Your SSID Isn't Hidden Forever
January 10, 2006
Don't let the disabling of SSID broadcasting give you a false sense of security. Learn what really happens.
A common security practice among wireless network administrators is to disable Service Set Identifier (SSID) broadcasting on wireless access points or routers. The reason is that disabling SSID broadcasting is supposed to hide and protect their wireless network. Even if an individual knows there is a wireless network at a certain location, this person must know the SSID to establish a connection with the network.
Therefore, hiding the SSID by disabling SSID broadcasting helps to prevent others from connecting to the network. Don't let this give you a false sense of security, however. People with the right equipment can easily retrieve the SSID of the network.
The SSID Broadcasting Option
However, when SSID broadcasting is disabled, the SSID isn't sent in the beacons. This keeps the network from showing up in Windows, and in the end, along with other security measures like encryption, it helps protect your wireless network.
As an example, imagine that Brian pops open his laptop in the local coffee shop right next to your office that you recently decked out with the newest 802.11g equipment. After booting into Windows XP, he views the available wireless networks. Your network doesn't show up, even though he's close enough to pick up a signal.
If you hadn't disabled SSID broadcasting in your office's network, Brian would see yours listed as an available wireless network. If your network isn't secured by encryption, Brian could connect through your network and access the Internet and any shared files on your computers.
Detecting a Non-Broadcasted SSID
Disabling SSID broadcasting from your wireless access point or router's beacons, however, doesn't prevent hackers or war drivers from detecting your wireless network and even the SSID. If Brian were a wireless hacker, he could open a legitimate software program such as AirMagnet, and easily find your network's SSID.
AirMagnet picks up the SSID from other packets sent from wireless devices on the network. The SSID is contained in the 802.11 association request, and in certain instances, the probe request and response packets as well, even though you have SSID broadcasting disabled. For example, the SSID of your network could be found by AirMagnet when a computer on your network is booted up and causes the wireless client to send an association request packet to the wireless access point to gain access to the network.
Hackers and wardrivers can also use tools like AirJack to reveal a hidden network's SSID on demand. These tools usually work by sending a spoofed 802.11 Deauthentication frame to a particular wireless client. This causes the wireless client to re-authenticate and re-associate with the access point. The tools can then quickly capture the SSID of the network from the association request frame.
In the Test Lab
To prove what I'm saying above is accurate, I'll share with you my experience in the Lab. Warning: Hard hats required beyond this point!
I booted up AirMagnet's Laptop Analyzer to verify that the test network was closed (SSID broadcasting disabled). As you can see in the figure, the SSID isn't contained in the beacons. As expected, the SSID field is blank.
I then captured packets while booting up my laptop. As you can see in this figure, the Association Request frame from the laptop's wireless client contains the SSID of the network, which is WirelessGuru. Now, that's a problem.
I also noticed that, occasionally, the wireless client on the seemingly hidden network would broadcast probe requests, and the access point would reply with the closed network's SSID. This scenario provides yet another way for wireless analyzers to pick up the hidden SSID. Probe responses are part of the active scanning method wireless clients use to find networks. Thus, a hacker can get the SSID immediately, without having to wait until a user connects to the network. Manufacturers implement scanning methods in different ways; the process won't be the same for all wireless clients.
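The three frame types compared in this lab can be checked by walking each frame's tagged elements to the SSID element (ID 0). The following is an added example, not code from the original article or from AirMagnet; the frames are constructed by hand with placeholder MAC addresses, and the function names are hypothetical.

```python
MGMT_HEADER_LEN = 24  # frame control, duration, three addresses, sequence control
# Bytes of fixed parameters that precede the tagged elements, per subtype.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
NAMES = {0: "association request", 2: "reassociation request",
         4: "probe request", 5: "probe response", 8: "beacon"}

def ssid_from_frame(frame: bytes):
    """Return (subtype name, SSID or None) for an 802.11 management frame.

    None means no usable SSID: element absent, zero length, or all NUL
    bytes (common ways a closed network blanks the field in beacons).
    """
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("truncated header")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        raise ValueError("not a supported management frame")
    pos = MGMT_HEADER_LEN + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elem_len]
        if len(value) < elem_len:
            raise ValueError("truncated element")
        if elem_id == 0:  # SSID element
            hidden = not value.strip(b"\x00")
            return NAMES[subtype], None if hidden else value.decode("utf-8", "replace")
        pos += 2 + elem_len
    return NAMES[subtype], None

# Constructed sample frames (not captured traffic); placeholder MAC addresses.
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
RATES = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported-rates element

def make_frame(subtype, dst, src, ssid):
    header = bytes([subtype << 4, 0, 0, 0]) + dst + src + AP + b"\x00\x00"
    fixed = bytes(FIXED_LEN[subtype])  # zeroed fixed parameters
    return header + fixed + bytes([0, len(ssid)]) + ssid + RATES

SAMPLES = [
    make_frame(8, b"\xff" * 6, AP, b""),      # beacon from the closed network
    make_frame(0, AP, STA, b"WirelessGuru"),  # client associating at boot
    make_frame(5, STA, AP, b"WirelessGuru"),  # AP answering a probe request
]

def observed():
    return [ssid_from_frame(f) for f in SAMPLES]

if __name__ == "__main__":
    for name, ssid in observed():
        print(f"{name:22} SSID: {ssid!r}")
```

Only the beacon comes back with no SSID; the association request and probe response both carry the name in the clear, which is why an audit of a closed network should look at all management frames rather than beacons alone.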
Things to Remember
Okay, what do you really need to know about disabling SSID broadcasting? Keep the following in mind:
- The disabling of SSID broadcasting may help secure your wireless network by hiding your network from casual users.
- Readily available analysis tools will spot the network's SSID in a matter of time, no matter what you do.
- Using the hidden SSID feature on your network doesn't excuse you from using other methods like WEP or WPA to further secure your network.
Just don't depend too much on disabling SSID broadcasting for securing your network.
Eric Geier is a computing and wireless networking author and consultant. He is employed with Wireless-Nets, Ltd., a consulting firm focusing on the implementation of wireless mobile solutions and training. He is an author of Geeks on Call - Wireless Networking: 5-Minute Fixes and Geeks on Call - PCs: 5-Minute Fixes, published by John Wiley & Sons.