Fact-checked by Grok 2 weeks ago

Wi-Fi Protected Setup

Wi-Fi Protected Setup (WPS) is a program and standard developed by the to simplify the process of connecting devices to a and configuring settings, particularly for non-technical users in home and small office environments. Introduced in 2007, it automates the transfer of credentials, such as the service set identifier (SSID) and (WPA/WPA2) encryption keys, reducing the traditional multi-step manual configuration to as few as three steps. The standard supports multiple configuration methods to accommodate different user scenarios and device capabilities. The two mandatory methods are Push-Button Configuration (PBC), which activates a window by pressing a physical or virtual button on both the access point and client device, and the (PIN) method, where an 8-digit PIN displayed on the client is entered into the access point's interface. An optional method involves (NFC), enabling credential exchange by touching compatible devices. WPS is compatible with 802.11 standards including a/b/g/n and ensures with legacy devices while enforcing WPA2 security by default. Despite its convenience, WPS has faced significant criticism due to security vulnerabilities, most notably a flaw in the PIN authentication protocol revealed in 2011. This vulnerability allows remote attackers to brute-force the PIN offline because the protocol reveals partial confirmation of the first four digits after a failed attempt, reducing the effective key space from 10^8 to about 10^4 possibilities for the first half, enabling recovery in hours or less using tools like Reaver or Bully. As a result, many modern devices and operating systems, such as Android 9 and later, have deprecated WPS support in favor of more secure alternatives like Wi-Fi Easy Connect, which uses QR codes for device provisioning. The Wi-Fi Alliance continues to include WPS in certification programs for legacy compatibility, but recommends disabling it on access points where possible to mitigate risks.

Introduction and History

Overview and Purpose

Wi-Fi Protected Setup (WPS) is a specification developed by the Wi-Fi Alliance to enable the easy and secure connection of devices to a Wi-Fi network without requiring manual entry of a passphrase. It provides a standardized method for configuring security settings on wireless access points (APs) and client devices, ensuring interoperability among certified products. The primary purposes of WPS include simplifying the setup of and small networks, supporting the of devices that may lack advanced configuration interfaces, and minimizing user errors in configuration. By automating the and processes, WPS addresses the challenges posed by complex passphrase-based setups, which often lead to insecure defaults or user frustration. Key benefits outlined in the original design encompass faster device enrollment, seamless with and WPA2 protocols, and straightforward integration between and various client devices such as printers and cameras. These features aim to enhance user while maintaining robust , making networks more approachable for non-technical users. WPS was initially released in as a response to the growing complexity of setup in consumer environments, where manual configuration often resulted in security compromises or abandoned installations. The announced the program in August to unify easy-setup technologies from leaders, with testing commencing shortly thereafter.

Development and Standardization

Wi-Fi Protected Setup (WPS), originally known as Wi-Fi Simple Configuration, originated in 2006 as an initiative by the to simplify the configuration of secure Wi-Fi networks and address usability barriers hindering broader adoption of wireless technology in homes and small offices. The developed the initial specification, version 1.0, to enable easier device onboarding while maintaining compatibility with and security protocols. This effort was driven by the need to reduce the complexity of entering long passphrases, particularly for non-technical users. The specification was formalized in December 2006 and publicly announced in January 2007, with the launching its certification program later that year to ensure interoperability among compliant devices. Although WPS was not a formal IEEE standard, it was designed to align with the framework, particularly the 802.11i amendments for robust security, allowing seamless integration into existing ecosystems. The certification program required devices to support WPS methods alongside standard WPA2 , marking a key step in standardizing simplified setup across the industry. Products featuring WPS began appearing in the first quarter of 2007, primarily as reference designs from early adopters. Key development milestones included the integration of WPS into WPA2 frameworks from the outset, ensuring it enhanced rather than replaced existing security mechanisms, and the release of WPS 2.0 best practices in December 2010, which expanded support for dual-band operations on 2.4 GHz and 5 GHz frequencies to accommodate emerging multi-band access points. The collaborated closely with major vendors, incorporating contributions such as Broadcom's SecureEasySetup protocol and Intel's Smart Wireless Solution, which provided foundational elements for the PIN and methods. These vendor inputs helped refine the for practical implementation in chipsets and devices. Further evolution with WPS 2.0 in 2011 enhanced certification and support for out-of-band methods, including (NFC) integration to enable tap-to-connect setups and transfers for secure credential exchange between devices. These enhancements built on the original specification's optional provisions, aiming to broaden WPS applicability to mobile and embedded devices while prioritizing ease of use in diverse environments.

