WPS Flaw Vulnerable Devices
The version of the browser you are using is no longer supported. Please upgrade to a supported browser.Dismiss

View only
Device NameManufacturerType (Router/ AP /Bridge...)Firmware-VersionWPS enabled by default?Vulnerable (yes/no)Tool (Version) Average time for penetration *without* providing the PINWPS can be disabled (and it stays off!)Comments/Notestested byPINThis database is intended as an educational resource for users interested in IT-Security. I did not find the vulnerability, that honor goes to Stefan Viehböck and Craig Heffner.
MI424-WR Rev.EActiontecRouter20.19.8NoNoNonen/aWPS "functionality" is not enabled currentlyThis is the type of router that is used for Verizon FIOS and it appears to me at least that despite there being a button for WPS on the outside of the box, Actiontec says in the user manual:
"Although the WPS button is included on the FiOS Router, WPS functionality will not be enabled until a future firmware release. The button is included so that WPS can be activated at a later date without having to physically change the FiOS Router. The GUI does not include the WPS option."
WLAN 1421Alice/HansenetWlan Router1.0.16NoYesReaverYesI did a quick check. Seems to be vulnerable.

But with some kind of rate limit maybe. Every second try fails.
AirPort ExtremeAppleRouter7.5.2NoNon/an/aYes, see commentsApple seems to use the internal PIN Method, not external PIN. 60:33:4Bjagermo
Vodafone Easybox 602ArcadyanRouter/Modem20.02.022YesNoReaver 1.3Yes0:23:08Do we have more information about this? WPS PIN is enabled, but device is not vulnerable? Why?
Vodafone EasyBox 802ArcadyanRouter/Modem4/20/0207YesMaybeReaver 1.3, WPScrackYesThe Router brings a Message after 10 failed logins:
Bedingt durch zu viele Fehlversuche, nimmt ihre EasyBox keine WPS PIN Registrierung von externen Teilnehmern mehr entgegen.

Bitte setzten diesen WPS PIN durch einem neue zu generierenden WPS PIN Code wieder zuruck.
Translation: Device locks after ten wrong attempts, user needs to create a new WPS PIN code
Speedport W 504V Typ AArcadyanRouterunkownYesYesReaver 1.4 r1221 sekyes00:1D:1912345670
EasyBox 803Arcadyan Technology CorporationRouter30.05.211 (01.07.2011-10:36:41)YesYesReaver 1.3 [user reports untested, so his 3sec value here removed]yes (not testet maybe its already ative after switching to off!)i think there is an interesting thing between easyboxes and speedport AP's
some esyboxe's use a standard key begins with spXXXXXXXXXXXXX
with a 13 char length numeric key! (also some speedport aps use such a key but there is a nice script to get them with the hexdecimal mac of the target ap! [wardiving wiki!!!] that will work for a lot of speedport models ... )

Have nice day
RT-N16ASUSRouter1.0.2.3YesYesReaver 1.31176 secondsYesbc:ae:c5
RT-N10ASUSRouter1.0.0.8YesYesReaver 1.32 seconds per attempt/3.5 hours to crackYesReece Arnott
N13U v1&v2ASUSRouter2/1/2012NoNoReaver 1.310minYesASUS N13U uses only PBC WPS configuration method . WPS is switched off automatically after two minutes . Tested on ASUS N13U v1 and v2 using latest firmwareshA1d3R
Fritz!box 7390AVMRouter84.05.05NoNowill follow soonwill follow soonYesI found this list at work and thought I can provide you with some information of my router.

