Due to a poor implementation, a brute-force attack can be mounted that only has to guess the first half of the PIN. This means there are only 11000 combinations to guess in total, and each guess takes around 1.3 seconds. Routers have no mechanism to disconnect a user after a set number of failed login attempts.
The PDF shows how it works. There is an unreleased proof-of-concept tool (Stefan Viehböck is cleaning up the code), but using the paper you should be able to implement it yourself.