Operational Modes

PIN Method

The PIN method serves as the core enrollment mechanism in Wi-Fi Protected Setup (WPS), enabling users to authenticate and configure devices using an 8-digit (PIN) rather than manually entering a full . In this approach, the PIN is displayed on either the access point (, acting as the ) or the client device (acting as the enrollee), and the user enters it into the other device to initiate the connection process. This bidirectional flexibility allows the AP's PIN to be input on the client for standard setups or, less commonly, a client-generated PIN to be entered on the AP, facilitating credential exchange over the . The PIN structure comprises seven randomly generated digits followed by an eighth checksum digit, computed using the WPS-specific 10 : sum = 3 × (sum of first six digits) + seventh digit, then checksum = (10 - sum mod 10) mod 10, to validate accuracy and catch transcription errors. This design balances randomness for with error-detection reliability, though the generation can occur internally by the for fixed or session-based PINs or externally by the client device. Upon entry, the parses and verifies the PIN's format and before proceeding. The configuration steps begin with the user selecting the PIN mode on both devices and entering the code, prompting the to authenticate the enrollee. If the PIN validates successfully, the registrar transmits the necessary credentials—such as the SSID, settings, and network passphrase (from which the enrollee derives the )—to the enrollee, completing the secure . This typically takes under two minutes and supports both WPA-Personal and WPA2-Personal networks. A key advantage of the PIN method is its independence from physical proximity, allowing configurations across distances within Wi-Fi range, which proves ideal for remote device or scenarios lacking push-button hardware. Unlike proximity-dependent alternatives like configuration, it accommodates diverse user environments without additional infrastructure. In early WPS deployments from 2007 onward, the PIN method dominated as the mandatory requirement for all WPS-compliant devices, appearing by default on the majority of consumer routers and until vulnerabilities prompted widespread disabling in the 2010s.

Push Button Configuration

Push Button Configuration (PBC) is one of the operational modes in Wi-Fi Protected Setup (WPS) designed for straightforward device enrollment by leveraging physical or virtual button presses on both the and the client device, thereby avoiding the need for manual credential entry. This mode serves as a user-friendly option, particularly contrasting with the PIN method, which allows enrollment without physical proximity requirements. The process begins when the user presses the WPS button on the , activating a session. Within a 2-minute window following this activation, the user must press the WPS button on the client device to signal its intent to join the network as the enrollee. This timing ensures synchronized activation between the (typically the ) and the enrollee (the client). If the button presses occur within this period, the devices proceed to exchange data securely over the link. In PBC mode, no authentication codes or PINs are exchanged between devices; instead, the mechanism relies on the temporal alignment of button presses and inherent proximity to establish trust. Upon activation, the enters PBC mode and broadcasts messages, including a such as the device's UUID, to advertise its availability for enrollment during the active window. The client, upon button press, scans for these broadcasts and initiates the WPS protocol to negotiate credentials, completing the association without additional user input. PBC requires specific hardware support, including a dedicated physical WPS button on the AP and client devices, or a software-based equivalent accessible via the user interface (UI) for virtual activation. This setup ensures reliable initiation of the mode on compatible Wi-Fi CERTIFIED devices. A key advantage of PBC is its simplicity for non-technical users, as it eliminates typing errors associated with PIN entry and streamlines the connection process to mere button presses. This makes it ideal for quick setups in home environments where users may lack familiarity with network parameters. However, PBC has limitations stemming from its reliance on timing and physical interaction, necessitating that the client device be kept in close proximity to the AP—typically within 5 meters—to minimize the risk of session overlap if multiple potential enrollees are active simultaneously. In such cases, the AP detects overlapping requests and signals an error, requiring the process to restart, which underscores the importance of isolating the intended client during activation.

Near Field Communication Method

The Near Field Communication (NFC) method serves as an extension to Wi-Fi Protected Setup (WPS), enabling contactless configuration of Wi-Fi networks primarily for mobile and (IoT) devices. Introduced by the in 2014 as part of the updated WPS certification program, this optional mode leverages short-range technology to simplify device without requiring manual entry of network details. In the NFC method, an NFC-enabled client device, such as a smartphone, is tapped against the access point (AP) or a compatible NFC tag to initiate the setup process. This proximity-based interaction transfers the necessary Wi-Fi credentials from the registrar (typically the AP) to the enrollee (the client device) using NFC Data Exchange Format (NDEF) records formatted according to the Wi-Fi Simple Configuration specification. The NDEF record, identified by the payload type "application/vnd.wfa.wsc," encapsulates key network parameters including the service set identifier (SSID) and network passphrase (from which the pre-shared key is derived), allowing the client to automatically join the secure network. The technical framework for this method relies on the ISO/IEC 14443 standard for communication, which operates at 13.56 MHz with a typical range of up to 10 cm to ensure secure, short-range exchanges. The profile is embedded within the NDEF structure as an unencrypted credential token, providing a streamlined channel for provisioning without exposing sensitive data over longer distances. This approach supports three primary usage models: direct device-to-device , tag-based configuration, and integration with NFC-enabled . One key advantage of the NFC method is its extreme simplicity for users, who can complete setup with a single tap, bypassing the need for physical buttons or entering PINs as required in other WPS modes. This makes it particularly suitable for consumer scenarios involving quick connections for guests or peripherals. Adoption of the NFC method has been constrained to devices equipped with NFC hardware, limiting its widespread use compared to PIN or push-button alternatives. It gained integration into Android's Wi-Fi setup features around 2012, enabling native support for reading WPS NDEF records, while iOS incorporated similar NFC-based Wi-Fi provisioning capabilities in later updates following broader NFC enablement in 2014 with the iPhone 6. As of 2025, while still certified for legacy compatibility, WPS NFC sees limited use with the rise of more secure provisioning methods like Wi-Fi Easy Connect using Device Provisioning Protocol (DPP).