I filled out the parts I know and will check the clear field this evening:
- Is your device vulnerable against the WPS attack? *
- Wich tool did you use? *
- How long did it take you?
FireFlyHi Firefly, thanks - to fill in the missing informations, just re-do the form.
Fritz!Box 7240AVMRouter73.05.05NoNowpscrack, Reaver 1.2uncrackableyes00:24:FE
FritzBox7390AVMRouterALLNoNoReaver 1.3uncrackableYesYou have to activate WPS manually. I's deactivated after every successful wps connection and after 2 minutes. =>Not vulnerable because of very short time limit.f.reddy
Fritz!Box WLAN 3370AVMRouter / Modem103.05.07NoNoN/AN/AYesI think all current AVM devices are save as WPS with pin isn't activated on default.
n150BelkinRouterUnknownyesyesReaver 1.212.5 hoursyes
F9K1001v1BelkinRouterF9K1001_WW_1.00.08YesYesReaver 1.37765 secondsYes
F6D6230-4 v1000BelkinRouter1.00.19 (Apr 22 2010)YesYesReaver 1.320 minyesNo lockout, no delay needed.0:23:15
F9K1001v1 (N150)BelkinRouter1.0.08YesYesReaver 1.341 minutes, 12 secondsYesThe F9K1001v1 is the same as the Belkin N150. I got lucky on the speed, the first 4 digits were found at 3.06% completion.08:86:3BNick21250491
F7D1301 v1BelkinRouter1.00.22YesMaybenoneyesdidn't bother to test, but i assume it's vulnerable judging by the other Belkin routers that come with WPS enabled94:44:52beej
F7D2301 v1BelkinRouter1.00.16 (Jul 2 2010 14:36:56)YesYesReaver 1.31.9 HoursYes94:44:5293645348
F9K1105 v1Belkinrouter1.00.03 (Jul 4 2011) YesYesReaver 1.33hoursyes
F9K1001 v1Belkin Router1.00.08YesYesReaver 1.211.2 HoursYes8302441
7800nBillionRouter1.06dNoMaybeReaver 1.314 hoursYesOnly vulnerable when WPS is enabled. Even though I had my attack laptop in the same room as my router, it still took 14 hours to find the PIN.

Disabling WPS is completely effective.
BiPAC 7404VGPXBillion AP6.23YesYesreaver 1.33hoursno
WZR-HP-G300NHBuffaloRouterUnknownYesMaybeReaver via BacktrackWithin 1 hourYesWith WPS turned off reaver did nothing. With WPS on reaver is looking for the pin. This routers was bought and being used in Japan.
WZR-HP-AG300HBuffaloAccess Piontdd-wrt v24SP2-multi build 15940YesNoreaver 1.4No but it starts lockedWPS is enabled by default and I cannot turn it off. However, Reaver reports that the state is locked at first try. Beacon packets sometimes show WPS (and thus appear in walsh), and other time WPS is not in beacon packets and thus is not reported by walsh.

So far I am unable to break wps with reaver even using the known PIN. I've never actually tested to see if wps even works properly in the first place however.
Linksys E4200 v1CiscoRouter1.0.03 (Build 14)yesyesReaver 1.21 second / attempt, no anti-flooding / blocking / delaynoWPS LED blinking continuously during attack. Vulnerable with latest firmware, no way to disable WPS -> epic fail! Anonymous user 9308: I've also noticed that across 2 different linksys devices (don't have them on me now) the default WPS pin of 12345670 was the result of 2.5 and 6 hours cracking
Valet M10CiscoRouter2.0.01YesYesReaver 1.25 hoursNOA newer firmware is available (2.0.03), but the changes were fairly trivial according to the release notes.
Linksys E4200CiscoRouter1.0.0.3YesYesReaver4hNOFeedback by security@cisco.com

