This one feature on your home router can make your password useless
This blog goes into how having this one Wi-Fi setting enabled can make your Wi-Fi password useless


The situation
Has this ever happened to you? You are watching a YouTube video or scrolling through your favorite social media platform and suddenly notice that the video starts to buffer or the posts take too long to load. It feels as if someone is using your Wi-Fi network to download large files. You think this is strange because you did not give your Wi-Fi password to anyone, so how is someone able to use your network?
The culprit here is a feature known as WPS (Wi-Fi Protected Setup). This is a feature that is enabled by default when you buy a brand new router.
What is WPS?
WPS, or Wi-Fi Protected Setup, is a feature that was originally developed by Cisco in 2006 to make it easier for users who knew very little about Wi-Fi security to connect their new devices to their new Wi-Fi access point or router. Users did not have to remember long and complicated passwords; they could just enter an 8-digit PIN, usually printed on a sticker placed under the router. This 8-digit PIN was randomly generated at the factory and did not change throughout the whole life cycle of the product. WPS also made it easier to connect printers and security cameras.
The Vulnerability
The problem here is that because this feature comes enabled by default, almost 90% of routers still have it enabled to this date. Another problem is that some routers don't have randomly generated PINs and can have common PINs like 12345678 or 00000000.
The PIN stays the same after it is assigned to the router unless a user changes it. The PIN has only 8 digits, and because the protocol checks it in two halves with the last digit acting as a checksum, an attacker needs at most 10,000 + 1,000 = 11,000 combinations to find the correct PIN. If the PIN is as common as the ones mentioned above, it takes about 2 seconds to get it. Now, 11,000 might seem like a big number, but these attacks are automated, and assuming 1 PIN is tried every second, it would only take around 3 hours for the PIN to be guessed correctly.
As mentioned before, once the PIN is found, there is no need to know the password, as the Wi-Fi can be joined with the WPS PIN alone. Many attack tools also reveal the password along with the WPS PIN. At this stage, anyone with the PIN or password can connect to your Wi-Fi network and use it to download huge movie files or games, which can lead to the slowdown in network speed mentioned at the start.
Why is it not being fixed?
This type of technology cannot be fixed because it is designed to make it easier for users to connect to Wi-Fi networks. Solutions that eliminate this vulnerability are covered towards the conclusion of this blog. Since WPS is meant to let users connect multiple devices quickly and efficiently, it needs a short and memorable number, in this case an 8-digit PIN. Because it is so easy to exploit, an attacker does not need any special equipment or a high-performance server or computer. The attack can very easily be carried out from a mobile phone with the appropriate tools and software.
How can we safeguard against this type of attack?
If you are not using the WPS functionality, it is much better to turn it off completely, as that eliminates any chance of an attack like this succeeding. If you are using WPS, it is advised to switch to some other way of connecting devices, or to change the PIN manually in the router settings on a regular basis.
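After changing the setting, it is worth confirming that the router has really stopped advertising WPS. The following is an added example, not part of the original post: a small Python check that reads the text output of the Linux `iw dev <interface> scan` command and reports the WPS status of your own networks. The SSID names and the sample scan text are constructed for illustration, and the field names are assumed to match what `iw` prints.

```python
import re

# Constructed sample modelled on `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 02:00:00:aa:bb:01(on wlan0)
\tfreq: 2437
\tSSID: HomeNet
\tRSN:\t * Version: 1
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, Display
BSS 02:00:00:aa:bb:02(on wlan0)
\tfreq: 5180
\tSSID: HomeNet-5G
\tRSN:\t * Version: 1
BSS 02:00:00:aa:bb:03(on wlan0)
\tfreq: 2412
\tSSID: Garage
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * AP setup locked: 0x01
\t\t * Config methods: Label
"""

def audit_wps(scan_text, my_ssids):
    """Return {ssid: status} for each of your own SSIDs found in the scan text."""
    results = {}
    # Every access point in the output starts with a "BSS <mac>" line.
    for block in re.split(r"(?m)^BSS ", scan_text)[1:]:
        ssid = re.search(r"(?m)^\s*SSID: (.*)$", block)
        if not ssid or ssid.group(1) not in my_ssids:
            continue  # only report on networks you own
        if not re.search(r"(?m)^\s*WPS:", block):
            status = "WPS not advertised"
        elif re.search(r"AP setup locked: 0x01", block):
            status = "WPS advertised, PIN setup currently locked"
        else:
            status = "WPS advertised, turn it off in router settings"
        results[ssid.group(1)] = status
    return results

if __name__ == "__main__":
    mine = {"HomeNet", "HomeNet-5G", "Garage"}  # hypothetical SSIDs
    for name, status in audit_wps(SAMPLE_SCAN, mine).items():
        print(f"{name}: {status}")
```

To use it on a real network, save the scan output from your own machine to a text file and pass its contents to `audit_wps` together with your own SSID names.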
Conclusion
In conclusion, if WPS is enabled on an access point or a router, then the chances of the Wi-Fi access point being hacked are very high, regardless of whether there is a strong password to connect to the network. If you know your way around the router settings page, the WPS option should be disabled. Only try to do this if you know how to turn WPS off, as changing the wrong option or setting might break the router's configuration and render it useless.