Technical Framework

System Architecture

Wi-Fi Protected Setup (WPS) utilizes a structured centered on defined roles and components to streamline the addition of devices to a secure network. The core roles consist of the Enrollee and the . The Enrollee represents the device attempting to join the network, such as a client station lacking the current network credentials, which it obtains through the registration process. The , conversely, is the authoritative entity responsible for configuring and distributing network credentials, including the service set identifier (SSID) and (PSK), to the Enrollee. In typical implementations, the Access Point (AP) functions as the primary component and internal Registrar, directly handling credential issuance to Enrollee client devices like laptops or smartphones. Client devices primarily operate as Enrollees during network joining. However, the architecture supports flexibility, including external Registrars that operate as separate entities and interface with the AP via Universal Plug and Play (UPnP) to manage configurations remotely. Proxy Registrars are also accommodated in advanced setups, where an intermediary device relays registration messages between an external Registrar and the Enrollee or AP, enabling operation in larger or segmented networks. The interaction model distinguishes (OOB) mechanisms for initiating from in-band channels for . OOB methods, such as entering an 8-digit PIN on the or pressing a physical button on both the and Enrollee, provide a secure independent of the wireless medium to prevent unauthorized initiations. Following OOB , the in-band proceeds over the link, ensuring the Enrollee can authenticate and receive credentials without prior network access. WPS architecture integrates with established Wi-Fi security frameworks by leveraging the Extensible Authentication Protocol (EAP), particularly through EAP-WSC messages for the registration exchange, within the broader WPA and WPA2 protocols. This compatibility allows WPS to configure PSKs that enable seamless adoption of WPA/WPA2-secured associations post-enrollment.

Protocol Operations

Wi-Fi Protected Setup (WPS), also known as Wi-Fi Simple Configuration (WSC), employs a structured protocol for device enrollment that begins with discovery and proceeds to secure credential exchange between the enrollee (the device seeking network access) and the registrar (the entity providing credentials). The core protocol leverages the Simple Service Discovery Protocol (SSDP) for initial discovery when using external registrars, utilizing SOAP messages over UDP on port 1900 to locate compatible registrars, followed by HTTP-based communication for subsequent configuration steps. This out-of-band or in-band approach ensures interoperability across Wi-Fi devices, as defined in the Wi-Fi Alliance's specifications. The enrollment sequence consists of an eight-message exchange (M1 through M8) carried within the Extensible Authentication Protocol - Wi-Fi Simple Configuration (EAP-WSC) method, which integrates with the IEEE 802.1X authentication framework to facilitate authenticated setup over the wireless medium. In M1, the enrollee initiates the process by sending its device capabilities, UUID, manufacturer details, a random nonce (N1), and Diffie-Hellman public key (PKE) to the registrar. The registrar responds in M2 with its own capabilities, a Diffie-Hellman public key (PKR), nonces (N1 and N2), and an authenticator derived using HMAC-SHA-256. In PIN mode, the enrollee then transmits its computed hashes (E-Hash1 and E-Hash2, derived from the device password PIN using PSK1/PSK2) and an authenticator in M3. The registrar replies in M4 with its hashes (R-Hash1 and R-Hash2), initial key-wrapped secrets (R-S1), and an authenticator, validating the first half of the PIN. Subsequent messages (M5 through M7) involve the enrollee sending key-wrapped response secrets (E-S1 in M5, E-S2 and config data in M7), the registrar providing key-wrapped second secrets (R-S2 in M6) and final network credentials (such as the pre-shared key or enterprise authentication details in M8), with authenticators in each. This sequence ensures mutual authentication and secure credential transfer without exposing sensitive data in plaintext. Key generation in the protocol relies on Diffie-Hellman key agreement to establish a shared secret between the enrollee and registrar during the M1-M2 phase, from which AuthKey and KeyWrapKey are derived using HMAC-SHA-256; a symmetric session key is then used to encrypt credentials via AES-CBC key wrap in M4-M8. The process incorporates HMAC-SHA-256 for authenticators in each message to verify integrity and authenticity, binding the exchange to the initial nonces and device attributes. For modes like PIN or push-button, the protocol briefly references registrar and enrollee roles, such as validating the PIN-derived hashes in M3 and M4 before proceeding. In PIN mode, the Device Password (8-digit PIN) is used to derive PSK1/PSK2, which compute the E-Hash/R-Hash values to prove knowledge of the PIN without transmitting it directly. Error handling is embedded throughout the to maintain robustness, including provisions for negative acknowledgments (NACK) in response to invalid messages, such as mismatched authenticators or incorrect PIN hashes, which trigger session resets without revealing underlying secrets. Timeouts are enforced, typically with retransmission attempts limited to two per message and overall session durations capped at around two minutes to mitigate denial-of-service risks; if a timeout occurs or an invalid PIN is detected early (e.g., during M3/M4 validation), the protocol aborts the exchange and requires re-initiation via user action like re-entering the PIN or pressing the . These mechanisms ensure graceful failure while preserving security, as detailed in the Wi-Fi Alliance's operational guidelines.

