Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Myth vs. reality: Wireless SSIDs

Myth vs. reality: Wireless SSIDs

  • Comments 28
  • Likes

Do you ever wonder sometimes how it is that some ideas just won't die? Like the thought that not broadcasting your wireless network's SSID will somehow make you more secure? This is a myth that needs to be forcibly dragged out behind the woodshed, strangled until it wheezes its last labored breath, then shot several times for good measure.

Folks, there are fundamental differences between names, which are public claims of identities, and authenticators, which are secrets used to prove identities, and I've written extensively about this before. An SSID is a network name, not -- I repeat, not -- a password. A wireless network has an SSID to distinguish it from other wireless networks in the vicinity. The SSID was never designed to be hidden, and therefore won't provide your network with any kind of protection if you try to hide it. It's a violation of the 802.11 specification to keep your SSID hidden; the 802.11i specification amendment (which defines WPA2, discussed later) even states that a computer can refuse to communicate with an access point that doesn't broadcast its SSID. And, even if you think your SSID is hidden, it really isn't. Let me explain.

All 802.11 wireless networks, regardless of the kind of operating system or encryption you might use, also emit unencrypted frames at times. One kind of unencrypted frame is an association frame. This is what a client computer, or "supplicant" in the 802.11 protocol vernacular, emits when it wants to join a wireless network. Contained within the frame, in clear text of course (since the frame is unencrypted), is the SSID of the network the supplicant wants to join.

Both Windows XP and Vista work best when your access points broadcast their SSIDs. XP really doesn't behave well at all with nonbroadcasting SSIDs. Vista has some added smarts to improve this a bit. Normally, Vista continually sends probe requests for nonbroadcasting networks. These probes are similar to unencrypted 802.11 association frames, and will generate clear-text responses from the access points if a nonbroadcasting network is present. You can reduce, but not entirely eliminate, these probes by configuring the wireless client to probe only for automatically-connected nonbroadcasting networks.

Both these behaviors make it very easy for an attacker to discover your SSID. The bad guy, perhaps a contractor or a guest in your facility, could run one of many wireless sniffer programs and simply capture the hundreds of association frames or probes that litter your air. No amount of "hiding" configured in your access points can prevent this kind of traffic interception.

So there you have it, simple SSID discovery. The old axiom remains true: security by obscurity is no security at all. Hiding an SSID will not hide a wireless network, so ignore any such advice -- and it's amazing how often I continue to see this. By the way, also ignore any advice that says to use MAC address filtering. It's amazingly trivial to spoof the MAC address of an allowed supplicant -- simply sniff the traffic, look at the MAC addresses, and use the neat little SMAC utility to change your MAC to one that's permitted.

Nonbroadcasting networks are not secure networks. The right way to secure a wireless network is to use protocols that are designed specifically to address wireless network threats. If you're still using WEP, either static or dynamic, I encourage you to move to WPA2 as soon as possible. For those of you at home running XP and have kept it updated, or if you're running Vista, then, you simply need to enable WPA2. We've got some additional guidance for home/small offices and for enterprise networks with certificate services or without. If you have hardware that's more than two years old and you can't upgrade it, check to see whether it supports WPA (an interim specification released before WPA2 was ratified). Both WPA and WPA2 are built on sound cryptographic principles, they're proven in the field, and they'll keep the bad guys out -- even when you're broadcasting your SSID to the world.

Comments
  • Wait a mo - who said that hiding an SSID is the *only* security measure to be used?  Hiding the SSID, changing it's name to something not easily guessed, *AND* enabling WPA2 (at least) security are *all* necessary steps to keeping folks from leeching off of your WAP

    The *real* security issue here is M$oft's refusal to make it easy for folks to hide their SSID.  Linux and MAC OS X don't have this onerous requirement, only the morons at M$oft, who also brought you Internet Exploiter, and every single security compromise ever dreamt of, in one, easy-to-use package (Windows).

