Today, I tested it with 10+ WPS-compliant APs at work, and the results were quite interesting.

It seems that "WPS-compliant device" can mean virtually anything. The first router was accepting *every* PIN as correct, so Reaver reported the WPS PIN cracked after 2-5 seconds, every time, no matter which PIN was tested. Of course, it wasn't giving any WPA passphrase (unfortunately or fortunately, depending on point of view). When I tried to connect to this AP the "godly way", it wasn't using any pre-defined PIN - the N900 dialog was asking me to use the on-AP button. I was able to choose the "PIN method", but that was even more ridiculous - instead of asking me to input a PIN on the N900, it actually *gave* me a PIN via the N900 dialog, and requested that I input this PIN into the AP. Every attempt resulted in a different PIN being created.

So, this Access Point was protected against this attack vector, but, according to the WPS standard, it wasn't compliant with *any* obligatory method of establishing a WPS connection...

Another router - some kind of damn Livebox - after 4-5 PIN attempts just locked out further WPS connections. Using any delay (instead of the default 315) hasn't helped. The interesting thing is that when I checked it after 10 hours, it was still in the WPS-locked state. I wonder if it's going to allow WPS tomorrow - maybe, after lockout, it requires a restart to work properly? That would mean Reaver is performing a WPS DoS on this model, as during the lockup no client is able to connect via WPS.

A few other machines were working with Reaver "normally". Yet, the time between effective PIN attempts wasn't particularly awesome - Reaver measured it as an average of 27 seconds per PIN. Despite having a strong signal, I was getting "response timeouts" many times. This requires further investigation, as sometimes I was able to check 7 PINs per 10 seconds, and in other situations the same router allowed 1 PIN per minute.

Finally, one router 'seemed' to work, but wasn't responding to PIN attempts at all - Reaver just tried one and only one PIN for the whole testing period. I thought it was related to MAC filtering, so I used an allowed MAC for the 2nd attempt, but the results were the same. By the way, I also tried an allowed MAC for the first router (the one that was giving a PIN instead of requesting one), also with no new results.

The bright side is that it isn't power demanding. Using the N900 with 800 mAh (out of 3070 mAh total), I was expecting a quick need for a charge. Instead, after ~8h, I was still at ~500 mAh. Power usage resembled the regular one with WiFi connected to an AP, staying idle (GSM was disabled totally during the tests).

Overall, on the router working best, 8h30min resulted in 1.45% of the 11000 PINs checked. Far from the 'promised' 10-13h to 50%, but it probably depends highly on the AP - I haven't noticed anything that could indicate problems with fast PIN checking on the N900 or Reaver side. Probably, newer routers that most strictly follow the WPS standards are - ironically - more prone to quick WPS cracking.

/Estel

// Edit

While actively trying to crack one AP, the N900 reported 7-13% processor usage @ 500 MHz - including Conky itself and, of course, other N900 processes. So Reaver itself was using about 3-9% @ 500 MHz. It never resulted in an on-demand jump to a higher frequency.

Last edited by Estel; 2012-01-06 at 19:18.
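The post above talks about "11000 PINs", a 27 s/PIN average and a promised "10-13h to 50%". The following is an added example, not code from the original post or from Reaver, that shows where the 11000 figure comes from: the WPS PIN checksum digit and the split verification of the two PIN halves (the AP's NACK after message M4 reveals whether the first four digits were right, and after M6 whether the remaining three were), plus a small ETA helper so the quoted rates can be turned into wall-clock estimates. The checksum algorithm is the one from the Wi-Fi Simple Configuration specification; the function and parameter names are this example's own.

```python
"""WPS PIN structure and online brute-force search space (added example).

Not code from the original post or from Reaver. Assumes the published WPS
PIN format: 7 digits plus a checksum digit, verified by the registrar in two
halves (first 4 digits, then the last 3 digits whose 8th digit is derived).
"""


def wps_pin_checksum(first_seven: int) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN body.

    Digits are weighted 3,1,3,1,... starting from the least significant one;
    the checksum digit makes the weighted sum a multiple of 10.
    """
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if `pin` is 8 digits whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def full_pin(first_half: str, second_half: str) -> str:
    """Assemble an 8-digit PIN from a 4-digit and a 3-digit half + checksum."""
    body = int(first_half + second_half)
    return f"{body:07d}{wps_pin_checksum(body)}"


def split_pin_candidates():
    """Yield every (stage, half) an online attack has to try.

    Because the registrar answers the first half before ever seeing the
    second, the halves are searched independently: 10**4 first halves,
    then 10**3 second halves (the 8th digit is fixed by the checksum).
    That is 11000 attempts worst case instead of 10**8.
    """
    for first in range(10_000):
        yield ("first", f"{first:04d}")
    for second in range(1_000):
        yield ("second", f"{second:03d}")


def eta_seconds(seconds_per_pin: float, fraction: float = 0.5,
                space: int = 11_000) -> float:
    """Wall-clock time to exhaust `fraction` of the search space at a rate."""
    return seconds_per_pin * space * fraction


def seconds_per_pin_from_progress(fraction_done: float, elapsed_s: float,
                                  space: int = 11_000) -> float:
    """Back out the effective per-PIN cost from a progress percentage."""
    return elapsed_s / (fraction_done * space)


if __name__ == "__main__":
    # Well-known default PIN "12345670": 1234567 has checksum 0.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("candidates:", sum(1 for _ in split_pin_candidates()))
    # Constructed figures, matching the numbers quoted in the post.
    print("50% at 27 s/PIN: %.2f h" % (eta_seconds(27) / 3600))
    print("effective s/PIN for 1.45%% in 8h30: %.0f"
          % seconds_per_pin_from_progress(0.0145, 8.5 * 3600))
```

The `split_pin_candidates` order mirrors how Reaver proceeds (all first halves, then all second halves), which is why a lockout after a handful of attempts, as with the Livebox above, is so effective: the attacker never gets past the first stage.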