But by including a flag in the EAP-NACK message, the standard unwittingly left a gaping hole that can be exploited by hackers to subvert your router. The message tells the user if the first half of the pin they typed was right. Thus it drastically reduces the time needed to crack the PIN using a brute force attack. Add in that the last bit of the PIN is always its checksum, you have a recipe for a security disaster.
[...]
The U.S. Department of Homeland Security (DHS) has issued a warning to the public about the flaw. It advises disabling WPS.
Can't really say I'm surprised. I mean when you try to make security like this easy for normal users, it tends to backfire.