Band and Radio Selection

Wi-Fi Protected Setup (WPS) supports dual-band operation, enabling the negotiation of frequency bands between 2.4 GHz (compatible with 802.11b/g/n standards) and 5 GHz (compatible with 802.11a/n/ac standards) based on the access point's () capabilities and the client's preferences. This allows devices to connect on the most suitable band for performance and range, with multi-radio APs advertising their supported bands via the RF Bands attribute in and response frames. During the setup process, the enrollee (the device joining the network) initiates band negotiation by querying the 's radio modes in the M1 message of the WPS protocol exchange, which includes the enrollee's own RF Bands attribute to indicate its supported frequencies. The (typically integrated in the ) responds in the M2 message with details of the supported bands using the RF Bands attribute, specifying values such as 2.4 GHz, 5 GHz, or both for dual-band APs. This exchange ensures compatibility assessment before credential provisioning. Configuration of the selected band occurs automatically by matching the overlapping capabilities of the enrollee and , prioritizing higher-performance options like 5 GHz when possible, though user override may be available through the device's for specific band preferences. The security credentials (such as /WPA2 PSK) generated during WPS are then applied exclusively to the chosen band, ensuring secure operation on that radio. Support for 5 GHz bands was incorporated into WPS revisions around 2009, coinciding with the widespread adoption of 802.11n for dual-band devices, enhancing compatibility with emerging multi-band hardware. In the context of 6E introducing the 6 GHz band, WPS handling remains limited, as the protocol has not been updated for full integration, contributing to its overall deprecation in favor of more robust modern standards.

Security Vulnerabilities

PIN Authentication Flaws

The PIN authentication method in Wi-Fi Protected Setup (WPS) relies on an 8-digit (PIN) entered by the user to establish a secure between a client and an access point (). A fundamental design weakness lies in the 's validation process, which treats the PIN as two independent 4-digit halves rather than a single 8-digit value. This separation occurs during the exchange, where the verifies the first half (digits 1-4) before proceeding to the second half (digits 5-8), allowing an attacker to brute-force each portion sequentially. As a result, the effective key space is reduced from 10^8 possible PINs to approximately 10^4 attempts for the first half and 10^3 for the second half, totaling around 11,000 trials in the worst case. Compounding this issue is the vulnerability in the PIN's checksum mechanism, which uses a simple Luhn-like algorithm to generate the eighth digit based on the preceding seven. The is computed by multiplying every second digit starting from the right (least significant) by 3, summing all values, and setting the eighth digit to (10 - (sum % 10)) % 10 to make the total sum 10 equal to 0. This deterministic computation enables attackers to predict the eighth digit offline once the first seven are guessed, further shrinking the search space for the second half to only 1,000 possibilities instead of 10,000. The 's predictability stems from its reliance on basic without additional , making it unsuitable for cryptographic security. WPS devices, particularly APs acting as registrars, generate and display an internal 8-digit PIN for use in the authentication process, often printed on the device label or accessible via its . However, the protocol's exposes this internal PIN to partial validation flaws: after approximately 11,000 attempts on the first half, the AP leaks of its correctness through differences in the error messages or message hashes (E-Hash1), allowing attackers to confirm success without revealing the full PIN immediately. This information leakage occurs because the protocol does not uniformly reject invalid first halves, instead providing distinguishable failure modes that narrow down possibilities efficiently. These flaws were first publicly detailed by security researcher Stefan Viehböck in December 2011, who demonstrated the vulnerabilities through analysis of the WPS protocol implementation across multiple devices. His work highlighted how the combination of halved validation and weak rendered the PIN method fundamentally insecure against determined offline or brute-force efforts, prompting widespread advisories from organizations like US-CERT and .

