NetRise, a company focused on protecting firmware and software components of IoT devices, has reported that many network devices remain susceptible to the Pixie Dust attack method discovered over a decade ago via Wi-Fi. This was reported by SecurityWeek.

Image Source: SecurityWeek
The attack, known as Pixie Dust, was discovered in 2014, when it was proven that vulnerabilities associated with the Wi-Fi Protected Setup (WPS) protocol could be exploited to obtain a router’s WPS PIN and connect to the target wireless network without entering a password.
The Pixie Dust attack assumes that an attacker within range of the target Wi-Fi network intercepts the initial WPS handshake containing data between the client and the access point for authentication, which can then be cracked offline to obtain the WPS PIN. This attack relies on the fact that, on certain devices, the random number (transmitted between the client and the access point) is generated using predictable or low-entropy methods. An attacker can intercept the WPS handshake in just a few seconds and then receive the PIN offline in a matter of minutes or even seconds.
NetRise conducted a vulnerability analysis of 24 models of network devices currently in use for susceptibility to the Pixie Dust attack. These devices are from six manufacturers, with half produced by TP-Link. NetRise’s analysis revealed that out of 24 routers, access points, signal amplifiers, and Powerline/Wi-Fi hybrid systems, only four devices were able to defend against the Pixie Dust attack, and in many cases, fixes were only implemented 9-10 years later. Among the unpatched products, seven have been discontinued, but 13 are still supported. During testing, NetRise experts were able to recover the WPS PIN of devices affected by the Pixie Dust vulnerability in 1-2 seconds. In scale, this could involve millions of devices affected by the Pixie Dust vulnerability.
“The vulnerable implementation of WPS reflects systemic flaws in the firmware supply chain. Vendors reuse insecure libraries, fail to ensure compliance with default security configurations, and provide low transparency. This poses risks of reputational damage to manufacturers, potential regulatory intervention, and legal liability. Vulnerable devices may appear secure due to user interface settings that seem safe, which hide or disable WPS, but vulnerabilities still exist at the firmware level. This creates covert pathways for exploitation in high-trust environments such as corporate branches, retail, and healthcare. Enterprises cannot reliably detect this vulnerability on their own and still rely on vendor disclosures, which vendors often do not provide,” NetRise pointed out.
NetRise’s research was conducted following a recent warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which indicated that an old vulnerability related to missing authentication is being used in actual attacks affecting TP-Link’s Wi-Fi band signal amplifiers.