5

I have a question related to the WPS push-button capability on my router. I know that there is some material on the web about this question, but I haven't found anything that's current enough for my liking. Most posts are from 2011-2013.

I have a Netgear N600 router. It is running the latest firmware issued by Netgear for my model.

My router has a WPS button on it.

My router is in a secure location.

Here's my question:

Is my network as secure as my network password as long as I keep the WPS pin disabled, even if I keep the push-button capability of WPS enabled?

I understand, based on some things that I've read, that, when WPS first came out, there was a lot of concern about vulnerabilities of the pin-code functionality of WPS. However, it still isn't clear to me if the push-button feature of WPS is a vulnerability.

I'm asking because I'm imagining being able to combine a very secure WiFi password--one that is long, random, and of varied character sets--with the convenience of not having to type in the password on every device in my network. The imagined benefit is obvious--great security and convenience.

Daniel
  • 371
  • 1
  • 3
  • 4
  • I was watching an episode of security now on twit.tv and the protocol has vulnerabilities that make breaking it easy, and some implementation are more broken than others. – cybernard Mar 31 '16 at 01:13
  • explain "keeping pin disabled and enabling WPS". – Eibo Mar 31 '16 at 11:21
  • @Emadeddin WPS have two different ways of working. PIN, where you need to type the PIN. And PUSH, where you need to actually push the button. OP meant to disable PIN but enable PUSH. – The Illusive Man May 30 '16 at 10:28

1 Answers1

1

The short answer is your setup is relatively secure. The longer answer is there will still be vulnerabilities like devices being able to join a few minutes after the WPS push button is pushed. OR any other manufacturer flawed WPS implementation that brings other unknown risks.

So It is really better to disable WPS altogether. You should just use WPA2-PSK. It is hardly inconvenient as you only need to set up the login for each device only once. Even writing the long WPA2-PSK password on a post it and stick it to the router is more secure and almost as convenient as your current setup. Though many infosec guys will disapprove of this method. For me I save a picture of the password in my handphone and also on my desktop computer for easy reference.

John
  • 151
  • 5
  • Thanks for your response, @John. It is appreciated. I understand the risks of temporary vulnerability when the button is pressed. Do you have any theoretical knowledge of what software-based vulnerabilities may exist when only the push-button feature is enabled. I'm imagining that, as long as the PIN feature is truly inaccessible over the radio when it is disabled in the router's GUI, the only wireless vulnerability that would stem from my proposed setup is the time frame that the network is open when the WPS button is pressed. – Daniel Apr 01 '16 at 14:59
  • No, I don't have any to share. – John Apr 04 '16 at 05:07