"Issue has been identified and being worked on by product engineering.
There is no ETA of a firmware release. Please continue to check support
web page for the E4200v1. If you have E4200v2 you can use the auto
firmware update to see if there is a new firmware update."
Linksys E3200 v1CiscoRouter1.0.02YesYesReaver 1.3 & r5824hNoWith 1.3, use the --ignore-locks option. With r58 and over, use --lock-delay 60. The router has a 60 seconds cycle with 3 PINs. I was lucky it went as fast, it could've taken a lot longer.58:6D:8FSocapex
WRVS4400NCiscoRouter1/1/2013NoNononenot available
UC320WCiscoUnified CommunicationsCurrent VersionyesyesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCisco
WAP4410NCiscoAccess PointCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCisco
RV110WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCisco
RV120WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCisco
SRP521WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCisco
SRP526WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCisco
SRP527WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCisco
SRP541WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCisco
SRP546WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCisco
SRP547WCiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCisco
WRP400CiscoRouterCurrent VersionYesYesReported by Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wpsCisco
Linksys E1000CiscoRouter2.1.00 build 7Sep 21, 2010YesYesReaver 1.47/6/2012NoTook aound 6.7hrs to recover the WPS Pin C0:C1:C0aBs0lut3z33r0
Lynksis E3200 v1CiscoRouter1.0.03YesYesReaver 1.4NoAs stated by Cisco for firmware 1.0.03:

- Added Enabled/Disabled feature for Wi-Fi Protected Setup in the web configuration
- Added WPS lockdown feature

Not true, still works great :) There is no new WPS lockdown, still 60s/3 pins. Anyone else can confirm this?
WRT320NCisco LinksysRouterunknownYesMaybeReaver 1.4n/aunknownReaver constantly outputs 'WPS transaction failed (code: 0x2)', indicating an "Unexpected timeout or EAP failure".
WRT610NCisco-LinksysRouter2.00.01.15YesYesReaver 1.424 hoursNot SureChaos12215676
DIR-615D-LinkRouter4,1YesYesReaver-1.1ca. 1h 45minYes
DIR-855D-LinkRouter1.23EUYesMaybeReaver 1.3user reported 5 minute timeout on failed registration, unknown inducement thresholdyes
DIR-655 vB1D-LinkRouter2.00NAYesMaybeWifi Analyzer (Android) v3.0.2Yes5C:D9:98Can be user-generated
DIR-300 (HV - B1)D-LinkRouter5/2/2012YesYesReaver 1.34 Daysyes - can be completely deabledNsol
DIR-300D-LinkRouter"2.05"YesYesReaver 1.34 DaysyesNsol
DIR-655 A3D-LinkRouter1.22b5YesYesReaver 1.34.5hrsYesDevice ships with WPS enabled; I normally keep disabled; older 1.22b5 firmware since more stable. Allows you to specify a different WPS PIN; When enabled took approx 4.5 hrs to recover WPS pin and WPA2 password; Router constantly re-boots (approx every 30-50 PIN attempts) during this period and was also subjected to a denial of service. Reaver continues to try pins when router recovers using -L option. Can adjust Reaver timing settings for better results. Reaver 1.3 on BackTrack 5R1.

