Seems like every guide to securing your wireless network tells you to keep your SSID from broadcasting to make your network more secure, but is that really worthwhile? Let’s take a look at one of the silliest myths out there.
This myth has been around for a very long time, and we aren’t expecting everybody to receive this news with happy agreement. You’re welcome to state your case in the comments for why hidden wireless networks are a great idea, but we think if you keep reading, you’ll realize that it’s just not a security feature.
Wireless SSIDs Were Never Designed to Be Hidden
Image by Chaotic Good01
It’s never a good sign when manufacturers create technologies that don’t follow the agreed-upon spec documents that ensure interoperability between vendors—it’s usually a way for them to make more money with vendor lock-in features that require you to buy their hardware.
An SSID is a network name, not — I repeat, not — a password. A wireless network has an SSID to distinguish it from other wireless networks in the vicinity. The SSID was never designed to be hidden, and therefore won’t provide your network with any kind of protection if you try to hide it.
Obviously feature demand drives the specifications, so even though everybody eventually supported hidden SSIDs, the point is that there’s no extra protection from hiding your SSID. Read on.
Finding Hidden SSIDs Is a Trivial Task
It’s extremely easy to find the ID for a “hidden” network—all you have to do is use a utility like inSSIDer, NetStumbler, or Kismet to scan the network for a short while to show all of the current networks out there. It’s really that simple, and there’s plenty of other tools that do the same job.
Don’t believe me? Grab a copy, start it up, and then click the Start Scanning button—within a minute you’ll see a list of every single network in range. You can then identify which ones are using WEP and start cracking them.
Update: Some commenters have complained that you can’t see the networks… and we should clarify: hidden networks show up as Unknown in version 1 of this particular tool, but they do show all of the other data about the network, including the encryption type and MAC address. Version 2.0 of inSSIDer actually does show the SSID for a hidden network. You’ll see in this screenshot the lhdevnet network, which I’ve hidden on the router.
Real hackers are going to be using tools like Kismet and Aircrack to figure out the SSID before they crack your network, so whether or not a particular tool is showing the right data is beside the point. Should also note that you can use this tool to figure out how to change the wireless router channel and optimize your Wi-Fi signal.
Hidden Wireless Networks Are a Pain to Deal With
Now that you know how simple it really is for people to find your ID, wouldn’t you rather use the default networking configurations where you can easily select the network from a list? Why go through all the steps required to connect to a hidden network?
For instance, on your Windows 7 box, you’ll have to go to Network and Sharing Center –> Manage Wireless Networks –> Add –> Manually Create a network profile to get to the screen where you can start entering all the details for the hidden network. For a network that is broadcasting, all you have to do is click twice.
And that’s just Windows 7, which makes wireless networking easy—having to go through all the configuration screens on every single one of your devices is just ridiculous.
Hiding the Network Leads to Potential Connection Problems
This isn’t quite as much of a problem since Windows 7 came along, but back in the Windows XP days, there were quite a few connection problems when you were using a hidden SSID, not to mention getting disconnected and connecting to the wrong network. Basically, Windows would automatically try to connect to a less preferred network that was broadcasting instead of a preferred network with a hidden SSID—the only way around it was to disable automatic connection to the broadcasting one, which was annoying as well.
The same thing holds true with some other devices—I’ve seen problems with Android phones, and you can just do some quick Google searches to find loads of other issues that are all resolved by not using a hidden SSID.
There’s another problem with hiding your wireless network name: depending on the device, many devices won’t let you automatically connect to a hidden network, and if you have automatic connection enabled, you’re actually leaking your network name, as we’ll explore below.
Hidden Wireless SSIDs Actually Leak Your SSID Name
When you hide your wireless SSID on the router side of things, what actually happens behind the scenes is that your laptop or mobile device is going to start pinging over the air to try and find your router—no matter where you are. So you’re sitting there at the neighborhood coffee shop, and your laptop or iPhone is telling anybody with a network scanner that you’ve got a hidden network at your house or job.
Microsoft’s Technet explains exactly why hidden SSIDs are not a security feature, especially with older clients:
A non-broadcast network is not undetectable. Non-broadcast networks are advertised in the probe requests sent out by wireless clients and in the responses to the probe requests sent by wireless APs. Unlike broadcast networks, wireless clients running Windows XP with Service Pack 2 or Windows Server® 2003 with Service Pack 1 that are configured to connect to non-broadcast networks are constantly disclosing the SSID of those networks, even when those networks are not in range.
Therefore, using non-broadcast networks compromises the privacy of the wireless network configuration of a Windows XP or Windows Server 2003-based wireless client because it is periodically disclosing its set of preferred non-broadcast wireless networks.
The behavior is a little better in Windows 7 or Vista as long as you don’t have automatic connection enabled—the only way to be sure that you’re not leaking the network name is to disable automatic connection to wireless networks with a hidden SSID. Microsoft’s explanation:
The Connect even if the network is not broadcasting check box determines whether the wireless network broadcasts (cleared, the default value) or does not broadcast (selected) its SSID. When selected, Wireless Auto Configuration sends probe requests to discover if the non-broadcast network is in range.
How Should You Secure Your Network Then?
When it comes to wireless network security, there’s really only one rule that you need to follow: Use WPA2 encryption, and make sure that you are using a strong network key. If you’re on a wireless hotspot that isn’t your own, be sure to read our guide to keeping secure on a public wireless hotspot.
If you’re not using encryption, or you’re using the pathetic WEP encryption scheme, it doesn’t matter whether you hide your SSID, filter MAC addresses, or cover your head in tin foil—your network is wide open for hacking in a matter of minutes.
Myth status: Debunked.
Monday, September 13, 2010
Debunking Myths: Is Hiding Your Wireless SSID Really More Secure?