In Microsoft CTS Network support, we frequently need to troubleshoot wireless connectivity issues. These issues are always made more difficult to resolve in instances where the wireless network is hidden. We recommend that customers do not use non-broadcast or hidden SSIDs. It is a bad idea from both functionality and security standpoints.
What is a hidden wireless network?
It is possible to configure most wireless Access Points (AP) to not broadcast their SSID (Service Set Identifier). The intent of this feature is to prevent unauthorized users from being able to detect the wireless network from their wireless clients. APs send beacon frames to advertise capability information and parameter sets for the network. Turning off broadcasting on the AP does not prevent the beacon frame from being sent. The wireless AP still sends a beacon frame, but it is sent with the SSID value set to NULL.
Let’s say I am planning a party, and I invite several friends from work. I tell them to meet me at my street address on Friday night. I will be grilling steaks and burgers out in the back yard, and they should just bring their favorite beer. Many of them plan to meet me at the designated time, and they let me know that they will arrive carrying various containers of beer.
On the night of the party I get a little nervous, because I just bought a whole bunch of steak and burgers. I live in a pretty sketchy neighborhood, and I don’t want just anyone to walk in and eat the food, particularly if they haven’t brought any beer to share. So I decide to implement a security measure.
Well, I guess I could lock the front door and wait until people arrive and ring the doorbell. Then I could look out the window and verify that the caller is an invited guest. I could speak with them and verify that they are who they say they are, in the same way that Active Directory verifies users with MS-CHAPv2. I suppose I could issue written invitations to the guests and require that they present the invitation to a third party prior to even being allowed to ring the doorbell, as with a PKI deployment. But I have another idea.
In the interest of security, I go out and tear the numbers off the front of my house and off the side of my mailbox. I go to the corner and uproot the street sign. Now nobody looking to crash the party can find my house because it has no identifier!
Well, the guys from work arrive, some of them in my general neighborhood, but none of them can find my house because the identifying street name and number are missing. They have two choices now: either they can give up and forget about the party, or they can start asking around for where my house is. Most of them roam about the area carrying beer and yelling out my address.
So let’s say the local hoodlums are out, and they want to score some beer and steak. I didn’t invite them to my house, but they can still see that it is a house. They can still smell the steak and burgers cooking, and now they can hear and see a bunch of guys carrying beers, yelling out my address and roaming aimlessly in search of the party. The party crashers can easily surmise what my address is in the unlikely event that this is of any interest to them.
This was a poor choice for a security measure.
Choosing not to broadcast the SSID of a wireless network does not make it undetectable. The SSID is still advertised in the probe requests sent out by wireless clients and in the responses to the probe requests sent by wireless APs.
If you manage a wireless Access Point and the network it connects to, you control the security associated with accessing it. You specify encryption methods such as AES or TKIP and authentication requirements such as PEAP-MS-CHAPv2, EAP-TLS or PEAP-TLS in order to secure the network. You can require a valid username and password, or require that clients present a certificate to a PKI (Public Key Infrastructure). The name of the network itself is only an identifier and is not a security element. In fact the name of the network has no bearing on security whatsoever from an encryption or authentication standpoint.
If the network name of a wireless network (SSID) is not broadcast, the clients must search for it with probe requests. So if you have one AP and 100 wireless devices, you partially limit exposure of the network name with one device while causing 100 devices to expose it instead. The probe frames sent by the clients advertise the SSID every 60 seconds, whether they are close to the actual AP or not. This means that instead of one device broadcasting the SSID in the immediate proximity of your network, you now have these 100 devices potentially advertising the SSID in every coffee shop, hotel, and airport they visit. The security vulnerability this exposes is worse the larger the wireless deployment is.
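The frame-level behaviour described above (a NULL-SSID beacon, the SSID carried in clients' probe requests and in the AP's probe responses) can be seen with a small 802.11 management-frame parser. The following is an added example, not code from the original post or from Microsoft: it builds a handful of constructed management frames (the MAC addresses and the SSID "CorpWiFi" are made up), parses the frame control field, addresses and SSID information element, and summarises what a passive listener in range would learn. It also labels a NULL-SSID beacon "Unnamed Network", the way the Vista client described later on this page does.

```python
import struct

# 802.11 management-frame subtypes (frame type 0)
SUBTYPE_PROBE_REQ = 4
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
SUBTYPE_NAMES = {SUBTYPE_PROBE_REQ: "probe-request",
                 SUBTYPE_PROBE_RESP: "probe-response",
                 SUBTYPE_BEACON: "beacon"}
IE_SSID = 0                      # information element ID of the SSID element
BROADCAST = b"\xff" * 6


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, sa, bssid, ssid, da=BROADCAST):
    """Build a minimal management frame (constructed test data, not a capture)."""
    frame_control = bytes([(subtype << 4) | 0x00, 0x00])   # type 0 = management, no flags
    header = frame_control + b"\x00\x00" + da + sa + bssid + b"\x00\x00"  # duration, addr1-3, seq
    body = b""
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        # fixed fields: timestamp (8), beacon interval (2), capability info (2)
        body += struct.pack("<QHH", 0, 100, 0x0411)
    body += bytes([IE_SSID, len(ssid)]) + ssid                # SSID information element
    return header + body


def parse_ies(data):
    """Walk the tagged parameters: 1-byte ID, 1-byte length, value."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_mgmt_frame(frame):
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    sa, bssid = frame[10:16], frame[16:22]
    body = frame[24:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body = body[12:]                                     # skip the fixed fields
    ssid_raw = parse_ies(body).get(IE_SSID)
    # Zero-length or all-NULL SSID: a hidden network in a beacon, a wildcard in a probe request
    null_ssid = ssid_raw is not None and (len(ssid_raw) == 0 or all(b == 0 for b in ssid_raw))
    ssid = None if (ssid_raw is None or null_ssid) else ssid_raw.decode("utf-8", "replace")
    return {"subtype": SUBTYPE_NAMES.get(subtype, f"subtype-{subtype}"),
            "sa": mac(sa), "bssid": mac(bssid), "ssid": ssid, "null_ssid": null_ssid}


def audit(frames):
    """What a passive listener learns: hidden APs, SSIDs disclosed by clients, network list."""
    result = {"hidden_aps": set(), "probed_ssids": {}, "available_networks": {}}
    for frame in frames:
        p = parse_mgmt_frame(frame)
        if p["subtype"] == "beacon":
            if p["null_ssid"]:
                result["hidden_aps"].add(p["bssid"])
                result["available_networks"][p["bssid"]] = "Unnamed Network"
            else:
                result["available_networks"][p["bssid"]] = p["ssid"]
        elif p["subtype"] == "probe-request" and p["ssid"]:
            result["probed_ssids"].setdefault(p["ssid"], set()).add(p["sa"])
        elif p["subtype"] == "probe-response" and p["ssid"]:
            result["available_networks"][p["bssid"]] = p["ssid"]   # the AP names itself after all
    return result


# Constructed sample: two hidden APs, two clients probing for the hidden network by
# name, one client sending a wildcard probe, and the AP answering one probe.
AP1, AP2 = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
C1, C2, C3 = (bytes.fromhex(f"02000000000{i}") for i in (1, 2, 3))
SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_BEACON, AP1, AP1, b""),                 # hidden: zero-length SSID
    build_mgmt_frame(SUBTYPE_BEACON, AP2, AP2, b"\x00" * 8),         # hidden: NULL-padded SSID
    build_mgmt_frame(SUBTYPE_PROBE_REQ, C1, BROADCAST, b"CorpWiFi"),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, C2, BROADCAST, b"CorpWiFi"),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, C3, BROADCAST, b""),         # wildcard: discloses nothing
    build_mgmt_frame(SUBTYPE_PROBE_RESP, AP1, AP1, b"CorpWiFi", da=C1),
]


def audit_sample():
    return audit(SAMPLE_FRAMES)


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

Running it shows both APs as hidden from their beacons alone, the SSID "CorpWiFi" disclosed by two client MACs in their probe requests, and the first AP's name recovered from its probe response; the NULL-SSID beacons are not "invisible", they simply appear without a name.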
How does Windows XP deal with non-broadcast SSIDs?
In Windows XP or Server 2003, users can connect to non-broadcast networks by configuring a preferred wireless network either manually or through Group Policy. A non-broadcast network will not appear in the “Choose a wireless network” dialog box.
The wireless supplicant will look at all the available networks and try to match them up to the networks in its preferred list. If it finds a match set to automatic connection, a connection attempt will be made. If no match is found after comparing visible networks to the preferred list, it will start plumbing down each network in the preferred list from top to bottom. It will wait two seconds to see if a connection is made, then proceed to plumb down the next one in the list.
This process will allow the supplicant to connect to a hidden network if it is in range, but only if no other preferred networks are available and visible. Because of this, even if a non-broadcast network is at the top of the preferred list, it won't take priority over a broadcast network lower in the list.
In order to address this problem, you can apply Windows Server 2003 SP2 or the wireless update from KB article 917021 to Windows XP SP2 machines. This allows you to configure wireless networks as broadcast or as non-broadcast networks. You can also configure this new setting through Group Policy from a computer that is running Windows Vista. If a non-broadcast network is configured as preferred, the XP client will now probe for it every 60 seconds, in effect broadcasting the SSID of the network.
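A small model of the preferred-list matching just described, added here as an example (this is not Microsoft's supplicant code), shows why a non-broadcast network at the top of the list loses to a visible broadcast network lower down, and how the per-network non-broadcast setting from Server 2003 SP2 / KB917021 changes the outcome by probing for the hidden network directly. The network names, the `in_range` set and the two-step structure are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class PreferredNetwork:
    ssid: str
    automatic: bool = True        # "connect automatically" in the preferred list
    non_broadcast: bool = False   # per-network setting added by Server 2003 SP2 / KB917021


def choose_network(preferred, beacons, in_range, supports_nonbroadcast_flag):
    """Model of the preferred-list matching described above (hypothetical simplification).

    preferred: ordered list of PreferredNetwork, top entry first
    beacons:   SSID strings seen in beacon frames; '' stands for a NULL-SSID (hidden) beacon
    in_range:  SSIDs that would answer a directed probe (assumed radio environment)
    Returns (ssid, how) or (None, 'no connection').
    """
    visible = {s for s in beacons if s}          # a NULL-SSID beacon gives the client no name
    probed = set()
    if supports_nonbroadcast_flag:
        # Updated supplicant: networks flagged non-broadcast are probed for by name, so an
        # in-range hidden network becomes visible (and its SSID goes on the air every probe).
        for p in preferred:
            if p.non_broadcast and p.ssid in in_range:
                visible.add(p.ssid)
                probed.add(p.ssid)
    # Step 1: the first preferred network that is visible and set to automatic wins.
    for p in preferred:
        if p.automatic and p.ssid in visible:
            how = "found by directed probe" if p.ssid in probed else "matched visible network"
            return p.ssid, how
    # Step 2: nothing visible matched, so plumb down the list top to bottom; the first
    # network that answers wins (the real supplicant waits two seconds per entry).
    for p in preferred:
        if p.ssid in in_range:
            return p.ssid, "found by plumbing down preferred list"
    return None, "no connection"


# Constructed scenario: the hidden corporate network is first in the list, a broadcast
# guest network second, and both are in range.
PREFERRED = [PreferredNetwork("CorpHidden", non_broadcast=True), PreferredNetwork("GuestNet")]
IN_RANGE = {"CorpHidden", "GuestNet"}
BEACONS = ["", "GuestNet"]        # hidden AP beacons with NULL SSID; guest AP beacons normally


def legacy_result():
    """Pre-update supplicant: the hidden network at the top of the list is skipped."""
    return choose_network(PREFERRED, BEACONS, IN_RANGE, supports_nonbroadcast_flag=False)


def updated_result():
    """Supplicant with the non-broadcast setting: the hidden network is found by probing."""
    return choose_network(PREFERRED, BEACONS, IN_RANGE, supports_nonbroadcast_flag=True)


if __name__ == "__main__":
    print("without the update:", legacy_result())
    print("with SP2 / KB917021:", updated_result())
```

The same function also reproduces the case where the hidden network is reachable only by plumbing down: with no broadcast network visible, the legacy supplicant still finds "CorpHidden" in step 2, which is the "only if no other preferred networks are available and visible" condition described above.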
How does Windows Vista deal with non-broadcast SSIDs?
In Windows Vista and Server 2008, there is an additional configuration setting to specify whether a network is non-broadcast. Within the Wireless Network properties dialog, there is now a check box for "Connect even if the network is not broadcasting." This causes the supplicant to send probe requests for the network, and if it is in range it will be displayed in the list of available wireless networks.
These probe packets are still sent every 60 seconds, regardless of whether the network is reachable, and repeatedly probing for the SSID in this way constitutes a security risk. A malicious user could attract the client to an unauthorized AP simply by duplicating the SSID and settings learned from the probe packets.
Also, if a Windows Vista or Server 2008 client receives a beacon frame with the SSID set to NULL, it will add the network to the list of available networks with the name "Unnamed Network". This allows users to connect to the network manually if they know the correct SSID.
How It Breaks
The ability to connect to a non-broadcast SSID is a cooperative effort between the wireless supplicant and the wireless NIC driver. In order to take advantage of the improvements made to the supplicant in Vista, the wireless adapter driver must support these enhancements.
In order for the new process to work, the wireless driver must send the probe packet to the AP for the hidden SSID. We have seen that power settings defined on the NIC driver can influence whether the AP receives this probe. Sometimes setting the transmit power setting to maximum will allow the probes to reach the AP.
Currently there are several widely-distributed WLAN drivers which either do not support or do not work properly with the Vista method of dealing with non-broadcast SSIDs, including the Intel 3945ABG and the Broadcom 802.11g Network Adapters.
The Intel 3945ABG adapter is very widely distributed in current laptop models. The latest Intel driver provides improvement but does not address all issues with hidden SSIDs encountered when roaming or resuming from hibernation.
Broadcom does not show any unnamed networks, and they are not planning to fix this. One of the reasons, besides being low priority for them, is also to push customers to stop hiding the SSID, which creates a problem instead of solving it.
Windows Vista includes a warning to indicate that connecting to a hidden SSID is a bad idea from a security standpoint:
Non-broadcast SSIDs are not a valid security measure and actually make it easier for the SSID to be discovered since it forces clients to continuously probe for it.
Here is our official stance from Microsoft on Hidden SSIDs:
From Wireless Product Manager Drew Baron: “We like to take every opportunity to dissuade the use of Hidden SSIDs as much as possible. For security reasons we strongly recommend against using hidden SSIDs” http://www.microsoft.com/technet/network/wifi/hiddennet.mspx
Here is a link to an independent analysis from outside Microsoft: “Debunking the Myth of SSID Hiding” - http://www.icsalabs.com/icsa/docs/html/communities/WLAN/wp_ssid_hiding.pdf
Input from Senior Security Strategist Steve Riley: "It's a violation of the 802.11 specification to keep your SSID hidden; the 802.11i specification amendment ... even states that a computer can refuse to communicate with an access point that doesn't broadcast its SSID." http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx
C'mon guys. If you set the security and in addition you set a non-broadcasting SSID, that is not making that network unsecured.
And YES I want a computer to not connect as easily to my non-broadcasting SSID. That is the idea.
I don't want the 14-year-old neighbor to start meddling with it. On the other hand, if that kid is smart enough to discover the SSID from my laptop advertising it, then I would grant him access anyway.
You believe so much that you are right that you can't see the others views. And imposing yours is not right.
The analogy is completely off the wall and incorrect in every way, but that is what I have to expect from the low-level support and software that Microsoft offers. A much better description, if you were to use that analogy: first of all, you have to understand that anyone who is supposed to be on the network will have the correct SSID. It would not be that you take the numbers off your house and uproot the street sign; instead you would paint the numbers on your house, the mailbox, and the street sign so that they can only be seen with super magic, non-Microsoft-compatible glasses. Then you hand out the glasses to any supported user so that they and only they know how to get to your party.
Oh, and as far as the Broadcom adapter goes, whether or not they decide to show unnamed networks is not the point. In fact, using non-broadcasting, you wouldn't want your network shown in any way; that is the point of it non-broadcasting. Besides, I am currently wireless on an HP laptop, with Windows XP Professional, and a Broadcom wireless supplicant working perfectly fine on our non-broadcasting wireless infrastructure. Stop making excuses for Windows Vista; it was a terrible OS, I know it, everyone else knows it, just accept it, Microsoft. Just make Windows 7 better, but from the betas thus far it seems that a lot of the same problems are still there.
One thought left out of the last paragraph of the analogy in the above article is this: that the hoodlums set up a party of their own showing the house number that my guests are shouting, and rob them out of public view. To put this back into the perspective of a laptop user: I connect to unbroadcasted network xxyy, use it, and then later go to the airport and turn on my laptop to see if there is a network to connect to. Not finding one that is set up as a network to connect to, my laptop starts shouting to see if xxyy is available; the hacker sitting 30 feet away answers back that he is xxyy and I connect through him, thus creating a man-in-the-middle attack.
Turning off the broadcast of the SSID may lead to a false sense of security. The method discourages only casual wireless snooping, but does not stop a person trying to attack the network.
It is not secure against determined crackers, because every time someone connects to the network, the SSID is transmitted in cleartext even if the wireless connection is otherwise encrypted. An eavesdropper can passively sniff the wireless traffic on that network undetected (with software like Kismet), and wait for someone to connect, revealing the SSID. Alternatively, there are faster (albeit detectable) methods where a cracker spoofs a "disassociate frame" as if it came from the wireless bridge, and sends it to one of the clients connected; the client immediately re-connects, revealing the SSID.
I add, not revealing the SSID is apparently a false sense of security.
If the hidden SSID xyz in a laptop is shouted out at an airport and a hacker answers as hidden SSID xyz, he can't perform a man-in-the-middle attack unless you are running no encryption. Figuring you are running a hidden SSID with WPA2, the man-in-the-middle attack is null and void.
While we techs know that there is NO security benefit in hiding the SSID, the reason for doing it is to keep the 99.5% average "normal" people from knowing you are running a network, thus keeping their curiosity at bay, including the constant trying to connect. We all know that the .5% of the techs out there can sit around and sniff the SSID, they can sniff the MAC; thus that is why us techs use WPA2 and/or WPA2 with IAS / RADIUS.
I say, hide the SSID - enable MAC addressing ... take every step to make life more difficult for the potential hacker. The more steps required to break in, the more work they will need to do.
In conclusion, there is no security risk running a hidden SSID with "man-in-the-middle attacks" unless you are not running good encryption such as WPA2. So, if a guy in the airport tries to pretend he is your AP, your computer is not going to connect because Mr. Fake SSID doesn't have your encryption key.
I am getting paranoid now, why do so many people want to get people to open those SSIDs up? lol
I was trying to make my wireless connection secured, so I thought. Instead I hid the network and have no idea how to fix it, and I think I made it worse trying to fix it. I can see the network, but when I try to connect it says can't find network (hidden), or make sure it is in range. I have to plug the computer into the router to get it to connect. It worked perfectly for a year and other computers are still online in my home. Sorry for not knowing much about this, but I tried. Can anyone give me some tips on how I can reverse what I did? Not too computer literate or I wouldn't be in this mess. Thank you for any help...
My Wireless network at work is set up like this.
We have hundreds of meetings in house every year with medical professionals all across the country and from overseas in our building. For them we have a broadcasted public wireless network set up. That works great.
For our internal laptop staff we have a non-broadcasted secured wireless network, which has worked perfectly for the past 6 years using XP and Vista. We are now starting to use HP/Dell laptops running Windows 7 Professional. Guess what, tons of connection issues using Windows 7. We downgrade the laptops to, say, Vista or XP and guess what... connection to that non-broadcasted wireless network works great. Upgrade or reinstall to Windows 7... it breaks, cannot authenticate to the RADIUS server. How can I get this to work? This is not funny.
We really do not want to have this broadcasted, due to so many outside people being in our building. The reason we configured that non-broadcasted network in the first place was to circumvent a breach in security that we experienced when using a broadcasted wireless network. So what you are all proposing, or rather are pushing down on all of us, really does stink.
I can't believe I just wasted a couple of minutes of my life reading from a lame writer who gives lame analogy who thinks that hiding an SSID makes it more unsecured.
How about this...have your SSN in a cryptogram and broadcast it, post it all over the internet so it would be more secured rather than hiding it!