Is my router vulnerable if WPS is enabled but WPS pin code is disabled?

If Netgear has implemented it properly, WPS Push-button-connect should be secure. However, I have no idea whether Netgear has implemented it properly, and if they haven't, you might be insecure.

The known attack on WPS is described in this paper:

  • Brute forcing Wi-Fi Protected Setup, Stefan Viehböck, 2011.

For another great explanation, see also:

  • How The WPS Bug Came To Be, And How Ugly It Actually Is, Dan Kaminsky, 2012.

The attack described there breaks the PIN-based forms of WPS. It is not effective against a properly implemented version of WPS Push-button-connect (PBC), because a remote attacker cannot physically push the button on your router, and WPS PBC requires someone to press the button before it can proceed.

Therefore, if Netgear has implemented WPS PBC correctly, and has properly disabled all the other forms of WPS, you should hopefully be safe (fingers crossed).

(Do make sure you are running the latest version of the Netgear firmware. The WPS attacks were only discovered less than a year ago, so versions of the firmware written before the attack was discovered are very likely to be vulnerable.)

That said, router vendors have screwed this stuff up before. The bad track record, and the fact that it is not easy for an average user to tell whether they've finally gotten it right this time, does give some room for concern. I think it would be understandable if this makes some security folks throw up their arms in disgust and say "oh, to heck with it, just turn off WPS, I don't trust the router vendors to get this right".

So, how much do you trust Netgear to not screw this up?
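
One partial check on whether the PIN forms are really off is to look at the WPS methods the router still advertises in its beacon or probe response. The sketch below is an added example, not part of the original answer and not Netgear code. It assumes you have already captured the raw information-element bytes with a sniffer, uses the attribute IDs and Config Methods bit values from the WPS specification, and uses helper names and sample bytes constructed here for illustration. An empty PIN list only shows that PIN is no longer advertised, not that the router rejects PIN attempts.

```python
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")  # vendor IE: OUI 00:50:F2, type 4 = WPS
CONFIG_METHODS = 0x1008                   # WPS attribute: Config Methods
SELREG_CONFIG_METHODS = 0x1053            # WPS attribute: Selected Registrar Config Methods
PIN_BITS = {0x0004: "label", 0x0008: "display", 0x0100: "keypad"}
PUSH_BUTTON_BIT = 0x0080


def wps_attributes(ies: bytes) -> dict:
    """Walk 802.11 information elements; return WPS TLVs as {type: value}."""
    attrs, i = {}, 0
    while i + 2 <= len(ies):
        eid, elen = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + elen]
        i += 2 + elen
        if eid != 221 or len(body) != elen or not body.startswith(WPS_OUI_TYPE):
            continue  # not a complete WPS vendor element
        j = 4
        while j + 4 <= len(body):
            atype, alen = struct.unpack_from(">HH", body, j)
            value = body[j + 4:j + 4 + alen]
            if len(value) != alen:
                break  # truncated attribute: stop parsing this element
            attrs[atype] = value
            j += 4 + alen
    return attrs


def wps_report(ies: bytes) -> dict:
    """Summarise which WPS methods the access point advertises."""
    attrs = wps_attributes(ies)
    methods = 0
    for key in (CONFIG_METHODS, SELREG_CONFIG_METHODS):
        if len(attrs.get(key, b"")) == 2:
            methods |= struct.unpack(">H", attrs[key])[0]
    return {
        "wps_advertised": bool(attrs),
        "pin_methods": [name for bit, name in PIN_BITS.items() if methods & bit],
        "push_button": bool(methods & PUSH_BUTTON_BIT),
    }


def build_ies(config_methods: int) -> bytes:
    """Constructed sample: SSID element followed by a WPS element."""
    wps = WPS_OUI_TYPE + struct.pack(">HHB", 0x104A, 1, 0x10)  # Version
    wps += struct.pack(">HHH", CONFIG_METHODS, 2, config_methods)
    return b"\x00\x04home" + bytes([221, len(wps)]) + wps
```

`wps_report(build_ies(0x0080))` describes a router advertising push-button only, while `wps_report(build_ies(0x008C))` lists `label` and `display` as PIN methods still on offer.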