Brute-Force Attack Vectors

Brute-force attacks on Wi-Fi Protected Setup (WPS) exploit the PIN method's inherent weaknesses, enabling attackers to recover the 8-digit PIN and derive the /WPA2 , thereby compromising the network. These attacks leverage the protocol's lack of and the separate verification of the PIN's first and second halves, as detailed in the underlying flaws. In the online variant, an attacker within radio range interacts directly with the access point by transmitting guessed PINs during the WPS . The design flaw allows confirmation of the first four digits after up to 10,000 attempts, and the remaining three digits (with the eighth as ) up to 1,000 attempts. In , each attempt takes 1-3 seconds due to message exchanges and delays, extending the total time to 4-10 hours in the worst case for unpatched devices without lockout mechanisms. The offline attack mitigates interaction requirements by capturing the initial M1-M3 messages of a WPS attempt through packet sniffing, then performing the brute-force computation locally using the revealed and Diffie-Hellman public keys. Tools such as Reaver automate this process, enabling an attacker to pause and resume the assault without maintaining constant proximity to the access point after the capture . This method remains effective against devices lacking WPS lockouts, with the computational burden shifted to the attacker's for rapid PIN recovery. A specialized offline variant, known as the Pixie Dust attack, was disclosed in 2014 by researcher Dominique Bongard and targets implementations with low-entropy Diffie-Hellman key generation in and chipsets. By exploiting predictable nonces in the captured messages (E-S1 and E-S2), attackers can solve for the PIN algebraically in minutes or even seconds, bypassing traditional brute-force entirely. This affects a significant portion of routers from major vendors produced between 2008 and 2014, particularly those using vulnerable . These vectors achieve near-100% success rates on susceptible without mitigations like PIN lockouts or . Early assessments following the 2011 disclosure indicated that the majority of consumer routers—estimated at up to 90% in some 2012 analyses—remained vulnerable due to incomplete patching by manufacturers.

Physical and Implementation Risks

The Push Button Configuration (PBC) method in Wi-Fi Protected Setup (WPS) relies on physical or virtual button activation to initiate a brief enrollment window, but this design exposes networks to tangible -based risks. An attacker with physical access to the access point can simply press the WPS button to start , enabling their device to connect without needing credentials during the active period. Furthermore, once activated, PBC opens a two-minute interval in which any proximate device—authorized or not—can join the network, heightening the chance of unauthorized enrollment in shared or unsecured environments. Compounding these issues, numerous routers produced in the , particularly consumer models from major vendors, were shipped with WPS enabled by default, leaving users vulnerable to opportunistic physical or proximity-based exploits without initial configuration changes. This default setting facilitated drive-by attacks in public or semi-public settings, such as cafes or apartment complexes, where attackers could exploit accessible hardware interfaces or the lack of user awareness to initiate unauthorized connections. Vendor-specific implementation flaws further amplified these physical and environmental weaknesses in early WPS deployments. Prior to 2012, many devices omitted on authentication attempts, allowing repeated without delays that could deter persistent physical tampering. Similarly, some implementations employed weak for dynamic PINs or associated nonces, enabling attackers to predict or rapidly derive codes through offline analysis after gaining temporary physical or interface access. Integration with Universal Plug and Play (UPnP) for external registrars introduced additional implementation risks, as this feature permits remote configuration of WPS parameters over the network. If firewalls are misconfigured to expose UPnP services to the wide-area network, attackers can impersonate registrars and initiate without physical proximity, bypassing intended hardware controls.

Current Status and Legacy

Deprecation Trends

Following the security vulnerabilities disclosed in 2011, the acknowledged the flaws in WPS and revised its test plan in to require rate-limiting on PIN attempts in all newly certified devices, thereby reducing the feasibility of brute-force attacks. Major router vendors quickly adapted by disabling WPS by default or issuing strong recommendations against its use. For instance, urged users to disable WPS entirely on affected devices starting in to eliminate exposure risks. incorporated safeguards like temporary lockdowns after repeated failed PIN attempts and explicitly advises disabling the PIN method to prevent exploitation. Adoption of WPS declined markedly in the years after these responses, reflecting broader industry shifts toward enhanced security. A 2015 wireless LAN war driving survey in revealed that only 28.82% of surveyed access points had WPS enabled, down from 34.08% in 2014, signaling reduced reliance on the feature amid growing awareness of its risks. deprecated WPS support starting in version 9 (2018), while the introduced Wi-Fi Easy Connect in 2018 as a secure QR code-based alternative and continues to support WPS for legacy compatibility with recommendations to disable it where possible. In networks, WPS usage was effectively phased out around 2020, with vendors like calling for its complete removal to prioritize secure onboarding methods. Despite these trends, WPS persists in legacy hardware for with older devices, though modern updates from vendors typically disable it by default or provide straightforward options to lock it out. This residual support underscores the gradual transition away from WPS, ensuring minimal disruption while emphasizing security in updated systems.

