Myth vs. reality: Wireless SSIDs

re: Myth vs. reality: Wireless SSIDs

Rohan John — Tue, 16 Oct 2007 12:06:45 GMT

For those of us still on Windows XP SP2 here is the KB link to add WPA2 support on Windows XP http://support.Microsoft.com/?id=893357

pretty handy.

as usual great article Steve :)

re: Myth vs. reality: Wireless SSIDs

Ben Knight — Tue, 16 Oct 2007 13:04:57 GMT

Hey Steve,

Excellent article. Goes absolutely hand in hand with the lecture I had a Uni today! It's amazing the amount of confusion and false sense of security surrounding wireless, even amongst IT students.

re: Myth vs. reality: Wireless SSIDs

Rod — Tue, 16 Oct 2007 20:58:12 GMT

Thank you. I work as Level II support for a wireless manufacturer (for the WISP market, not the wireless inside the house variety) and you'd be amazed how many WISPs think that things will be much more secure if they just hide the SSID.

re: Myth vs. reality: Wireless SSIDs

Simon Sterne — Wed, 17 Oct 2007 09:58:10 GMT

It is an excellent article regarding the flaws found in the SSID and MAC address filtering.Regardless of their weak points,they can, however, help reveal the ids of the snooping individual's MACs and SSIDs to some degree. I have two notebooks wirelessly connected to each other by a point-2-point bridge.The wireles bridge then connects 2 a network of six Windows 9x systems.In all,I have a wired network connected 2 a wireless network via an access point which works as a router to connect the Windows 9x systems 2 the network.Given the small size of my home network,is it practical to buy the WPA or WPA2 security software?So far I seem to have no security problem I am ware of with my petit network.By the way,the notebooks are installed with Windows 2000 Professional.

re: Myth vs. reality: Wireless SSIDs

Simon Sterne — Wed, 17 Oct 2007 10:13:33 GMT

Hidden SSID's are not more secure

Matt Johnson's Technical Adventures — Wed, 17 Oct 2007 16:38:11 GMT

Steve Riley has a great post on why hiding your SSID doesn't make your wireless network more secure.

MAC address filtering is useless

Tonys Microsoft Access Blog — Wed, 17 Oct 2007 21:40:53 GMT

SMAC is a powerful, yet easy to use MAC Address Changer (Spoofer) for Windows VISTA, 2003, XP, and 2000

re: Myth vs. reality: Wireless SSIDs

Andy Dowling — Sun, 21 Oct 2007 12:08:52 GMT

I'm always surprised by the dozen or so unsecured, publicly accessible WAPs in my neighborhood (in Hong Kong) that have SSID broadcasting disabled. It's a bit like saying, "I can't be bothered to secure this, but it's a private network, ok?"

Disabling SSID broadcasting probably does provide them with a little security though, since there are so many other publicly accessible WAPs present in the area that they're unlikely to get too much attention.

Blog Links

PukiWiki Plus! (PukiWiki/TrackBack 0.4) — Wed, 24 Oct 2007 07:12:33 GMT

Info on SSID http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx -- ===== Glenn ===== 2007/10/24 Hi! I will be posting here some blog links that I think will be usefull for all Engineer. You can expect that mo...

re: Myth vs. reality: Wireless SSIDs

DanielD — Wed, 24 Oct 2007 16:08:37 GMT

This is great article and I totally agree with it. Too bad that it wasn't read by the people who prepared the questions for "Microsoft Security Assesment Tool". I lost points because my AP SSID is not hidden.

Steve Riley: Myth vs. reality: Wireless SSIDs

Microsoft Switzerland Security Blog — Wed, 24 Oct 2007 17:56:35 GMT

Good article on SSIDs and why it doesn't make sense (well at least in most cases) to hide the SSID in

re: Myth vs. reality: Wireless SSIDs

Steve Riley — Thu, 25 Oct 2007 10:29:39 GMT

DanielD-- Thanks for letting me know about this. I will try to get it fixed.

Steve Riley parla di WI-FI SSID

Bar Microsoft — Fri, 26 Oct 2007 10:14:40 GMT

In questo articolo apparso sul suo blog, Steve Riley vuole sfatare il mito secondo cui utilizzare un

Non-Broadcast Wireless SSIDs Why hidden wireless networks are a bad idea

Microsoft Enterprise Networking Team — Sat, 09 Feb 2008 01:11:26 GMT

In Microsoft CTS Network support, we frequently need to troubleshoot wireless connectivity issues. These

Hiding an SSID will not hide a wireless network

Dave's Tech Shop — Sat, 23 Feb 2008 20:26:30 GMT

Hiding an SSID will not hide a wireless network

re: Myth vs. reality: Wireless SSIDs

brad — Thu, 25 Dec 2008 18:30:19 GMT

Wait a mo - who said that hiding an SSID is the *only* security measure to be used? Hiding the SSID, changing it's name to something not easily guessed, *AND* enabling WPA2 (at least) security are *all* necessary steps to keeping folks from leeching off of your WAP

The *real* security issue here is M$oft's refusal to make it easy for folks to hide their SSID. Linux and MAC OS X don't have this onerous requirement, only the morons at M$oft, who also brought you Internet Exploiter, and every single security compromise ever dreamt of, in one, easy-to-use package (Windows).

