Why Enabling WPS On Your Wi-Fi Network Is A Security Risk
When you think about home Wi-Fi and wireless security, technical concepts like antiviruses, encryption, and vulnerabilities often come to mind. Still, the simpler things usually end up causing the most significant problems. Some of the most successful attacks depend on things as uncomplicated as social engineering. Why bother writing complex malware with a decent chance of being caught by an antivirus if all you need to do is convince someone to click a link?
WPS, or Wi-Fi Protected Setup, is a function on your router meant to help make connecting to your Wi-Fi network easier without entering a password. There are two ways to use WPS. WPS works with a physical button or WPS Personal Identification Numbers (PIN), and neither is particularly safe, but there are different reasons why you'll want to avoid using each.
Where WPA (Wireless Protected Access) security makes you enter a password to access a network, WPS only requires users to enter an eight-digit PIN or press a physical button to access the network. The rest is taken care of by the router itself. WPS is much more convenient, but that convenience comes at the cost of security.
Why you should use WPA instead of WPS
The issue with WPS isn't that it makes social engineering easier or weakens the network encryption, but it simply makes it easier to access for attackers because of the nature of the WPS PIN. Compared to WPA, WPA 2, and WPA 3 Wi-Fi passwords, WPS PINs are far more susceptible to brute force attacks because they do not contain any letters, special characters, or formatting and cannot be longer than eight digits. Increased complexity and length are easy ways to make passwords more secure and resilient to brute force attacks. According to The U.S. Cybersecurity and Infrastructure Security Agency, a brute-force attacker can guess the WPS PIN in as few as four to ten hours, granting the attacker access to the network password and connected devices.
That's just considering the WPS PIN method, though. WPS push button comes with its own issues, which can make it more or less secure, depending on where your router is and who you allow into your home or business. Physical access is all that's necessary for a bad actor to gain access to a device with a WPS button, meaning WPS buttons are fine as long as you keep the router physically secured.
The safest action is to disable WPS and ensure it is disabled. Several routers don't disable WPS when the setting is turned off, it only makes the options inaccessible.