The vulnerability lies in the fact that from the router's response you can tell whether the first half of the PIN is wrong or the second half, which effectively halves the key size; it's as if you split an 8-character password into two 4-character passwords, which is of course enormously (exponentially) faster to crack. Because the whole thing was designed by some idiot.
A more detailed description, e.g. quickly found via Google:
https://briolidz.wordpress.com/2012/01/10/wi-fi-protected-setup-wps/
Basically, these attacks rely on discovering the PIN much quicker than brute forcing the PSK and work as follows:
If the WPS Registration Protocol fails at some point, the Registrar will send a NACK message.
If the attacker receives a NACK message after sending M4, he knows that the first half of the PIN was incorrect. See definition of R-Hash1 and R-Hash2.
If the attacker receives a NACK message after sending M6, he knows that the second half of the PIN was incorrect.
This method dramatically decreases the maximum possible authentication attempts needed from 10^8 to 10^4 + 10^4.
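To make the attempt-count claim concrete, here is an added example (not code from the post or from the linked article): a toy model of the Registrar behaviour quoted above, answering NACK at M4 when the first four digits are wrong and NACK at M6 when the last four are wrong, with a counter so the worst-case number of exchanges can be measured, plus a lockout switch showing the standard mitigation. `ToyRegistrar`, `split_half_search` and the lockout threshold of 10 are constructed for this illustration; nothing here touches real WPS cryptography or radio traffic.

```python
# Added example: toy model of the WPS split-half leak described in the quoted text.
# ToyRegistrar / split_half_search / lockout_after are constructed names for this
# illustration, not part of any real WPS implementation.
from typing import Optional


class ToyRegistrar:
    """Answers a PIN attempt the way the leak works: NACK after M4 when the
    first four digits are wrong, NACK after M6 when the last four are wrong."""

    def __init__(self, pin: str, lockout_after: Optional[int] = None):
        if len(pin) != 8 or not pin.isdigit():
            raise ValueError("WPS PIN must be 8 decimal digits")
        self.first_half, self.second_half = pin[:4], pin[4:]
        self.lockout_after = lockout_after   # None = no lockout (the vulnerable default)
        self.failures = 0
        self.locked = False
        self.exchanges = 0                   # M4/M6 round trips the registrar answered

    def attempt(self, pin: str) -> str:
        """Return 'LOCKED', 'NACK_M4', 'NACK_M6' or 'OK' for one full PIN attempt."""
        if self.locked:
            return "LOCKED"
        self.exchanges += 1
        if pin[:4] != self.first_half:
            outcome = "NACK_M4"          # first half wrong: revealed at M4
        elif pin[4:] != self.second_half:
            outcome = "NACK_M6"          # first half right, second wrong: revealed at M6
        else:
            return "OK"
        self.failures += 1
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            self.locked = True           # mitigation: stop answering after N failures
        return outcome


def split_half_search(reg: ToyRegistrar) -> Optional[str]:
    """Search each half independently, exactly as the quoted text describes.
    Returns the recovered PIN, or None if the registrar locked up first."""
    first_half = None
    for cand in range(10_000):
        guess = f"{cand:04d}0000"
        outcome = reg.attempt(guess)
        if outcome == "LOCKED":
            return None
        if outcome == "OK":
            return guess
        if outcome == "NACK_M6":         # first half matched, only the second is wrong
            first_half = f"{cand:04d}"
            break
    if first_half is None:
        return None
    for cand in range(10_000):
        guess = first_half + f"{cand:04d}"
        outcome = reg.attempt(guess)
        if outcome == "LOCKED":
            return None
        if outcome == "OK":
            return guess
    return None


def full_space_worst_case() -> int:
    """Exchanges a plain 8-digit search needs in the worst case, for comparison."""
    return 10 ** 8


def split_half_worst_case() -> int:
    """Measured worst case for the split search: 99999999 is found last in both halves."""
    reg = ToyRegistrar("99999999")
    if split_half_search(reg) != "99999999":
        raise RuntimeError("toy search failed")
    return reg.exchanges          # 10^4 + 10^4 = 20000


if __name__ == "__main__":
    vulnerable = ToyRegistrar("12345678")
    print(split_half_search(vulnerable), "after", vulnerable.exchanges, "exchanges")
    print("worst case:", split_half_worst_case(), "vs", full_space_worst_case())
    hardened = ToyRegistrar("12345678", lockout_after=10)
    print(split_half_search(hardened), "after", hardened.exchanges, "exchanges (locked)")
```

The toy follows the quoted bound of 10^4 + 10^4 exchanges; on real devices the eighth PIN digit is a checksum, so the second half is smaller still. The `lockout_after` path is the practical mitigation (an AP that stops answering WPS after a handful of failures), and the same failure counter is the signal a defender would monitor: a burst of M4 NACKs from one client is the leak being probed.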