Alternatives in Modern Wi-Fi Standards

Modern Wi-Fi standards have introduced several alternatives to Wi-Fi Protected Setup (WPS), addressing its security shortcomings through more robust authentication and provisioning mechanisms. In WPA3, released in 2018 by the , the (SAE) protocol serves as a key component for personal networks, enabling a secure that authenticates devices without relying on vulnerable PINs or push-button methods. , based on the handshake, provides and resists offline dictionary and brute-force attacks by deriving unique session keys for each connection. Complementing SAE, WPA3's Opportunistic Wireless Encryption (OWE) enhances security for open networks by automatically encrypting traffic between devices and access points without requiring user credentials, using to establish per-client encryption keys. This approach mitigates risks in public hotspots, where traditional open networks offered no protection. OWE is defined in 8110 and integrated into WPA3 to promote encrypted communications by default. As a direct successor to WPS, the Device Provisioning Protocol (DPP), introduced by the in 2018, facilitates secure device onboarding using out-of-band methods like or tags, eliminating the need for shared secrets vulnerable to brute-force attacks. DPP employs for authentication, where a configurator device (e.g., a ) bootstraps the enrollee (e.g., an device) with network credentials, ensuring and key establishment. Easy Connect, the consumer-facing implementation of DPP, simplifies setup for headless devices by allowing users to scan a to provision access without manual password entry. By 2025, WPA3 has become mandatory for Wi-Fi 6E and Wi-Fi 7 certifications, particularly in the 6 GHz band, driving widespread adoption in new routers and client devices to ensure baseline . WPS has been phased out in modern hardware, with manufacturers like deprecating it in Android 9 and replacing it with DPP-based methods in and later versions; iOS ecosystems rely on alternative provisioning like for similar IoT setups, though native DPP remains limited. As of February 2025, 23 DPP-certified devices from 6 vendors were available, indicating growing but limited adoption. These alternatives offer significant advantages over WPS, including cryptographic in SAE to protect past sessions from key compromise, elimination of brute-force risks through asymmetric in DPP, and improved for multi-device environments like smart homes. By prioritizing secure, user-friendly enrollment without legacy vulnerabilities, WPA3 and DPP enable safer ecosystems, particularly for IoT proliferation.

