There are currently 14 mobile WLAN hotspots in the Stiftung Warentest laboratories. The results should come in a few weeks. Unusually early, the experts provide an insight into the ongoing tests - and issue a warning. According to Stiftung Warentest, security gaps in connection with the simplified network access called Wi-Fi Protected Setup (WPS) were found in three devices.
According to the product test, the devices "Asus 4G-N16 Wireless-N300 LTE Modem Router", "D-Link DWR-933 4G/LTE Cat 6 Wi-Fi Hotspot" and "TP-Link Archer MR500 4G Cat6 AC1200 WLAN Dual Band Gigabit" are affected router". Security gaps were found in the delivery state of these mobile WLAN hotspots, which would enable hackers to carry out various attacks via WPS. Within the wireless network range of the devices, it is therefore possible to eavesdrop on communications, steal data and even use the hotspot as an Internet access point without a password in order to pursue illegal activities at a false address.
Luckily, the problem can be easily eliminated with two devices, because the vulnerability can be switched off: Anyone who disables the WPS function in the system settings of Asus and TP-Link is immediately on the safe side, they say. If you go online via the mobile WiFi hotspot from D-Link, things look different: the security gap is still wide open even if you don't use WPS. Warentest writes that it may help to change the standard PIN for access via WPS.
Stiftung Warentest reports that the finds were immediately reported to the manufacturers and the Federal Office for Information Security (BSI). TP-Link has now confirmed this with its own company report and has already published an update for the affected device.
Asus and D-Link did not remain idle either. D-Link also wants to deliver an update this week, Asus stated that they want to do this "as soon as possible" and, in accordance with the recommendation of the Stiftung Warentest, recommends switching off WPS by then.
This is not the first time Wi-Fi Protected Setup (WPS) has been criticized for being an insecure access technology for all types of WiFi routers. The usually very simple PIN in particular can be found out relatively quickly by attackers. On the other hand, there is only a very limited benefit, because both Apple and Google do not support WPS (anymore). Only Windows laptops benefit from password-free WiFi access.