Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure secure wireless networks. The external registrar PIN exchange mechanism is susceptible to brute-force attacks that could allow an attacker to gain access to an encrypted Wi-Fi network.
WPS uses a PIN as a shared secret to authenticate an access point and a client and provide connection information such as WEP and WPA passwords and keys. In the external registrar exchange method, a client needs to provide the correct PIN to the access point.
An attacking client can try to guess the correct PIN. A design vulnerability reduces the effective PIN space sufficiently to allow practical brute force attacks. Freely available attack tools can recover a WPS PIN in 4-10 hours.
An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.