References

  1. [1]
    None
    ### Official Description of Wi-Fi CERTIFIED for Wi-Fi Protected Setup
  2. [2]
    Wi-Fi Protected Setup PIN Brute Force Vulnerability - Cisco
    Jan 11, 2012 · A weakness in the protocol affects all APs that have a static PIN, and may allow an unauthenticated, remote attacker to use brute force ...
  3. [3]
    [PDF] Wi-Fi CERTIFIED™ for Wi-Fi Protected Setup - O'Reilly Resources
    The Wi-Fi Protected Setup certification program is based on a specification that was developed by the Wi-Fi Alliance to enhance the user's out-of-box experience ...
  4. [4]
    Wi-Fi Protected Setup (WPS) Need To Know - SmallNetBuilder
    The Wi-Fi Alliance provided no information, either, just an query via ... "The Wi-Fi Protected Setup specification mandates that all Wi-Fi CERTIFIED ...<|control11|><|separator|>
  5. [5]
    Wi-Fi Alliance unveils Wi-Fi Protected Setup program - Telecompaper
    Aug 17, 2006 · The Wi-Fi Alliance has announced Wi-Fi Protected Setup as the name for its upcoming consumer ease-of-use program, formerly code named 'Wi-Fi ...
  6. [6]
    Safe Wi-Fi could be on your doorstep soon - The Register
    Aug 20, 2006 · Sun 20 Aug 2006 // 08:02 UTC. The Wi-Fi Alliance has officially announced Wi-Fi Protected Setup (WPS) in an attempt to to make safe Wi-Fi easier ...
  7. [7]
    Wi-Fi Protected Setup Specification 1.0h | PDF - Scribd
    This document contains specifications for Wi-Fi Protected Setup (WPS), which aims to provide easy and secure setup of wireless networks.
  8. [8]
    Wi-Fi Protected Setup Details Announced
    Wi-Fi Protected Setup (WPS) will use push-button or PIN to simplify secure network setup: The Wi-Fi Alliance has rolled out its long-expected and openly ...
  9. [9]
    [PDF] The State of Wi-Fi Security - Huihoo
    The Wi-Fi Alliance plans to extend Wi-Fi Protected Setup certification testing in 2010 to include the ad-hoc mode. Figure 1. The Wi-Fi. Protected Setup logo.<|control11|><|separator|>
  10. [10]
    Wi-Fi Protected Setup Best Practices v2.0.2 - Scribd
    Wi-Fi Protected Setup™ Protocol. and Usability Best Practices. Version 2.0.2. Wi-Fi Alliance® December 2020. The following document, and the information ...
  11. [11]
    [PDF] Wireless Spreading of WiFi APs Infections using WPS Flaws
    WPS defines two additional out of band methods based on NFC and USB, which are less popular and not covered by the WPS certification. In December 2011,.
  12. [12]
    [PDF] SIMPLE & SECURE WI-FI CONFIGURATION ... - UC Berkeley EECS
    Dec 1, 2013 · Wi-Fi Protect Setup (WPS) is a Wi-Fi configuration protocol that provides a secure and simple. Wi-Fi setup process by PIN method and Push-Button ...Missing: structure | Show results with:structure
  13. [13]
    [PDF] Wireless Spreading of WiFi APs Infections using WPS Flaws
    The PIN-based method is mandatory for all the WPS certified devices, while PBC is optional for the wireless clients but mandatory for the APs. WPS defines ...Missing: advantages | Show results with:advantages
  14. [14]
    Wi-Fi Protected Setup (WPS) Enrollment Configuration on ... - Cisco
    Dec 12, 2018 · WPS requires either a device PIN code, usually an 8-digit number, or a push button event to allow a new WPS capable client to join the network.
  15. [15]
    readme-wps - MIT
    ... (2 minute window). wpa_supplicant is notified of the local button event ... Similarly, [WPS-PBC] is shown if PBC mode is in progress. GUI programs can ...
  16. [16]
    [PDF] Secure In-Band Wireless Pairing - USENIX
    If there are requests from more than one enrollee, the registrar signals a session overlap error and refuses to perform the PBC registration protocol, requiring ...
  17. [17]
    Wi-Fi CERTIFIED Wi-Fi Protected Setup™ adds NFC tap-to-connect ...
    Apr 9, 2014 · Wi-Fi Protected Setup now offers users three easy setup methods – Personal Identification Number (PIN), Push-Button Configuration, and NFC. With ...
  18. [18]
    Wi-Fi Simple Configuration — ndeflib 0.3.2 documentation
    One of the three Wi-Fi Protected Setup methods uses NFC as an out-of-band channel to provision Wi-Fi devices with the network credentials (see also this short ...
  19. [19]
    WPS Parameters Wifi NFC and Android - Stack Overflow
    Mar 20, 2012 · Handover-NFC. On Page 23, a wps record is saved and in the content column are defined "constants". For example WPS Attribute: SSID is given ...
  20. [20]
    [PDF] Brute forcing Wi-Fi Protected Setup
    Dec 26, 2011 · “Wi-Fi Protected Setup™ is an optional certification program from the Wi-Fi Alliance that is designed to ease the task of setting up and ...
  21. [21]
    [PDF] DeviceProtection:1 Service
    Feb 24, 2011 · The PushButton Configuration, or PBC, method is a commonly-used WPS introduction method that requires the user to push a setup button within ...
  22. [22]
    Wi-Fi Protected Setup | Wi-Fi Features - Developer Docs - Silicon Labs
    It should also be noted that the AP and a client device may change roles (i.e., AP acts as an Enrollee and client device as a Registrar) when WPS is used to ...Missing: Specification | Show results with:Specification
  23. [23]