Reaver thinks router is rate limiting (it is actually crashing); restarting Reaver or using -L allowed Reaver to continue checking pins almost immediately or as soon as the router rebooted itself.
DIR-300D-LinkRouterCurrentYesYesyestested and reported by D-Link directly D-Link
DIR-457D-LinkRouterCurrentYesYesYestested and reported by D-Link directlyD-Link
DIR-501D-LinkRouterCurrenttested and reported by D-Link directlyD-Link
DIR-600D-LinkRouterCurrentYesYesYestested and reported by D-Link directlyD-Link
DIR-615 Rev D+ HD-LinkRouterCurrentYesYesYestested and reported by D-Link directlyD-Link
DIR-615 Rev. BD-LinkRouterCurrentYesYesyestested and reported by D-Link directlyD-Link
DIR-635 Rev BD-LinkRouterCurrentYesYesyestested and reported by D-Link directlyD-Link
DIR-645D-LinkRouterCurrentYesYesYestested and reported by D-Link directlyD-Link
DIR-652D-LinkRouterCurrentYesYesyestested and reported by D-Link directlyD-Link
DIR-655D-LinkRouterCurrentYesYesYestested and reported by D-Link directlyD-Link
DIR-657D-LinkRouterCurrentYesYesYestested and reported by D-Link directlyD-Link
DIR-815D-LinkRouterCurrentYesYesyestested and reported by D-Link directlyD-Link
DIR-852D-LinkRouterCurrentYesYesyestested and reported by D-Link directlyD-Link
DIR-855D-LinkRouterCurrentYesYesyestested and reported by D-Link directlyD-Link
DAP-1360D-LinkAccess PointCurrentYesYesyestested and reported by D-Link directlyD-Link
DAP-1522D-LinkAccess PointCurrentYesYesyestested and reported by D-Link directlyD-Link
DIR-625D-LinkRouter3,04YesYesReaver 1.44 hoursYesHardware version (very relevant for some D-Link devices): C2
This is the first device that I've successfully recovered the PIN from!
DIR-615D-LinkRouter2,23YesNoReaver 1.3n/aYesHardware version B2. This device appears to enter a WPS "blocked" state after approximately 60 failed PIN attempts (consistently around 0.60% progress in Reaver). It does not unblock until a system reboot.
DIR-628DLinkRouter/access point11/1/2012YesYesreaver 1.3Didn't let it runyesI didn't bother letting reaver run until it cracked the PIN -- I just wanted to confirm that it was vulnerable, and that turning off WPS fixed it. Walsh listed it as vulnerable before turning off WPS, but not after.
DWA125 with Ralink2870 / 3070DlinkUSB1NoNoReaver 1.4i don't know
DWA125 with Ralink2870 / 3070DlinkUSB1NoNoReaver 1.4i don't know
3G-6200nLEdimaxRouter1.06bNoNoN/AN/AYesRouter has a Push Button to Enable WPSCan you verify, that push button is the only method they are using?
ECB9500EngeniusWireless Gigabit Client Bridge02.02.2009YesYesReaver 1.3 >4 hoursYesMore information about this can be found here: http://www.virtualistic.nl/archives/691virtualistic.nl
EchoLife HG521 HuaweiRouter1,02yesyesReaver 1.15-6 hoursyesTalkTalk ISP UK
BtHomeHiub3HuaweiRouter/ADSLUnknownYesYesReaver 1.350 minutesUnknownUnknown
E3000LinksysRouter1.0.04YesMaybe - see CommentsReaver 1.324hYesWPS lockdown after 20 attemps (power cycle needed). Testet with reaver -p "PIN" ->got WPA Key. =>not vurlnerable because of automatic lockdown.
58:6D:8F:0Af.reddy69382161more information about this router and the WPS-DoS: http://www.reddit.com/r/netsec/comments/nzvys/wps_brute_force_i_started_public_google_doc_so_we/c3domfn
WRT350NLinksysRouter2.0.3 i think (newest!)YesMaybe - see CommentsReaver 1.3YesReaver gives thousands of errormessages when I try to crack this type of AP.
Tried several parameters... Strange WPS implementation!?!?
E2500LinksysRouter1.0.02YesMaybeReaver 1.3I stopped Reaver after 16 hrs with no success. See commentsNoI left Reaver running overnight, it was stuck in an error the next day after 16 hours. It kept trying to attempt to send a PIN, but every time it would return the error "[!] WARNING: Receive timeout occurred". The WPS LED on the back of the router is normally solid green; it starts to flash on and off during the attack, and when this error is hit the LED turns off and stays off. The only way to fix this is to unplug the router and plug it back in. I was only able to retrieve the pin after resetting the router a few times by unplugging/replugging it and restarting Reaver from where it left off.58:6D:8FNick
WRT120NLinksysRouterv1.0.01YesYesReaver 1.34hnohad to restart the router after 29%, because reaver stuck at the same pin and received timeouts00:25:9C
WRT160Nv2LinksysRouter2.0.03 YesYesReaver5 hoursno
E1000LinksysRouterunknownYesYesReaver 1.37hNo2 seconds/attempt - I let it run all night, had a few hiccups (timeout warnings), but psk was eventually found.c0:c1:c0
E1200LinksysRouter1.0.02 build 5YesYesReaver 1.45 hrs, 20 minsNo2 secs/attempt; Never locked up EVER!58:6D:8FMolito
E4200LinksysRouter 1.0.02 build 13 May 24, 2011NoYesReaver v1.34 hoursNo, it doesn't appear to be58:6D:8Ftxag47158382
WRT54G2Linksys / CiscoRouterunknownYesYesReaver 6 hoursYes, but not sure if it stays offThis information ist from this Arstechnica article http://arst.ch/s0i - filled in by jagermo - but it seems that Linksys does not have a standard-pinSean Gallagher8699183
E4200Linksys / CiscoRouterunknownYesYesReaver 1.3 - with PIN-OptionNo, see commentsConfirmed that PIN-Method stays switched on, even if you turn WPS off in the management interface. This is really a problem. jagermo
WRT350Nv2.1Linksys / CiscoRouter2.00.20YesMaybeReaver 1.4NoStarts testing PINs and after 2 attempts I supose it lock you out.
Testet with reaver -p "PIN" ->got WPA Key.
WAG160Nv2Linksys by CiscoADSL Modem Router, Wifi AP2.0.0.20YesYesReaver 1.45.5 HrsNo. Though the router's web portal has an option to not choose WPS, it still remains active.It took about 1.5 seconds per attempt when the router was not doing any activity, took around 5 hrs for the first half of PIN and few mins for rest. The Linksys WAG160Nv2 router doesn't have any lock down and no option to disable WPS either. The Router didn't crash and the PIN was cracked on first attempt, though the mon0 interface on BT5r1 crashed. The Reaver was started again with earlier instance.

