3-only mode if possible. If legacy support is required, disable WPS and use secure onboarding methods like QR codes or certificate-based authentication.
Confusing WPS attacks with brute force attacks on the WPA2 pre-shared key.
A WPA2 brute force attack involves guessing the password directly, which can take years for a strong password. A WPS attack only targets the eight‑digit PIN, which can be cracked in hours. These are completely different attack vectors.
When securing a network, consider both vectors. Use a strong password to defend against WPA2 brute forcing, and disable WPS to defend against PIN cracking.
Exam Trap — Don't Get Fooled
{"trap":"Some exam questions suggest that enabling MAC address filtering is an effective countermeasure against WPS attacks.","why_learners_choose_it":"MAC address filtering seems like a logical security measure because it blocks unauthorized devices based on their hardware address. Learners may think this prevents an attacker from connecting even if they crack the PIN."
,"how_to_avoid_it":"Remember that MAC addresses can be spoofed easily. An attacker who has cracked the WPS PIN can also spoof an allowed MAC address. The only reliable defense against WPS attacks is to disable WPS on the access point.
MAC filtering provides no real security and can be circumvented with trivial effort."
Step-by-Step Breakdown
Reconnaissance
The attacker uses a tool like Wash or Reaver to scan for nearby access points that have WPS enabled. These tools send probe requests and analyze the beacon frames to determine if WPS is active and what version is supported.
Select Target
The attacker identifies a target with WPS enabled. They note the BSSID (MAC address of the router) and the SSID. The attacker may also gather information about the router model to check for known weaknesses like predictable PIN generation (PixieWPS vulnerability).
Initiate WPS Brute Force
The attacker runs a tool like Reaver, which sends an EAP‑Start message to the access point, starting the WPS registration process. The tool then begins sending PIN guesses one at a time.
Crack First Half of PIN
The access point responds differently if the first four digits of the PIN are correct (M2 message) versus incorrect (NACK). The tool iterates through all 10,000 possibilities for the first four digits. Upon receiving an M2, the attacker knows the first half is correct.
Crack Second Half of PIN
Now the attacker must guess the remaining three digits (combined with the checksum digit). The tool tries up to 1,000 combinations. When the access point sends a final success message, the PIN is fully compromised.
Retrieve WPA2 Password
Once the PIN is verified, the access point sends the WPA2 pre-shared key (password) in plain text to the enrollee. The tool logs this password, and the attacker now has full network access.
Maintain Access
The attacker can connect to the network using the retrieved password. They may also spoof the PIN to rejoin later if the password changes. The attacker now has the potential to intercept traffic, launch further attacks, or use the network for malicious activities.
Practical Mini-Lesson
WPS attacks are one of the most straightforward wireless attacks to execute, but they are also one of the easiest to defend against. As an IT professional, you must understand both the attack mechanism and the practical steps to secure a network.
The attack relies on the PIN splitting vulnerability. In practice, not all routers are vulnerable to the same degree. Some newer routers implement rate limiting or lockout after a certain number of failed PIN attempts (e.g., 5 failed attempts locks WPS for 5 minutes). This can extend the brute force time from hours to days. However, many consumer routers do not have this protection. The PixieWPS attack exploits predictable PIN generation algorithms, allowing the PIN to be computed in seconds if the router’s hardware version is known.
In enterprise environments, WPS is typically disabled by default in professional-grade access points (e.g., Cisco, Aruba, Ruckus). However, the risk remains in small offices that use consumer routers. During a security audit, you should scan for WPS-enabled devices using tools like Wash or the WPS scanning feature in Aircrack-ng.
Configuration best practices include: setting the router to WPA2-AES or WPA3 only, disabling WPS completely (not just setting it to Push Button mode), and updating firmware to latest versions. If WPS must remain enabled for legacy devices (e.g., some printers), consider using a separate VLAN for those devices and apply strict firewall rules.
What can go wrong? An administrator may think WPS is disabled but the firmware bug leaves the radio active. Or the admin uses the router’s physical WPS button thinking it is safe, but a tool like Reaver can still brute force the PIN even if the button is not pressed (the PIN method is a separate feature). Always verify by scanning the router from an external device.
For learners, the takeaway is: never trust convenience features in networking. Always disable unnecessary services. The WPS attack is a perfect example of how a well-intentioned feature can become a critical vulnerability.
Memory Tip
WPS attack: 8-digit PIN split into 4+3 (checksum ignored). Max 11,000 guesses. Disable WPS to win.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
200-301Cisco CCNA →N10-009CompTIA Network+ →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
Frequently Asked Questions
Does disabling WPS stop all WPS attacks?
Yes, if the router firmware correctly disables the WPS PIN feature. However, some older routers may still respond to WPS probes even when the admin interface shows it as disabled. Always verify with a scanning tool.
How long does a WPS attack take?
With a tool like Reaver, it can take between 4 and 10 hours to brute force the PIN. If the router has rate limiting, it may take days. The PixieWPS attack can crack the PIN in seconds if the router uses a predictable PIN generation algorithm.
Can WPS attacks work on WPA3 networks?
WPA3 introduces a more secure protocol called Wi-Fi Easy Connect (DPP) that is not vulnerable to PIN brute force. However, many WPA3 routers support backward compatibility with WPA2, and if legacy WPS is enabled, the attack may still work.
What tools are used for WPS attacks?
Common tools include Reaver, Bully, and PixieWPS. Wash is used for scanning. These are often pre-installed in penetration testing distributions like Kali Linux.
Is WPS attack still relevant in 2024?
Yes. Many older routers still have WPS enabled by default, and even some newer budget routers keep the feature. The attack remains effective against a large number of home and small business networks.
What should I do if my router is vulnerable to WPS attack?
Disable WPS in the router settings. If the option is not available or the router is too old, consider replacing it with a modern router that fully removes WPS support. Also, update the firmware and change the Wi-Fi password.
Does using WPS with Push Button mode protect against this attack?
Push Button mode only works for a two-minute window when the button is physically pressed, so it cannot be brute forced remotely. However, if the router also enables PIN-based WPS, the vulnerability remains. Always disable both PIN and PBC if possible.
Summary
WPS attacks exploit a fundamental design flaw in the Wi-Fi Protected Setup PIN method, allowing an attacker to brute force an eight-digit PIN in two segments, requiring at most 11,000 guesses. Once the PIN is cracked, the router reveals the WPA2 password in plain text, giving the attacker full network access. This attack bypasses even the strongest passwords and is one of the most common wireless threats in small office and home environments.
Defending against WPS attacks is straightforward: disable WPS entirely on the access point. This simple step eliminates the vulnerability. For IT professionals, the lesson extends beyond WPS, it reinforces the importance of disabling unnecessary services and understanding the security implications of convenience features.
In certification exams, you can expect questions about the PIN splitting vulnerability, the number of guesses required, and the appropriate mitigation. The correct answer always points to disabling WPS. By mastering this concept, you demonstrate a practical understanding of wireless security that is immediately applicable in real-world network administration.