Recently, a friend asked me why he keeps seeing strange cellphones in Windows File Explorer under ‘Network’. I checked his router and it had WPS enabled by default. I disabled it and we changed the WiFi password to something a little longer (>12 characters). Now his network is free of strange devices.
WiFi Protected Setup (WPS) is an easy way to enable device access to a router using an 8-digit PIN. I cannot stress this enough: it is insecure by design, and you should disable WPS on your router now!
We have known since 2011, thanks to Stefan Viehböck, that brute-forcing WPS doesn’t require you to try 100,000,000 combinations (00000000 – 99999999). Even though it is an 8-digit PIN, it is actually checked in two halves, and the last digit is a checksum. This means the maximum number of attempts is 10,000 for the first half of the PIN and 1,000 for the second half, which has only three free digits. With a maximum of 11,000 guesses required, a bad actor can easily gain access to your network. Again, you should disable WPS on your router.
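To make the arithmetic above concrete, here is an added example (not from the original post or from any router's firmware) that computes the WPS checksum digit and counts worst-case guesses against an in-memory model of split PIN checking. The `ModelVerifier` class, its verdict strings and the sample PINs are constructed for illustration; nothing here touches a network.

```python
def wps_checksum(body: int) -> int:
    """Eighth digit of a WPS PIN, derived from the first seven digits."""
    accum = 0
    while body:
        accum += 3 * (body % 10)
        body //= 10
        accum += body % 10
        body //= 10
    return (10 - accum % 10) % 10


def make_pin(body: int) -> str:
    """Format a 7-digit body plus its checksum as an 8-digit PIN string."""
    return f"{body:07d}{wps_checksum(body)}"


class ModelVerifier:
    """Constructed in-memory stand-in for a router's PIN check (no network I/O)."""

    def __init__(self, pin: str):
        self.pin, self.attempts = pin, 0

    def check(self, guess: str) -> str:
        self.attempts += 1
        if guess[:4] != self.pin[:4]:
            return "first-half-wrong"   # this verdict is what leaks information
        if guess[4:] != self.pin[4:]:
            return "second-half-wrong"
        return "ok"


def worst_case_split() -> int:
    """Count guesses needed for the PIN that sorts last under split checking."""
    verifier = ModelVerifier(make_pin(9_999_999))
    first = 0
    while verifier.check(f"{first:04d}0000") == "first-half-wrong":
        first += 1
    for rest in range(1000):  # only 3 free digits remain; the 4th is the checksum
        if verifier.check(make_pin(first * 1000 + rest)) == "ok":
            break
    return verifier.attempts


WHOLE_PIN_SPACE = 10 ** 7  # 7 free digits if the PIN were only checked as a whole

if __name__ == "__main__":
    print("split check, worst case:", worst_case_split())
    print("whole-PIN check, worst case:", WHOLE_PIN_SPACE)
```

The gap between the two numbers comes entirely from the verifier reporting which half was wrong, which is why a longer WiFi password does not help while WPS stays enabled.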
Some router manufacturers have tried to strengthen WPS, but turning it off is still the best way to mitigate the threat. All of my devices remember my WiFi password, so typing it in when I get a new device is really not that inconvenient (even with a longer password, I’ll survive). Disable WPS on your router, or you may end up seeing strange cellphones on your network.