When the router was active with couple of wired and wireless users with LAN and Internet activity, it took about 40 seconds per attempt.
WRT100Linksys-CiscoRouter1.0.05YesYesReaver 1.476 minutesNocracked PIN was not the same as the PIN displayed in the router's security settings. looks like pin can be customized but there is also a default PIN hard coded into the router.00:1D:7E
WRT100Linksys-CiscoRouter1.0.05YesYesReaver 1.476 minutesNocracked PIN was not the same as the PIN displayed in the router's security settings. looks like pin can be customized but there is also a default PIN hard coded into the router.00:1D:7E
NP800nNetcommWireless Router1.0.14YesYesReaver 1.310 hoursyesn/aISP rep
CG3100NetgearCable Modem (with built in Gateway/AP) 1.2YesThis device has support for WPS, turned off by default, and only through the Push-Button and Registrar PIN method (i.e. enter the Wireless Adapters PIN at the AP side, as opposed to enter the APs PIN at the Wireless Adapter side)c4:3d:c7
CG3100DNETGEARCable/routerunknownYesYesreaver svn rev. 525 hoursyesIs a router provided by very popular ISP, at least in my country.
Was tested with options: -r 5 -x 30 -w
Signal was about -60
Sometimes reaver enters in a loop and tries the same PIN 10 or 15 times, but luckly continues as normal after these 10-15 tries.
DGND3700NetgearModem/RouterV1.0.0.12_1.0.12YesYesReaver 1.3YesRouter has a timeout built in afet approx 20 attempts; using default delay (315 secs) will allow resume - but does significantly slow down the number of attempts/sec.20:4E:7FI'm seeing something similar on the WNDR3700
WNDR3700NetgearRouter1.0.7.98yesyes, but.... see commentsReaver 1.2Device locks after WPS Flodding, if you wait for like half an hour and use Reaver 1.3, you can resume the attack. Returns PIN, but WPA2-Passphrase is gibberish
DGN1000BNetgearRouter1.00.45NoMaybeWPScrackis deactivated by defaultWPS is only enabled for approx. 2 min when you use push 'n' connect to connect a new device to WLAN.
MBRN3000NetGearRouter (ADSL + 3G) 1.33hyesdankwardo
Main menu