re: Myth vs. reality: Wireless SSIDs

Matt — Wed, 31 Dec 2008 16:00:18 GMT

Great article Steve but equally great point @brad, I currently have my SSID hidden and I've also given it some obscure name whilst enabling WPA2, whilst this is not currently possible with VISTA SP1 (if it is I've not found ways to make it work), it is possible with the VISTA SP2 (Beta mind you), I have vista SP2 installed and so far so good.

re: Myth vs. reality: Wireless SSIDs

James — Mon, 05 Jan 2009 19:44:06 GMT

@Brad,

You don't need to "guess" an SSID, so hiding it is pointless.

re: Myth vs. reality: Wireless SSIDs

Steve Riley — Mon, 05 Jan 2009 21:32:48 GMT

@Brad and Matt-- nowhere did I say that hiding an SSID is the *only* security measure. I'm arguing against the notion that hiding an SSID is a good idea at all. If you use the proper security measure -- that is, WPA2 (or WPA if your devices don't support WPA2) -- then that is sufficient for protecting your traffic and keeping people from using your wireless network.

The 802.11 specifications mandate that SSIDs be broadcast. Access point manufacturers added support for hiding SSIDs a long time ago because people were too lazy to do the right thing (use encryption) and demanded the ability to hide. Well, you can't truly hide an AP. So by dropping support in Windows for something that actually breaks the protocol, it helps to improve overall security -- more people will use encryption.

re: Myth vs. reality: Wireless SSIDs

Carl — Mon, 12 Jan 2009 13:53:27 GMT

I don't see why hiding the SSID and using Mac-filtering does not increase the security if you also - as the most important step - use encryption. IMO all extra measures will increase the security - it's one more thing to pass before you hack init someone's network. I don't have wireless network for anyones use but me - so I use encryption and SSID hiding.

re: Myth vs. reality: Wireless SSIDs

Steve Riley — Mon, 12 Jan 2009 21:44:19 GMT

Let's define what "increase security" means. I'll use two definitions:

Reduce the attack surface by eliminating additional potential targets of intrusion
Eliminate a vulnerability or reduce the likelihood of a vulnerability being exploited

When you secure a wireless network with WPA2 using RADIUS or a strong pre-shared key, you have secured that network against all known threats. It is completely unnecessary to hide SSIDs and filter MAC addresses at this point: these additional efforts do not increase security beyond what you've done with WPA2.

And as I have said before, you aren't really hiding anything with these approaches. SSIDs are available in clear-text in 802.11 association frames even if the access points aren't broadcasting their SSIDs. And MAC addresses are always clear-text and are unsigned, therefore they can be spoofed and you'll never know it.

Just because you can do a thing that smells like security, it doesn't mean that you're actually reducing threats.

re: Myth vs. reality: Wireless SSIDs

Khürt Williams — Wed, 04 Mar 2009 19:18:38 GMT

I use WPA2 with a strong pre-shared key on my wireless network. I DO broadcast the SSID and do NOT use MAC address filtering because I saw little value in the security provided. It also made it a lot easier for my family to use my network when visiting.

re: Myth vs. reality: Wireless SSIDs

Mark Coleman — Thu, 09 Apr 2009 19:47:26 GMT

What I think others are trying to point out, as am I, is that not broadcasting SSID's and MAC filtering DO increase security to a degree. When non-technical staff try to find wireless access near them, they simply search with things like Windows WZC- which out of the box ignores non-broadcasting SSID's. So if say 5 in 10 people are non-technical, you've reduced the chance that NON-TECHNICAL people will find your network by AT LEAST 50%. And I'd rather have 50% less people know of it's existence then be "curious" and pursue access to my network. I'm not saying you need to agree with me, it's just my $.02.

re: Myth vs. reality: Wireless SSIDs

cray — Sat, 18 Apr 2009 17:52:20 GMT

@Mark Coleman: Hiding the SSID and using MAC filtering does not increase your security. Sure, you prevent "non-technical" people from seeing your network, but would those non-technical people have had a chance of accessing your network if you employed WPA2? Of course not.

It's like hiding the bank vault only from people who have no idea how to crack a safe in the first place. Those who do know how to crack it can find it. What's the point?

So how did you increase security with these measures?

Hiding the SSID is useless (and harmful). MAC filtering is arguably useful not as a security measure, but as an access control method, assuming the users you're controlling access for are "non-technical" (i.e. stupid in-laws)!

re: Myth vs. reality: Wireless SSIDs

Catemaco — Sat, 25 Apr 2009 03:44:40 GMT

I agree with Mark Coleman. Most people are NOT tech savvy. They don't know what a MAC address, so they're not going to spoof it, and they have no idea how to capture packets on a network. But if they are sitting outside my condo, and see my network SSID, they might just decide to take advantage of it.

And if I've had some problem where I've had to reset my wireless router, and have forgotten to enable encryption, or if I'm like my neighbor, who doesn't seem to know anything about encryption, then I'm in trouble.

Can someone address the question of performance? Does broadcasting or not broadcasting the SSID affect performance? I can pick up, no kidding, 10 different SSID's from my neighbors. Don't their SSID broadcasts increase the interference to my signal?