WPS Attack
What is WPS Attack?
An online brute-force attack on the eight-digit Wi-Fi Protected Setup PIN that recovers the WPA/WPA2 passphrase in hours.
WPS (Wi-Fi Protected Setup) was designed to simplify joining a home Wi-Fi network: a device that knows the access point's eight-digit PIN (usually printed on a label) can register with it and receive the WPA/WPA2 credentials. In December 2011 Stefan Viehböck, and independently Craig Heffner (who released Reaver), showed that the registration protocol proves knowledge of the PIN in two halves, and that the AP reports a wrong first half (with a NACK after message M4) before the second half is ever checked (a NACK after M6). Because the eighth digit is only a checksum of the first seven, an attacker posing as an external registrar needs at most 10^4 attempts for the first half plus 10^3 for the second, about 11 000 in total instead of 10^8. Tools such as Reaver and Bully automate this against most consumer access points of the period and recover the WPA2 PSK in 4-10 hours, sometimes faster. Many vendors mitigate with rate limiting or a lockout after a few failed attempts, but cheap APs often ship with WPS enabled by default. Disabling WPS, or allowing only push-button (PBC) mode so that no PIN is accepted, is the recommended defence.
● Examples
- 01
Running Reaver against an older home router to recover the WPA2 passphrase in a few hours.
- 02
Bully iterating the lower half of the WPS PIN once the upper half has been confirmed.
● Frequently asked questions
What is WPS Attack?
An online brute-force attack on the eight-digit Wi-Fi Protected Setup PIN that recovers the WPA/WPA2 passphrase in hours. It belongs to the Attacks & Threats category of cybersecurity.
What does WPS Attack mean?
An online brute-force attack on the eight-digit Wi-Fi Protected Setup PIN that recovers the WPA/WPA2 passphrase in hours.
How does WPS Attack work?
WPS (Wi-Fi Protected Setup) was designed to simplify joining a home Wi-Fi network: a device that knows the access point's eight-digit PIN (usually printed on a label) can register with it and receive the WPA/WPA2 credentials. In December 2011 Stefan Viehböck, and independently Craig Heffner (who released Reaver), showed that the registration protocol proves knowledge of the PIN in two halves, and that the AP reports a wrong first half (with a NACK after message M4) before the second half is ever checked (a NACK after M6). Because the eighth digit is only a checksum of the first seven, an attacker posing as an external registrar needs at most 10^4 attempts for the first half plus 10^3 for the second, about 11 000 in total instead of 10^8. Tools such as Reaver and Bully automate this against most consumer access points of the period and recover the WPA2 PSK in 4-10 hours, sometimes faster. Many vendors mitigate with rate limiting or a lockout after a few failed attempts, but cheap APs often ship with WPS enabled by default. Disabling WPS, or allowing only push-button (PBC) mode so that no PIN is accepted, is the recommended defence.
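As an added illustration of the split validation described in this answer and in the definition at the top of the page (constructed example code, not part of the original page and not Reaver's or Bully's source): a simulated access point answers each registrar session the way a vulnerable AP does, and a brute forcer uses those replies to search the two halves independently, so the worst case is 10^4 + 10^3 sessions rather than 10^8. The class and reply names (SimulatedAP, NACK_M4, NACK_M6, M7, LOCKED) are stand-ins for the real EAP-WSC exchange, the lockout model is a deliberate simplification, and the target PINs are made up; the checksum routine is the weighted-digit scheme from the WPS specification.

```python
"""Simulation of the WPS PIN split-validation flaw (constructed example).

The attacker acts as an external registrar. A vulnerable AP (the enrollee)
answers a wrong first half with a NACK after M4, before the second half is
checked, so the two halves can be brute-forced one after the other.
"""
from typing import Optional


def wps_checksum(first7: int) -> int:
    """Return the eighth (checksum) digit for a seven-digit WPS PIN prefix.

    Weighted-digit checksum from the WPS specification: odd-position digits
    (counted from the right) weigh 3, even-position digits weigh 1.
    """
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin8: str) -> bool:
    """True if pin8 is eight digits whose last digit is the correct checksum."""
    return (len(pin8) == 8 and pin8.isdigit()
            and int(pin8[7]) == wps_checksum(int(pin8[:7])))


class SimulatedAP:
    """Stand-in for a WPS-enabled access point answering registrar sessions.

    lockout_after models the vendor mitigation: after that many consecutive
    failures the AP reports 'AP Setup Locked' and refuses further sessions.
    Real APs usually unlock after a delay (which slows the attack rather than
    stopping it); here the lock is permanent to keep the example short.
    """

    def __init__(self, pin8: str, lockout_after: Optional[int] = None):
        if not is_valid_pin(pin8):
            raise ValueError("PIN checksum is wrong")
        self._half1, self._half2 = pin8[:4], pin8[4:]
        self._lockout_after = lockout_after
        self._failures = 0
        self.attempts = 0          # registrar sessions the AP has processed
        self.locked = False

    def try_pin(self, pin8: str) -> str:
        """Run one session and return the reply a vulnerable AP would give."""
        if self.locked:
            return "LOCKED"
        self.attempts += 1
        if pin8[:4] != self._half1:
            self._fail()
            return "NACK_M4"       # first half rejected: leaks that half1 is wrong
        if pin8[4:] != self._half2:
            self._fail()
            return "NACK_M6"       # half1 accepted, half2 rejected
        self._failures = 0
        return "M7"                # M7 carries the WPA/WPA2 PSK to the registrar

    def _fail(self) -> None:
        self._failures += 1
        if self._lockout_after is not None and self._failures >= self._lockout_after:
            self.locked = True


def brute_force(ap: SimulatedAP) -> Optional[str]:
    """Recover the PIN in at most 10**4 + 10**3 sessions; None if locked out."""
    half1 = None
    for i in range(10_000):
        # Only the first four digits matter here; the rest is a placeholder.
        reply = ap.try_pin(f"{i:04d}0000")
        if reply == "LOCKED":
            return None
        if reply != "NACK_M4":     # NACK_M6 or M7 both mean half1 was right
            half1 = f"{i:04d}"
            break
    if half1 is None:
        return None
    for j in range(1_000):
        # Only 10**3 candidates: the eighth digit is fixed by the checksum.
        first7 = int(half1 + f"{j:03d}")
        reply = ap.try_pin(f"{first7:07d}{wps_checksum(first7)}")
        if reply == "LOCKED":
            return None
        if reply == "M7":
            return f"{first7:07d}{wps_checksum(first7)}"
    return None


if __name__ == "__main__":
    target = "12345670"            # constructed target PIN (0 is its valid checksum)
    ap = SimulatedAP(target)
    print(brute_force(ap), ap.attempts, "sessions instead of up to 10^8")
    locked = SimulatedAP(target, lockout_after=10)
    print(brute_force(locked), locked.attempts, "sessions before lockout")
```

The worst-case PIN costs exactly 11 000 sessions; with the lockout enabled the same search stops after ten, which is why a registrar lockout (and, better, disabling PIN mode altogether) changes the economics of the attack.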
How do you defend against WPS Attack?
Disable WPS on the access point entirely; where onboarding convenience is still wanted, leave only push-button (PBC) mode enabled so the AP accepts no PIN at all. Prefer firmware that locks the WPS registrar after a handful of failed PIN attempts, but treat a lockout as a slowdown rather than a fix, since the attack tools simply wait it out. Because cheap APs often ship with WPS enabled by default, verify the setting from the air (for example with the wash scanner that ships with Reaver, which lists nearby APs advertising WPS and whether they report being locked) rather than trusting the admin interface.
What are other names for WPS Attack?
Common alternative names include: WPS PIN brute-force, Reaver attack.
● Related terms
- attacks № 828
Pixie Dust Attack
An offline attack that recovers the WPS PIN of a vulnerable access point in seconds by exploiting weak nonces in the WPS registration protocol.
- network-security № 1249
WPA2
The second generation of Wi-Fi Protected Access, based on AES-CCMP and IEEE 802.11i, that has been the de facto Wi-Fi security standard since 2004.
- attacks № 595
KRACK Attack
A key reinstallation attack against WPA2 that forces nonce reuse in the four-way handshake, letting an attacker decrypt or replay Wi-Fi traffic.
- attacks № 837
PMKID Attack
An offline WPA/WPA2-PSK cracking method that derives the passphrase from a single PMKID field captured from an access point, no client needed.
- attacks № 943
Rogue Access Point
An unauthorised wireless access point connected to a network, either installed maliciously by an attacker or naively by an employee, that bypasses network security controls.
● See also
- № 579 KARMA Attack
- № 1223 Wardriving