  • Great article Steve but equally great point @brad, I currently have my SSID hidden and I've also given it some obscure name whilst enabling WPA2, whilst this is not currently possible with VISTA SP1 (if it is I've not found ways to make it work), it is possible with the VISTA SP2 (Beta mind you), I have vista SP2 installed and so far so good.

  • @Brad,

    You don't need to "guess" an SSID, so hiding it is pointless.

  • @Brad and Matt-- nowhere did I say that hiding an SSID is the *only* security measure. I'm arguing against the notion that hiding an SSID is a good idea at all. If you use the proper security measure -- that is, WPA2 (or WPA if your devices don't support WPA2) -- then that is sufficient for protecting your traffic and keeping people from using your wireless network.

    The 802.11 specifications mandate that SSIDs be broadcast. Access point manufacturers added support for hiding SSIDs a long time ago because people were too lazy to do the right thing (use encryption) and demanded the ability to hide. Well, you can't truly hide an AP. So by dropping support in Windows for something that actually breaks the protocol, it helps to improve overall security -- more people will use encryption.

  • I don't see why hiding the SSID and using Mac-filtering does not increase the security if you also - as the most important step - use encryption. IMO all extra measures will increase the security - it's one more thing to pass before you hack init someone's network. I don't have wireless network for anyones use but me - so I use encryption and SSID hiding.

  • Let's define what "increase security" means. I'll use two definitions:

    • Reduce the attack surface by eliminating additional potential targets of intrusion
    • Eliminate a vulnerability or reduce the likelihood of a vulnerability being exploited

    When you secure a wireless network with WPA2 using RADIUS or a strong pre-shared key, you have secured that network against all known threats. It is completely unnecessary to hide SSIDs and filter MAC addresses at this point: these additional efforts do not increase security beyond what you've done with WPA2.

    And as I have said before, you aren't really hiding anything with these approaches. SSIDs are available in clear-text in 802.11 association frames even if the access points aren't broadcasting their SSIDs. And MAC addresses are always clear-text and are unsigned, therefore they can be spoofed and you'll never know it.

    Just because you can do a thing that smells like security, it doesn't mean that you're actually reducing threats.

  • I use WPA2 with a strong pre-shared key on my wireless network.  I DO broadcast the SSID and do NOT use MAC address filtering because I saw little value in the security provided.  It also made it a lot easier for my family to use my network when visiting.

  • What I think others are trying to point out, as am I, is that not broadcasting SSID's and MAC filtering DO increase security to a degree.  When non-technical staff try to find wireless access near them, they simply search with things like Windows WZC- which out of the box ignores non-broadcasting SSID's.  So if say 5 in 10 people are non-technical, you've reduced the chance that NON-TECHNICAL people will find your network by AT LEAST 50%.  And I'd rather have 50% less people know of it's existence then be "curious" and pursue access to my network.  I'm not saying you need to agree with me, it's just my $.02.

  • @Mark Coleman: Hiding the SSID and using MAC filtering does not increase your security.  Sure, you prevent "non-technical" people from seeing your network, but would those non-technical people have had a chance of accessing your network if you employed WPA2?  Of course not.

    It's like hiding the bank vault only from people who have no idea how to crack a safe in the first place.  Those who do know how to crack it can find it.  What's the point?

    So how did you increase security with these measures?

    Hiding the SSID is useless (and harmful).  MAC filtering is arguably useful not as a security measure, but as an access control method, assuming the users you're controlling access for are "non-technical" (i.e. stupid in-laws)!

  • I agree with Mark Coleman.  Most people are NOT tech savvy.  They don't know what a MAC address, so they're not going to spoof it, and they have no idea how to capture packets on a network.  But if they are sitting outside my condo, and see my network SSID, they might just decide to take advantage of it.  

    And if I've had some problem where I've had to reset my wireless router, and have forgotten to enable encryption, or if I'm like my neighbor, who doesn't seem to know anything about encryption, then I'm in trouble.  

    Can someone address the question of performance?  Does broadcasting or not broadcasting the SSID affect performance?  I can pick up, no kidding, 10 different SSID's from my neighbors.  Don't their SSID broadcasts increase the interference to my signal?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment