A security flaw in the WiFi Protected Setup (WPS) system has been uncovered and publicly disclosed.
Researcher Stefan Viehböck has published a PDF summary of his work here and an article about it also appears in The Register. Due to both design and implementation flaws in the WPS standard, most WPS enabled routers can be brute force attacked in around 2 hours. By brute forcing the router in this way, a secure connection is established and the victim’s network becomes penetrated.
Both Viehböck and US-CERT recommend that users disable push-button WPS until a firmware upgrade is available from manufacturers.
