WPS: Is it still insecure?

[ThereIsNoName]

Back in 2011 there were reports of a security vulnerability in WPS, where an online attacker would need only 11000 guesses to gain access to any WPS enabled device.

Possible mitigations that were mentioned was to completely turn WPS off, to be able to turn off only the PIN and keep the physical button active, and to introduce an exponentially increasing time-delay between PIN guesses.

What is the status of this issue in Merlin?
1. Has ASUS done anything to address this security problem?
2. When you turn of WPS in the admin GUI, is it then really entirely turned of, and not still running in the background, which has been reported in some devices?
3. Does Merlin in any way address this issue?
4. Is it still recommended to have WPS turned off, or is it now considered safe?


///H

 

[Bawbag]

It used to be fairly easy with Reaver tool on Linux but now WPS is more secure. New implementations on routers block the MAC for varying periods of time after 3 failed PIN attempts making it not worth the time or effort. Should be safe enough now but I don't ever use WPS and turn it off anyway.