Due to poor implementation a brute force attack can be mounted which only has to guess the first half of the pin. This means there are only 11000 combinations to guess in total and each guess takes around 1.3 seconds. There is no mechanism in routers to disconnect a user after so many failed login attempts.
The PDF shows how it works. There is an unreleased proof of concept tool (Stefan Viehbock is cleaning up the code) but using the paper you should be able to implement it yourself.
viehboeck_wps.pdf (application/pdf Object).
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft
robin@edgarbv.com
https://www.edgarbv.com