Your SSID Isn't Hidden Forever

By Eric Geier

January 10, 2006

Don’t let the disabling of SSID broadcasting give you a false sense of security. Learn what really happens.

A common security practice among wireless network administrators is to disable Service Set Identifier (SSID) broadcasting on wireless access points or routers. The reason is that disabling SSID broadcasting is supposed to hide and protect their wireless network. Even if an individual knows there is a wireless network at a certain location, this person must know the SSID to establish a connection with the network.

Therefore, hiding the SSID by disabling SSID broadcasting helps to prevent others from connecting to the network. Don’t let this give you a false sense of security, however. People with the right equipment can easily retrieve the SSID of the network.

The SSID Broadcasting Option

As a default configuration, the beacons sent from wireless access points or routers, which notify wireless clients of nearby networks, contain the SSID. The SSID, for example, shows up in Windows XP’s list of available wireless networks.

However, when SSID broadcasting is disabled, the SSID isn’t sent in the beacons. This keeps the network from showing up in Windows, and in the end, along with other security measures like encryption, it helps protect your wireless network.

As an example, imagine that Brian pops open his laptop in the local coffee shop right next to your office that you recently decked out with the newest 802.11g equipment. After booting into Windows XP, he views the available wireless networks. Your network doesn’t show up, even though he’s close enough to pick up a signal.

If you hadn’t disabled SSID broadcasting in your office’s network, Brian would see yours listed as an available wireless network. If your network isn’t secured by encryption, Brian could connect through your network and access the Internet and any shared files on your computers.

Detecting a Non-Broadcasted SSID

Disabling SSID broadcasting from your wireless access point or router’s beacons, however, doesn’t prevent hackers or war drivers from detecting your wireless network and even the SSID. If Brian were a wireless hacker, he could open a legitimate software program such as AirMagnet, and easily find your network’s SSID.

AirMagnet picks up the SSID from other packets sent from wireless devices on the network. The SSID is contained in the 802.11 association request, and in certain instances, the probe request and response packets as well, even though you have SSID broadcasting disabled. For example, the SSID of your network could be found by AirMagnet when a computer on your network is booted up and causes the wireless client to send an association request packet to the wireless access point to gain access to the network.

Hackers and wardrivers can also use tools like AirJack to reveal a hidden network’s SSID on demand. These tools usually work by sending a spoofed 802.11 Deauthentication frame to a particular wireless client. This causes the wireless client to re-authenticate and re-associate with the access point. The tools can then quickly capture the SSID of the network from the association request frame.

In the Test Lab

To prove what I’m saying above is accurate, I’ll share with you my experience in the Lab. Warning: Hard hats required beyond this point!

[Figure: AirMagnet shows no SSID]

I booted up AirMagnet’s Laptop Analyzer to verify that the test network was closed (SSID broadcasting disabled). As you can see in the figure, the SSID isn’t contained in the beacons. As expected, the SSID field is blank.

[Figure: SSID revealed]

I then captured packets while booting up my laptop. As you can see in this figure, the Association Request frame from the laptop’s wireless client contains the SSID of the network, which is WirelessGuru. Now, that’s a problem.

I also noticed that, occasionally, the wireless client on the seemingly hidden network would broadcast probe requests, and the access point would reply with the closed network’s SSID. This scenario provides yet another way for wireless analyzers to pick up the hidden SSID. Probe responses are part of the active scanning method wireless clients use to find networks. Thus, a hacker can get the SSID immediately, without having to wait until a user connects to the network. Manufacturers implement scanning methods in different ways; the process won’t be the same for all wireless clients.
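The following sketch is an added example, not part of the original article or of AirMagnet. It parses the SSID element (tag 0) out of raw 802.11 management frames so you can audit which frame types on your own closed network still carry the name. The frames in CAPTURE are constructed for illustration, and the function names are hypothetical.

```python
# Management subtype -> (name, bytes of fixed fields before the tagged parameters).
SUBTYPES = {0x0: ("assoc-req", 4), 0x2: ("reassoc-req", 10), 0x4: ("probe-req", 0),
            0x5: ("probe-resp", 12), 0x8: ("beacon", 12)}

def ssid_in_frame(frame: bytes):
    """Return (subtype_name, ssid or None) for one 802.11 management frame.
    ssid is None when the element is absent, zero-length or all NULs, the
    two ways a beacon is blanked when SSID broadcasting is disabled."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return ("other", None)
    name, fixed_len = SUBTYPES[subtype]
    pos = 24 + fixed_len
    while pos + 2 <= len(frame):                 # walk tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                # truncated element, stop parsing
        if tag == 0:                             # SSID element
            if not value.strip(b"\x00"):
                return (name, None)
            return (name, value.decode("utf-8", "replace"))
        pos += 2 + length
    return (name, None)

def disclosures(frames):
    """Subtype and SSID for every frame that carries a readable SSID."""
    found = [ssid_in_frame(f) for f in frames]
    return [(name, ssid) for name, ssid in found if ssid is not None]

def _mgmt(subtype, fixed_len, ssid):
    """Constructed frame: 24-byte header, zeroed fixed fields, SSID and rates elements."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + b"\x02" * 12 + b"\x00\x00"
    return hdr + bytes(fixed_len) + bytes([0, len(ssid)]) + ssid + b"\x01\x02\x82\x84"

# Constructed sample capture from a network with SSID broadcasting disabled.
CAPTURE = [
    _mgmt(0x8, 12, b""),               # beacon, zero-length SSID
    _mgmt(0x8, 12, b"\x00" * 12),      # beacon, NUL-padded SSID
    _mgmt(0x5, 12, b"WirelessGuru"),   # probe response
    _mgmt(0x0, 4, b"WirelessGuru"),    # association request
]

if __name__ == "__main__":
    for name, ssid in disclosures(CAPTURE):
        print(f"{name}: {ssid}")
```

Both beacons report no SSID, while the probe response and the association request each disclose it, matching what the analyzer showed in the lab.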

Things to Remember

Okay, what do you really need to know about disabling SSID broadcasting? Keep the following in mind:

  • The disabling of SSID broadcasting may help secure your wireless network by hiding your network from casual users.
  • Readily available analysis tools will spot the network’s SSID in a matter of time, no matter what you do.
  • Using the hidden SSID feature on your network doesn’t excuse you from using other methods like WEP or WPA to further secure your network.

Just don’t depend too much on disabling SSID broadcasting for securing your network.

Eric Geier is a computing and wireless networking author and consultant. He is employed with Wireless-Nets, Ltd., a consulting firm focusing on the implementation of wireless mobile solutions and training. He is an author of Geeks on Call - Wireless Networking: 5-Minute Fixes and Geeks on Call - PCs: 5-Minute Fixes, published by John Wiley & Sons.

Originally published on .