    [PDF] Wi-Fi Protected Setup (WPS)
    Wi-Fi Protected Setup (WPS) is a standard for easy and secure wireless network setup, simplifying security configuration. The most common mode is Push Button ...
  24. [24]
    [PDF] New attacks on Wi-Fi Protected Setup
    Wi-Fi Protected Setup (WPS) is a network security standard that ... MAC address and Diffie-Hellman key exchange protocol ... Hash2 and sends it as M3 message. As ...
  25. [25]
    US8447978B2 - Wireless communication method using WPS
    Then, the access point 2 transmits the message M8, containing the authentication-response and credential, to the station 3 (Step S43). Thereafter, on receiving ...<|control11|><|separator|>
  26. [26]
    It is time to deprecate and replace Wi-Fi (un)Protected Setup!
    Jul 13, 2021 · The Wi-Fi Alliance promoted WPS, as recently as 2020, as being a trade-off particularly suitable for the home and small office segments. WPS is ...
  27. [27]
    VU#723755 - WiFi Protected Setup (WPS) PIN brute force vulnerability
    Dec 27, 2011 · An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network.Missing: source | Show results with:source
  28. [28]
    Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack | CISA
    Jan 23, 2013 · An attacker within radio range can brute-force the WPS PIN for a vulnerable access point. The attacker can then obtain WEP or WPA passwords and likely gain ...Missing: December 2011
  29. [29]
    t6x/reaver-wps-fork-t6x - GitHub
    Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.
  30. [30]
    [PDF] Offline bruteforce attack on WiFi Protected Setup - Archive
    ▫ Wi-Fi Protected Setup (WPS) or Wi-Fi Simple Configuration (WSC). ▫ „A ... ▫ Do the WPS protocol up to message M3. ▫ Get the Nonce from M1.
  31. [31]
    Wifi Protected Setup vulnerable - ScienceDirect.com
    ... pin-brute-force-vulnerability/ . Craig Heffner's blog,/dev/ttyS0, is at: www.devttys0.com/blog/. Recommended articles. Cited by (0). View Abstract. Copyright ...
  32. [32]
    WPS - WiFi Protected Setup - RouterSecurity.org
    WPS, after all, stands for Wireless Protected SETUP. These statuses must indicate if the initial setup has been done or not.
  33. [33]
    WPS on Router: What It Is and Why It Might Not Be Safe | Learn
    WPS has known security vulnerabilities and is not recommended for most home networks. It's best to disable it. How do I turn off WPS? Log into your router's ...
  34. [34]
    Suggested secure routers - RouterSecurity.org
    WPS should be disabled by default, or better yet, not even available. Wi-Fi encryption should default to WPA2-AES. Etc. etc. On a related point, if you need to ...
  35. [35]
    A Basic Guide to Router and Wireless Security for Regular People
    Jul 8, 2024 · In many cases, the ISP router has default settings enabled that could compromise user security. For example, many ISP routers (and shipped ...Use The Router's Firewall... · Use Sufficient Wi-Fi... · Keep Router Firmware Updated
  36. [36]
    How to discover Wi-Fi WPS password in one second - Security Affairs
    Aug 31, 2014 · The brute-force attack exploits weak randomization for the generation of a key used to authenticate hardware PINs on some implementations of WPS ...
  37. [37]
    Wi-Fi Alliance responds to WPS security flaw, many still vulnerable ...
    Mar 6, 2012 · It's been over two months since it was discovered that Wi-Fi Protected Setup (WPS) is vulnerable to a brute force attack that could give ...Missing: percentage | Show results with:percentage
  38. [38]
    Cisco: Disable WPS in vulnerable Wi-Fi devices - Fierce Electronics
    Jan 16, 2012 · Therefore Cisco has advised that the WPS feature be disabled altogether to prevent potential attacks. This has been the common advice from ...
  39. [39]
    How does my NETGEAR router protect me from Wi-Fi Protected ...
    Jul 7, 2025 · NETGEAR routers enter a temporary lockdown after failed WPS PIN attempts. NETGEAR recommends disabling the WPS PIN method to protect against ...
  40. [40]
    [PDF] Report on Wireless LAN War Driving Survey 2015 Hong Kong
    The percentage of AP with WPS enabled is dropping from 34.08 to 28.82 percentages. There is known security vulnerability in WPS. It has some improvement by ...
  41. [41]
    Wi-Fi Easy Connect | Android Open Source Project
    Wi-Fi Easy Connect was introduced by the Wi-Fi Alliance (WFA) as an alternative to Wi-Fi Protected Setup (WPS). WPS was deprecated in Android 9. Wi-Fi ...
  42. [42]
    Wi-Fi Gets More Secure: Everything You Need to Know About WPA3
    Sep 6, 2018 · Simultaneous Authentication of Equals (SAE) is a new method of authenticating a device trying to connect to a network.
  43. [43]
    WPA3 Deployment Guide - Cisco
    Wi-Fi Alliance mandated WPA3 for 6 GHz band and Wi-Fi 7 to ensure modern security and protect from vulnerabilities and provide a secure foundation for new ...Missing: WPS DPP
  44. [44]
    (PDF) Security analysis of the Wi-Fi Easy Connect - ResearchGate
    Feb 7, 2025 · Wi-Fi Easy Connect is a protocol introduced by the Wi-Fi Alliance, as the core replacement of the Wi-Fi Protected Setup (WPS).Missing: deprecation | Show results with:deprecation