Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Myth vs. reality: Wireless SSIDs

Myth vs. reality: Wireless SSIDs

  • Comments 28
  • Likes

Do you ever wonder sometimes how it is that some ideas just won't die? Like the thought that not broadcasting your wireless network's SSID will somehow make you more secure? This is a myth that needs to be forcibly dragged out behind the woodshed, strangled until it wheezes its last labored breath, then shot several times for good measure.

Folks, there are fundamental differences between names, which are public claims of identities, and authenticators, which are secrets used to prove identities, and I've written extensively about this before. An SSID is a network name, not -- I repeat, not -- a password. A wireless network has an SSID to distinguish it from other wireless networks in the vicinity. The SSID was never designed to be hidden, and therefore won't provide your network with any kind of protection if you try to hide it. It's a violation of the 802.11 specification to keep your SSID hidden; the 802.11i specification amendment (which defines WPA2, discussed later) even states that a computer can refuse to communicate with an access point that doesn't broadcast its SSID. And, even if you think your SSID is hidden, it really isn't. Let me explain.

All 802.11 wireless networks, regardless of the kind of operating system or encryption you might use, also emit unencrypted frames at times. One kind of unencrypted frame is an association frame. This is what a client computer, or "supplicant" in the 802.11 protocol vernacular, emits when it wants to join a wireless network. Contained within the frame, in clear text of course (since the frame is unencrypted), is the SSID of the network the supplicant wants to join.

Both Windows XP and Vista work best when your access points broadcast their SSIDs. XP really doesn't behave well at all with nonbroadcasting SSIDs. Vista has some added smarts to improve this a bit. Normally, Vista continually sends probe requests for nonbroadcasting networks. These probes are similar to unencrypted 802.11 association frames, and will generate clear-text responses from the access points if a nonbroadcasting network is present. You can reduce, but not entirely eliminate, these probes by configuring the wireless client to probe only for automatically-connected nonbroadcasting networks.

Both these behaviors make it very easy for an attacker to discover your SSID. The bad guy, perhaps a contractor or a guest in your facility, could run one of many wireless sniffer programs and simply capture the hundreds of association frames or probes that litter your air. No amount of "hiding" configured in your access points can prevent this kind of traffic interception.

So there you have it, simple SSID discovery. The old axiom remains true: security by obscurity is no security at all. Hiding an SSID will not hide a wireless network, so ignore any such advice -- and it's amazing how often I continue to see this. By the way, also ignore any advice that says to use MAC address filtering. It's amazingly trivial to spoof the MAC address of an allowed supplicant -- simply sniff the traffic, look at the MAC addresses, and use the neat little SMAC utility to change your MAC to one that's permitted.

Nonbroadcasting networks are not secure networks. The right way to secure a wireless network is to use protocols that are designed specifically to address wireless network threats. If you're still using WEP, either static or dynamic, I encourage you to move to WPA2 as soon as possible. For those of you at home running XP and have kept it updated, or if you're running Vista, then, you simply need to enable WPA2. We've got some additional guidance for home/small offices and for enterprise networks with certificate services or without. If you have hardware that's more than two years old and you can't upgrade it, check to see whether it supports WPA (an interim specification released before WPA2 was ratified). Both WPA and WPA2 are built on sound cryptographic principles, they're proven in the field, and they'll keep the bad guys out -- even when you're broadcasting your SSID to the world.

Comments
  • For those of us still on Windows XP SP2 here is the KB link to add WPA2 support on Windows XP  http://support.Microsoft.com/?id=893357

    pretty handy.

    as usual great article Steve :)

  • Hey Steve,

    Excellent article. Goes absolutely hand in hand with the lecture I had a Uni today! It's amazing the amount of confusion and false sense of security surrounding wireless, even amongst IT students.

  • Thank you.  I work as Level II support for a wireless manufacturer (for the WISP market, not the wireless inside the house variety) and you'd be amazed how many WISPs think that things will be much more secure if they just hide the SSID.  

  • It is an excellent article regarding the flaws found in the SSID and MAC address filtering.Regardless of their weak points,they can, however, help reveal the ids of the snooping individual's MACs and SSIDs to some degree. I have two notebooks wirelessly connected to each other by a point-2-point bridge.The wireles bridge then connects 2 a network of six Windows 9x systems.In all,I have a wired network connected 2 a wireless network via an access point which works as a router to connect the Windows 9x systems 2 the network.Given the small size of my home network,is it practical to buy the WPA or WPA2 security software?So far I seem to have no security problem I am ware of with my petit network.By the way,the notebooks are installed with Windows 2000 Professional.

  • It is an excellent article regarding the flaws found in the SSID and MAC address filtering.Regardless of their weak points,they can, however, help reveal the ids of the snooping individual's MACs and SSIDs to some degree. I have two notebooks wirelessly connected to each other by a point-2-point bridge.The wireles bridge then connects 2 a network of six Windows 9x systems.In all,I have a wired network connected 2 a wireless network via an access point which works as a router to connect the Windows 9x systems 2 the network.Given the small size of my home network,is it practical to buy the WPA or WPA2 security software?So far I seem to have no security problem I am ware of with my petit network.By the way,the notebooks are installed with Windows 2000 Professional.

  • Steve Riley has a great post on why hiding your SSID doesn't make your wireless network more secure.

  • SMAC is a powerful, yet easy to use MAC Address Changer (Spoofer) for Windows VISTA, 2003, XP, and 2000

  • I'm always surprised by the dozen or so unsecured, publicly accessible WAPs in my neighborhood (in Hong Kong) that have SSID broadcasting disabled. It's a bit like saying, "I can't be bothered to secure this, but it's a private network, ok?"

    Disabling SSID broadcasting probably does provide them with a little security though, since there are so many other publicly accessible WAPs present in the area that they're unlikely to get too much attention.

  • Info on SSID http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx -- ===== Glenn ===== 2007/10/24 Hi! I will be posting here some blog links that I think will be usefull for all Engineer. You can expect that mo...

  • This is great article and I totally agree with it. Too bad that it wasn't read by the people who prepared the questions for "Microsoft Security Assesment Tool". I lost points because my AP SSID is not hidden.

  • Good article on SSIDs and why it doesn't make sense (well at least in most cases) to hide the SSID in

  • DanielD-- Thanks for letting me know about this. I will try to get it fixed.

  • In questo articolo apparso sul suo blog, Steve Riley vuole sfatare il mito secondo cui utilizzare un

  • In Microsoft CTS Network support, we frequently need to troubleshoot wireless connectivity issues. These

  • Hiding an SSID will not hide a wireless network

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment