How seven mesh routers deal with Wi-Fi Protected Setup (WPS)


The recent wave of new mesh router systems has brought with it changes besides the obvious increase in Wi-Fi range. For example, these mesh routers are more likely to insist on WPA2-AES encryption, as many have dropped support for the less secure WEP and WPA options. Not all of them, but many.

Here I take a look at another insecure router technology, WPS (Wi-Fi Protected Setup), and how these new mesh routers deal with it.

WPS is an alternate way of gaining access to a Wi-Fi network that does away with having to know the SSID (network name) and password. Much of what you read about WPS is incomplete, as it supports at least four different modes of operation.

One of these modes, known as PIN authentication, lets a Wi-Fi device get on a network by providing the PIN code of the router. Any router supporting WPS has a PIN code on the label; all you need do is turn the device over to see it. Often, the WPS PIN code cannot be changed.

WPS got a big public black eye at the end of 2011, when it came out that the PIN authentication method was designed in such a way that it was vulnerable to brute force guessing. I explain the details on my RouterSecurity.org site, but the end result was that a router supporting WPS could be breached with a maximum of 11,000 PIN code guesses.

The real scandal is what happened in the subsequent five years: nothing. Rather than be mandated out of existence, WPS PIN code is still a supported thing. 

But, finally, the latest crop of mesh routers is doing something about this. I looked at seven of them and found that five do not support WPS at all. One supports WPS, but not the PIN code method, and the last one is so poorly documented, it's not clear exactly which modes of WPS operation are supported.

GOOD NEWS

The five mesh routers that do not support WPS are Eero, Google Wifi, Ubiquiti AmpliFi, Plume and Luma.

An Eero tech support article, Frequently asked security questions, says "eero doesn't support WEP, WPA, or WPS, as these protocols are known to be insecure." 

A Google tech support article, Google Wifi security features, says "WPS, a mechanism that lets a device join a wireless network without entering a password, is also not supported for security reasons."

A Plume tech support article, Does Plume support WPS?, says "Plume does not not support WPS as it was discovered to be a less secure procedure for establishing a WiFi network."

A Luma blog posting by Yasin Jabbar, What is Wi-Fi Protected Setup (WPS)?, points out the security issue with WPS, then concludes with "Our Luma WiFi routers natively don't support WPS." 

I could not find anything from Ubiquiti about WPS, but I have used and tested one of their AmpliFi routers and found no indication of WPS support.

BAD NEWS

Most reviewers agree that the Netgear Orbi system offers the best Wi-Fi for consumers. 

UPDATE: May 3, 2017. Based on public information, it was not clear which types of WPS were supported by the Orbi and the text below originally reflected that. Someone at Netgear was kind enough to verify that it only supports the push button mode of operation for WPS, so the text below has been revised. 

A Netgear Knowledge Base article, Does my Orbi WiFi System support Wi-Fi Protected Setup (WPS)?, says that "You can use the Sync button on your Orbi router and satellite to connect devices that support WPS."  Page 23 of the Orbi WiFi System User Manual (PDF) also discusses using the Sync button for Wi-Fi authentication. 

Rather than dropping WPS entirely, Netgear supports the push button mode of WPS authentication. In this mode, you push a button on the router, then you have a minute or two to push a WPS button on a Wi-Fi device to connect it to the network. This mode of operation was intended for use with Wi-Fi devices that don't have a real or virtual keyboard. 

The security of push button authentication is far better than PIN codes, which the Orbi does not support. However, it does mean that anyone who can physically touch an Orbi device can get on its network. The manual says nothing about whether WPS can be disabled, so we have to assume it cannot.

Finally, we come to Linksys and their Velop mesh system. The Velop User Guide (PDF) makes a bad first impression; not only is it undated, there is no reference to a firmware release number either. The Netgear manual that I referred to above clearly shows that it was updated in March 2017. My experience has been that manuals without a date or release number are issued and abandoned. That is, the manual will probably not be updated to reflect changes in the firmware going forward.

Page 17 of the Velop User guide describes how to "Connect a Device with WPS" and says "Wi-Fi Protected Setup allows you to easily connect wireless devices to your Wi-Fi without manually entering security settings." Easy has always been the mortal enemy of secure.

The screen shot of the mobile app on page 17 shows it saying "WPS is a secure way for basic users to connect devices without complicated authentication details." No one thinks WPS is secure. 

From the screen shot, it looks as if WPS can be disabled but the manual does not go into this at all. Most importantly, it is not at all clear which types of WPS are supported by the Velop system. 
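When the documentation is silent, the access point's own Wi-Fi advertisements can be checked from a Linux machine. The following is an added example, not code from the article or from any router vendor: it parses scan text modelled on what `iw dev <iface> scan` prints and reports, for each access point, whether WPS is advertised and whether any PIN-based method is listed. The sample scan, BSSIDs and SSIDs are constructed, and the field names ("Config methods", "AP setup locked") are assumed to match the installed iw version.

```python
import re

# Constructed sample modelled on `iw dev <iface> scan` output (assumption:
# field names match your iw version). BSSIDs and SSIDs are made up.
SAMPLE_SCAN = (
    "BSS 02:00:00:aa:bb:01(on wlan0)\n"
    "\tSSID: mesh-no-wps\n"
    "\tRSN:\t * Version: 1\n"
    "BSS 02:00:00:aa:bb:02(on wlan0)\n"
    "\tSSID: mesh-pbc-only\n"
    "\tWPS:\t * Version: 1.0\n"
    "\t\t * Wi-Fi Protected Setup State: 2 (Configured)\n"
    "\t\t * Config methods: PBC\n"
    "BSS 02:00:00:aa:bb:03(on wlan0)\n"
    "\tSSID: mesh-pin\n"
    "\tWPS:\t * Version: 1.0\n"
    "\t\t * Config methods: Label, Display, PBC\n"
    "\t\t * AP setup locked: 0x01\n"
)

# Config methods that depend on a PIN rather than the push button (PBC).
PIN_METHODS = {"Label", "Display", "Keypad"}

def audit_wps(scan_text):
    """Return {bssid: {ssid, wps, methods, pin_capable, locked}}."""
    results, current, in_wps = {}, None, False
    for line in scan_text.splitlines():
        new_bss = re.match(r"BSS ([0-9a-f:]{17})", line)
        if new_bss:
            current = results.setdefault(new_bss.group(1), {
                "ssid": "", "wps": False, "methods": [],
                "pin_capable": False, "locked": False})
            in_wps = False
            continue
        if current is None:
            continue
        text = line.strip()
        if text.startswith("SSID:"):
            current["ssid"], in_wps = text[5:].strip(), False
        elif text.startswith("WPS:"):
            current["wps"], in_wps = True, True
        elif in_wps and text.startswith("* "):
            key, _, value = text[2:].partition(":")
            if key == "Config methods":
                current["methods"] = [m.strip() for m in value.split(",")]
                current["pin_capable"] = bool(PIN_METHODS & set(current["methods"]))
            elif key == "AP setup locked":
                current["locked"] = int(value.strip(), 16) != 0
        else:
            in_wps = False  # another information element started
    return results
```

An access point that lists only PBC matches the push-button-only behavior described for the Orbi; one that lists Label, Display or Keypad is advertising a PIN method.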

My favorite router, the Pepwave Surf SOHO, does not support WPS. That's partly why it made such a good first impression on me back in 2013.

UPDATE: April 30, 2017. Added an explanation of the WPS push button method.

UPDATE: August 12, 2017. I have been testing Ubiquiti AmpliFi routers and mesh points with firmware version 2.2.2. AmpliFi now enables WPS and the app does not let you disable it. There is still no documentation at all from the company about WPS. 

FEEDBACK
Get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on Twitter at @defensivecomput.
