The Wi-Fi Alliance introduced the WPS standard in 2006 as a simpler method of connecting a new device to a network. While a good idea in theory, WPS makes for a less secure Wi-Fi network overall.
These security concerns may be part of the reason why Google removed support for WPS in Android P. With previous versions of Android, users could initiate a WPS connection manually. However, the ability to do so is gone on Android P.
Furthermore, some users on the Google Issue Tracker noticed that code strings related to WPS were deprecated (no longer supported). This has led to speculation that Google won’t bring back WPS in the official release.
A Googler responded to the issue tracker thread, saying that the development team would look into it and provide further clarification. However, the main issue in the thread was that Google deprecated the code without documenting it. For developers that utilized WPS, it meant some things stopped working with no explanation why.
What makes WPS insecure
Whatever the development team turns up, it’s likely that WPS won’t come back. Many newer routers are abandoning WPS because of the security issues surrounding the standard.
WPS can work one of two ways. The first way is arguably secure as it requires physical access to your router. Some routers have a button that you can push to connect a device. This initiates a connection point that only lasts a few minutes, leaving a narrow window of time for malicious attackers to gain access to your network. Additionally, it means an attacker would need physical access to your router in order to initiate the connection.
The second method is much less secure and is mandated by the WPS standard. The method, which uses an eight-digit PIN, leaves your router constantly exposed to attack. Because the WPS standard requires a PIN, even if your router uses the more secure push-button method, it has a PIN as well.
The PIN method isn’t secure because of the way routers check the PIN. When verifying the eight-digit PIN, the router checks the first four digits followed by the second four. The PIN is susceptible to a ‘brute force’ attack, which basically tries every possible combination until it locates the right one. Computers perform these attacks, which means a large volume of guesses can be processed incredibly quickly.
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
— Matthew Green (@matthew_d_green) April 16, 2018
Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, did some math and posted the results on Twitter earlier this year. While the tweet was about the time it took new software called GrayKey to break a PIN code on iOS, the numbers give you an idea why a PIN isn’t secure for WPS either. The times for cracking a four-digit PIN differ based on software, but overall a four-digit PIN will be significantly easier to crack than a six- or eight-digit PIN.
WPS uses an eight-digit PIN, but it checks the first four and second four individually. This means that instead of taking over a month to crack the PIN, software could probably do it in less than a day, maybe even in a few hours. An attacker would have to brute force the first four digits and then could move on to the second set of four. Most routers don’t time out after receiving an incorrect PIN, allowing attackers to submit guesses over and over again.
Unfortunately this is what makes WPS so insecure. Because the PIN is available all the time, attackers can perform brute force attacks at will and break into your network easily.
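The arithmetic behind the split check, as an added example that is not part of the original article: a toy in-memory verifier (the names `ToyVerifier`, `worst_case_attempts` and `seconds_to_exhaust` are hypothetical) counts worst-case guesses for whole versus half-by-half checking, then shows what a lockout policy does to the total time. The one-second-per-guess rate and the 60-second lockout after three failures are assumptions chosen for illustration, not measured router behaviour.

```python
# Added illustration: a constructed in-memory model, not WPS protocol code.

class ToyVerifier:
    """Checks an even-length decimal PIN whole or in two halves."""

    def __init__(self, pin: str, split: bool):
        self.pin, self.split, self.attempts = pin, split, 0

    def check(self, guess: str) -> tuple[bool, bool]:
        """Return (first_half_ok, pin_ok).

        A whole-PIN check reveals nothing about the first half, so
        first_half_ok is only true there when the entire PIN matches.
        """
        self.attempts += 1
        h = len(self.pin) // 2
        pin_ok = guess == self.pin
        return (guess[:h] == self.pin[:h] if self.split else pin_ok, pin_ok)


def worst_case_attempts(digits: int, split: bool) -> int:
    """Count checks needed to reach the last PIN in search order."""
    v = ToyVerifier("9" * digits, split)
    h = digits // 2
    if split:
        # Settle the first half, then the second: 10^h + 10^h checks.
        first = next(f"{i:0{h}d}" for i in range(10**h)
                     if v.check(f"{i:0{h}d}" + "0" * h)[0])
        next(i for i in range(10**h) if v.check(first + f"{i:0{h}d}")[1])
    else:
        next(i for i in range(10**digits) if v.check(f"{i:0{digits}d}")[1])
    return v.attempts


def seconds_to_exhaust(guesses: int, per_guess_s: int,
                       lock_after: int = 0, lock_s: int = 0) -> int:
    """Worst-case time when every `lock_after` failures cost `lock_s`."""
    lockouts = (guesses - 1) // lock_after if lock_after else 0
    return guesses * per_guess_s + lockouts * lock_s


if __name__ == "__main__":
    # Scaled-down 4-digit PIN so the whole-PIN search finishes quickly.
    print(worst_case_attempts(4, split=False), worst_case_attempts(4, split=True))
    split8 = 2 * 10**4  # the article's model: two independent 4-digit halves
    print(seconds_to_exhaust(10**8, 1), seconds_to_exhaust(split8, 1))
    print(seconds_to_exhaust(split8, 1, lock_after=3, lock_s=60))
```

Under these assumed rates, the split check shrinks the worst case from 100,000,000 seconds to 20,000, and a lockout on repeated failures stretches that back out to several days.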
It’s good to see router manufacturers moving away from the standard. With Google ending support for it in Android P, it likely means an end to the standard as well — and victory for secure Wi-Fi everywhere.