What's new

Has the WPS vulnerability been patched/fixed in Asus AC and AX routers?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Qbcd

Regular Contributor
Hi,

I can't find information about this anywhere online. You know how WPS could be exploited by using software called Reaver to brute force the password within hours or days? Subsequently there was another WPS vulnerability where they could extract the PIN from a single inquiry by using the router's algorithm for number generation. Have these issues been patched in Asus routers? If so, in what way? Every article online still talks about how vulnerable WPS is, but when you ask people in the know they'll say it's been mostly fixed. But I can't find any specific information.

I recently set up a router for a friend and I forgot to disable WPS. I told them to disable it, but they probably won't do it... So I'm wondering if it's still an issue.

I'm asking for stock Asus firmware, not Merlin. I don't have access to the router anymore, I just want peace of mind.

Thank you.
 
Last edited:
I didn't know it was possible to fix this. I still consider using WPS as equivalent to leaving your front door open and with a flashing red sign above it too.
 
WPS must be disabled after adding AiMesh nodes, so among the last things I do here.

OE
 
I didn't know it was possible to fix this. I still consider using WPS as equivalent to leaving your front door open and with a flashing red sign above it too.

I thought so too but when I expressed that view in another online community many people laughed at me and insulted me, saying it had been patched a long time ago. No one really offered specifics other than the AP locking you out after x failed attempts and/or having progressively longer lockout periods, and possibly even turning off WPS altogether after x failed attempts. Some routers may not turn it off, but force you to reset the router after x attempts (but then there are DoS attacks that can force a reset and then continue the attack...). So these are generally the kinds of mitigation methods I've read about, but again, I could never get specifics about Asus routers or any brand.

There's another type of WPS attack called pixie dust which doesn't brute force but rather can guess the PIN in seconds after just one communication with the AP based on other information that lets it extrapolate the algorithm the AP used to generate the PIN. That I believe can be patched and I'm hoping it has been patched in new Asus routers at least... But that's just my assumption because again... couldn't find anything specific.

But I guess WPS is considered mostly safe now on new routers. I'm just upset that I forgot to turn off WPS on the router I set up. I wanted to ask the owner if they needed it first, but never got the chance so I decided to leave it on and ask them to turn it off later -- big mistake because they couldn't care less. Now I feel like I didn't do my job properly. :(
 
Last edited:
Shock! You're asking other forums for solid Wi-Fi advice? I don't think that unicorn exists. :)

WPS is not safe on any router. Don't believe the myths.
 
Shock! You're asking other forums for solid Wi-Fi advice? I don't think that unicorn exists. :)

WPS is not safe on any router. Don't believe the myths.

It was a reddit thread and I had to delete it because of how much hate I was getting. And also I didn't want to spread misinformation in case they were right...

I agree, I always turn it off and then instruct the owner that if they ever need it they can turn it on temporarily and then off again.

But it's tricky when you're setting up a router for someone who knows nothing about WiFi or router settings and you know the settings you leave them with will be the settings they'll have until they buy a new router 10 years from now. So you don't want to limit functionality they might need. What if they buy a printer or some IoT device that can only connect via WPS, then the button won't work, they'll wonder why it's not working and then they may reset the router... and then not only will WPS be on but all the bad stock settings too.
 
What if, is not a good reason to do things properly, now.
 
I agree, I always turn it off and then instruct the owner that if they ever need it they can turn it on temporarily and then off again.
So if I want to connect a device via WPS, I can turn it on, connect the device, then turn it off and the device stays connected?
 
So if I want to connect a device via WPS, I can turn it on, connect the device, then turn it off and the device stays connected?

Yes. This is how AiMesh adds nodes. Once the guest learns the necessary security, they're in and WPS is no longer required.

OE
 
Just as a side note, Asus themselves indirectly admit that WPS poses a security risk if permanently enabled: Log into your router’s GUI / choose AiProtection menu / turn it on (if it’s off) / click “scan” for automated security assessment. As you can see, WPS is “green” only when disabled:
1607776562703.png
So I wouldn’t worry about the rudeness of the guys from Reddit. We shall wish them the best of luck with WPS on.
 
Just as a side note, Asus themselves indirectly admit that WPS poses a security risk if permanently enabled: Log into your router’s GUI / choose AiProtection menu / turn it on (if it’s off) / click “scan” for automated security assessment. As you can see, WPS is “green” only when disabled:
View attachment 28414
So I wouldn’t worry about the rudeness of the guys from Reddit. We shall wish them the best of luck with WPS on.

Yeah but I think that's mostly because the PIN is printed on the router... And anyone who gets that PIN has perpetual access to your network as long as WPS is on. What I'd really like to know is exactly what measures Asus has taken to prevent 1) The brute force attack and 2) The pixie dust attack. It can easily be tested, but I'm not gonna install all of that stuff and attack my own router to find out. My guess is they've fixed it since they make the highest end consumer routers out there, but... I'd still like to know.

I see you've turned on AIProtection, have you had any issues with sites not working or any other anomalies?

Also, you should change your password and encryption so it says "Very strong".
 
No issues with AiProtection so far.

Happy with strong :cool:
 
@Qbcd, you're guessing wrong. As proof, how many commercial/industrial installations allow WPS? Yes, zero.

Those attacks haven't been fixed. If they were fixable, they wouldn't be still called attacks.
 
@Qbcd, you're guessing wrong. As proof, how many commercial/industrial installations allow WPS? Yes, zero.

Those attacks haven't been fixed. If they were fixable, they wouldn't be still called attacks.

It's possible to fix the brute force attack by having progressively longer lockout periods and maybe after 10 tries totally turn off WPS. Then maybe if you tried to turn it on again manually in the GUI, you get a warning message and it only lets you turn it on for 10 minutes or something. There are ways. Unfortunately there is no mention of anything like that in the RT-AX58U manual, so I don't know what method(s) they use. Asus notoriously doesn't mention a ton of stuff in their manuals.

And the pixie dust attack is very much patch-able, it was a thing 5 years ago on older crappy routers, so I'm 99% sure it has been fixed in Asus routers, especially new ones, but... I can't confirm this.

I don't know why I keep researching this stuff, I mean I agree with you guys that of course WPS is best turned off, I'm just trying to make myself feel better about the aforementioned router I set up.

By the way, for enterprise WPS makes no sense because 1) One person getting the PIN ensures they have perpetual access to that AP, which is bad 2) People don't have physical access to the AP, so the button method makes no sense and 3) IT sets up all the printers and stuff so it makes even less sense to keep it enabled. They turn it on when they need to add a device that can't connect another way, then turn it off.
 
I'm wondering if there could be a compromise setting that disables using passcodes, but still lets you use the button. That would limit security to physical access.
 
I'm wondering if there could be a compromise setting that disables using passcodes, but still lets you use the button. That would limit security to physical access.

Some routers have that option, but Asus doesn't.
 
Similar threads

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top