The scary part is the report of tool working with WPS disabled. I wonder if that is the default UI for routers not properly turning it off, or if the tool is turning it back on somehow.
I imagine if the default setting of the router is to have WPS enabled, then trying to crash the router and having it reset itself back to default would work if the user disables WPS, though I'm not sure if that's what the tool is doing.
Obviously everything gets hacked eventually, you just hope that they fix the even if it's off the router is still vulnerable. Even do something to stop the brute force by allowing the user to select an option where if the user gets the key wrong 3x (for example) the router will not allow any user to connect for 10m (for example). Let those who are connected stay connected and let the user also be able to unlock the lock via the UI.