So I'm still reading on WPS. Everyone here says a button must be pressed to initiate a pairing. However, Asus' own FAQ (
https://www.asus.com/us/support/FAQ/1010683/) clearly states ASUSWRT must support PIN to be compliant with the WPS standard.
Further, it acknowledges "WPS(Wi-Fi Protected Setup) is a network security standard that attempts to allow users to easily secure a wireless home network but could fall to brute-force attacks if one or more of the network's access points do not guard against the attack."
It says right there that an AP (node) can be vulnerable to brute force attacks. If the node still has WPS enabled (as demonstrated by a wifi scanner) and there is a required PIN option (which is what I assume AP PIN Code is in the settings; an eight digit code that's really 4+3+checksum), then how is it *not* vulnerable to attack? This is Asus' own FAQ from July 2017.
To add to the confusion, you have this FAQ (
https://www.asus.com/support/FAQ/1011434), which repeats the idea that a button must be pushed or a client PIN must be entered, but it's from 2015 (so older) and it doesn't say a word about the AP PIN Code setting. I can't seem to find any specific info on this AP PIN Code setting, but I don't know what else it could be (is it just there to be compliant but otherwise not functioning?)
For additional reference, this site (
https://routersecurity.org/wps.php) goes into more detail about various issues, including using the WiFi app on Android that I use, to ID networks using WPS (not just WPS capable) signals.
The conclusion users here have is that push button means you must have physical access to the router to activate WPS, but this does not explain the presence of the AP PIN Code.
It also seems that this forum's conclusion is that "that's just how it is, either accept it or stop using it." True enough that any user that believes there is a security concern should move on. However, if the WPS vulnerability is indeed expressed by an AiMesh node keeping it open despite it being disabled at the router settings (regardless of reason), then this should be made known so people are fully aware and can make an informed decision. Otherwise, I find it not much different than the routers of old (e.g., Linksys) where the WPS toggle was effectively useless and WPS remained always on until a firmware update was released (if it ever even was).
I apologise for the wall of text and continued discussion, but contrary to some accusations, I *am* reading up on this topic quite a bit and I still have some concern there is a flaw with this firmware that hasn't been properly addressed yet. This does not take away from the efforts of Arthur or anyone else, but this matter does not feel resolved.
I can understand if people want to block me now. No hard feelings. Ya'll keep being awesome.