#### For the mathematically curious...

...here's a (very simplistic) visualisation of how researchers arrived at the "10^4 + 10^3 = 11,000 attempts" figure:

First off, you send PIN association packets to the Wi-Fi router, starting with

-- -- "0000 0000" (space added between quads for clarity)

and increment the upper quad by one, like so:

-- -- "0000 0000"

-- -- "0001 0000"

-- -- "0002 0000"

-- -- "0003 0000"

Each time the "probe PIN" is sent, the router replies with a message that tells the device if the upper quad (the first four digits) is incorrect. Since the upper quad is four digits long, you only need to send at most ten thousand (10^4) "probe PINs" -- from "0000 0000" to "9999 0000" -- to determine what the first four digits of the real PIN actually are.

For purposes of this discussion, we will say the correct upper quad is "4976." This presumably took us 4,977 guesses, if we started at "0000 0000," and tested the upper quad sequentially.

Once you know the first four digits, you only need to guess the first three digits of the lower quad -- from "000" to "999," or one thousand (10^3) combinations -- to find the rest of the PIN. The last digit is deterministic, since it's calculated mathematically from the first seven digits, and used as a checksum:

-- -- "4976 000[checksum]"

-- -- "4976 001[checksum]"

-- -- "4976 002[checksum]"

-- -- "4976 003[checksum]"

Again, for purposes of discussion, we'll presume that the correct first three digits of the lower quad are "387," with the calculated checksum appended at the end.

Thus, given an upper quad of "4976" and a correct lower quad of "387[checksum]," we should be able to find our association PIN in

-- -- 4,977 + 388 = 5,365

guesses.