The recent wave of new mesh router systems has brought with it changes besides the obvious increase in Wi-Fi range. For example, these mesh routers ar
The recent wave of new mesh router systems has brought with it changes besides the obvious increase in Wi-Fi range. For example, these mesh routers are more likely to insist on WPA2-AES encryption, as many have dropped support for the less secure WEP and WPA options. Not all of them, but many.
Here I take a look at another insecure router technology, WPS (Wi-Fi Protected Setup) and how these new mesh routers deal with it.
WPS is an alternate way of gaining access to a Wi-Fi network that does away with having to know the SSID (network name) and password. Much of what you read about WPS is incomplete, as it supports at least four different modes of operation.
One of these modes, known as PIN authentication, lets a Wi-Fi device get on a network by providing the PIN code of the router. Any router supporting WPS has a PIN code on the label, all you need do is turn the device over to see it. Often, the WPS PIN code can not be changed.
WPS got a big public black eye at the end of 2011, when it came out that the PIN authentication method was designed in such a way that it was vulnerable to brute force guessing. I explain the details on my RouterSecurity.org site, but the end result was that a router supporting WPS could be breached with a maximum of 11,000 PIN code guesses.
The real scandal is what happened in the subsequent five years: nothing. WPS is still required for a router to be certified by the Wi-Fi alliance.
But, finally, the latest crop of mesh routers are doing something about this. I looked at seven of them and found that five do not support WPS at all. One supports WPS, but not the PIN code method, and the last one is so poorly documented, its not clear exactly which modes of WPS operation are supported.
The five mesh routers that do not support WPS are Eero, Google Wifi, Ubiquiti AmpliFi, Plume and Luma.
An Eero tech support article, Frequently asked security questions, says “eero doesn’t support WEP, WPA, or WPS, as these protocols are known to be insecure.”
A Google tech support article, Google Wifi security features, says “WPS, a mechanism that lets a device join a wireless network without entering a password, is also not supported for security reasons.”
A Plume tech support article, Does Plume support WPS?, says “Plume does not not support WPS as it was discovered to be a less secure procedure for establishing a WiFi network.”
A Luma blog posting by Yasin Jabbar, What is Wi-Fi Protected Setup (WPS)?, points out the security issue with WPS, then concludes with “Our Luma WiFi routers natively don’t support WPS.”
I could not find anything from Ubiquiti about WPS, but I have used and tested one of their AmpliFi routers and found no indication of WPS support.
Most reviewers agree that the Netgear Orbi system offers the best Wi-Fi for consumers. Rather than dropping WPS entirely, Netgear supports the push button mode of WPS authentication.
A Netgear Knowledge Base article, Does my Orbi WiFi System support Wi-Fi Protected Setup (WPS)?, says that “You can use the Sync button on your Orbi router and satellite to connect devices that support WPS.”
Page 23 of the Orbi WiFi System User Manual (PDF) also gives the impression that WPS support is limited to the push button method of WPS, although this is not explicitly stated. Even assuming that WPS support is limited to button pushing, it does mean that anyone that can physically touch an Orbi device can get on its network. The manual says nothing about whether WPS can be disabled, so we have to assume it can not.
Finally, we come to Linksys and their Velop mesh system. The Velop User Guide (PDF) makes a bad first impression; not only is it undated, there is no reference to a firmware release number either. The Netgear manual that I referred to above clearly shows that it was updated in March 2017. My experience has been that manuals without a date or release number are issued and abandoned. That is, the manual will probably not be updated to to reflect changes in the firmware going forward.
Page 17 of the Velop User guide describes how to “Connect a Device with WPS” and says “Wi-Fi Protected Setup allows you to easily connect wireless devices to your Wi-Fi without manually entering security settings.” Easy has always been the mortal enemy of secure.
The screen shot of the mobile app on page 17 shows it saying “WPS is a secure way for basic users to connect devices without complicated authentication details.” No one thinks WPS is secure.
From the screen shot, it looks as if WPS can be disabled but the manual does not go into this at all. Most importantly, it is not at all clear which types of WPS are supported by the Velop system.
My favorite router, the Pepwave Surf SOHO, does not support WPS. That’s partly why it made such a good first impression back in 2013.
Get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on twitter at @defensivecomput