@PNRichardC
I think you are confusing WPS which is a method for setting up the wireless, with security encryption which could be WEP/WPA/WPA2.
There used to be security vulnerabilities with WPS which could be hacked and then the WPA(2) encryption key could be obtained.
Edit: and PS that enquiry was 8 weeks ago!

I didn't spot that the reason this thread had appeared at the top of the new posts list was ejkirby had commented after a long gap instead of starting a new thread.
WPS is a mechanism for sharing pre-shared encryption keys.  The PIN method has been criticised.  It just seemed to me incongruous to be worrying about getting a firmware update to address the problem when a better solution would be to enter secure keys directly, or does this router not allow that?  deadkenny didn't seem sure which WPS method he had used, which made me wonder if he had no encryption at all.

split off to avoid confusion and to make it more visible to staff - title also changed

Quote from: PNRichardC

WPS is a mechanism for sharing pre-shared encryption keys.  The PIN method has been criticised.  It just seemed to me incongruous to be worrying about getting a firmware update to address the problem when a better solution would be to enter secure keys directly, or does this router not allow that?  deadkenny didn't seem sure which WPS method he had used, which made me wonder if he had no encryption at all.

I'm well aware of the WPA/WPA2 side of things and yes, WPA2 absolutely preferable and I would never run it with no encryption.
No, my enquiry was about WPS. I'd only used it once myself, via the button, just to see what it does really, but I don't want or need to use it. As for being sure about using it, I'm 100% sure *I* am not using it, my concern is whether anyone else could use it externally without my knowledge if there's a router vulnerability.
i.e. My concern in the original post a while back was in response to this which was doing the rounds recently in the news in relation to a newly discovered flaw beyond the earlier PIN vulnerability...
http://www.engadget.com/2014/08/31/wifi-protected-setup-flaw/
So my question was, is my router vulnerable, and if so how can I disable WPS? As I understand it I don't have to be using WPS myself, but if it's present in the router and enabled it can be attacked using the PIN method, unless fully disabled. Advice in the news is simply to disable WPS.
So far the PN response on the other thread now was that I should be okay. If that's the case, then I'm fine. Would still be nice to have an option for no one to be able to use WPS via PIN in case of future vulnerabilities (obviously the button method needs physical access).

This part split off as it has no relevance to the request for a firmware upgrade

Hi, I don't think it's an issue in this firmware, I'll see what I can check, however you can turn it off through the GUI. I've turned mine off.
Login, select 5.4 Advanced Options at the bottom of the screen, select Home Network from the LH menu and then select your WLAN from the displayed Interfaces.  The steps to get there may be slightly different on your Firmware, I'm running the later 10.2.5.2 EO firmware.
On the top RHS of the screen you have Overview | Details | Configure - select Configure
Towards the bottom of the screen there is "Security" - you can uncheck WPS Enabled there.
You can also make any other changes you want 
HTH.

Quote from: PNRichardC

I didn't spot that the reason this thread had appeared at the top of the new posts list was ejkirby had commented after a long gap instead of starting a new thread.

There's no real problem (on this forum anyway) with using an existing thread to raise something that is "on topic", in a lot of cases it's to be preferred as it helps with context. It doesn't normally affect "visibility" of a post in any event.

Quote from: Anotherone

Hi, I don't think it's an issue in this firmware, I'll see what I can check, however you can turn it off through the GUI. I've turned mine off. Login, select 5.4 Advanced Options at the bottom of the screen, select Home Network from the LH menu and then select your WLAN from the displayed Interfaces.  The steps to get there may be slightly different on your Firmware, I'm running the later 10.2.5.2 EO firmware. On the top RHS of the screen you have Overview | Details | Configure - select Configure Towards the bottom of the screen there is "Security" - you can uncheck WPS Enabled there. You can also make any other changes you want  HTH.

Aha, I missed that option for some reason, though it's obvious now I look at it. I've been in there before to change the channel so surely I noticed it. Oh well 
That works. Many thanks.

Sorry, I misunderstood what you were saying in the post I quoted.
The vulnerability may be worse than I had thought.  I thought WPS could be ignored and that a router was only vulnerable if it had been set up with the WPS PIN method and only PIN derived PSKs could be exposed, but it seems it is much wider than that.  Unfortunately the PIN method is a mandatory part of WPS.
The article you refer to manages to create quite a muddle.  One guess is actually 11000 guesses.  It does link to another article which explains thngs a lot better, but the copy I managed to download was a bit garbled.
This article also explains it and suggests a workaround is to disable the external registrar feature of WPS.
http://www.kb.cert.org/vuls/id/723755
This is what Technicolor says.
http://www.kb.cert.org/vuls/id/JALR-8PKL26
It seems the original design locked the router for 5 hours after 5 failed attempts.  This would increase the time taken for a brute force attack by about 50 hours.  Technicolor proposes to lock the router after 10 failed attempts.  It would then have to be reset from the GUI or CLI or rebooted.  It does not give a date for the change.
It says WPS can be disabled by entering the following command from the CLI.
[tt]:wireless wps config state disabled[/tt]
Added.  "locked the router for 5 hours" sholuld read 5 minutes.  Also this was nearly 3 years ago so it probably has been fixed by now.

Glad you sorted it deadkenny, I'll post back here if I find anything definitive on the vulnerability issue itself, although PNRichardC has dug something out by the looks of the previous post, but IIRC it got implemented. I'll expect he'll also note it's easier to turn WPS off via the GUI rather than having to Telnet