SSID Isn't Hidden Forever

Originally Published by Wi-Fi Planet on January 10, 2006

A security practice among wireless network administrators is to disable
Service Set Identifier (SSID) broadcasting on wireless access points
or routers. The reason is that disabling SSID broadcasting is supposed
to hide and protect their wireless network. Even if an individual
knows there is a wireless network at a certain location, this person
must know the SSID to establish a connection with the network.

Hiding the SSID by disabling SSID broadcasting helps to prevent others
from connecting to the network. Don't let this give you a false
sense of security, however. People with the right equipment can easily
retrieve the SSID of the network.

As a default configuration, the beacons sent from wireless access
points or routers, which notify wireless clients of nearby networks,
contain the SSID. The SSID, for example, shows up in Windows XP's list
of available wireless networks.

When SSID broadcasting is disabled, the SSID isn't sent in the beacons.
This keeps the network from showing up in Windows, and in the end,
along with other security measures like encryption, it helps protect
your wireless network.

As an example, imagine that Brian pops open his laptop in the local
coffee shop right next to your office that you recently decked out
with the newest 802.11g equipment. After booting into Windows XP, he
views the available wireless networks. Your network doesn't show up,
even though he's close enough to pick up a signal.

If you hadn't disabled SSID broadcasting in your office's network,
Brian would see yours listed as an available wireless network. If your
network isn't secured by encryption, Brian could connect through your
network and access the Internet and any shared files on your computers.

Disabling SSID broadcasting from your wireless access point or router's
beacons, however, doesn't prevent hackers or war drivers from detecting
your wireless network and even the SSID. If Brian were a wireless
hacker, he could open a legitimate software program such as AirMagnet
and easily find your network's SSID.

The program picks up the SSID from other packets sent from wireless
devices on the network. The SSID is contained in the 802.11 association
request, and in certain instances, the probe request and response
packets as well, even though you have SSID broadcasting disabled. For
example, the SSID of your network could be found by AirMagnet when a
computer on your network is booted up and causes the wireless client
to send an association request packet to the wireless access point to
gain access to the network.

Wardrivers can also use tools like AirJack
to reveal a hidden network's SSID on demand. These tools usually
work by sending a spoofed 802.11 Deauthentication frame to a
particular wireless client. This causes the wireless client to
re-authenticate and re-associate with the access point. The tools can
then quickly capture the SSID of the network from the association

In the Test

To prove what I'm saying above is accurate, I'll share with you my
experience in the Lab. Warning: Hard hats required beyond this point!

I booted up AirMagnet's Laptop Analyzer to verify that the test network
was closed (SSID broadcasting disabled). As you can see in the
figure, the SSID isn't contained in the beacons. As expected, the SSID
field is blank.

I then captured packets while booting up my laptop. As you can see in
this figure, the Association Request frame from the laptop's wireless
client contains the SSID of the network, which is WirelessGuru. Now,
that's a problem.

I also noticed that, occasionally, the wireless client on the seemingly
hidden network would broadcast probe requests, and the access point
would reply with the closed network's SSID. This scenario provides yet
another way for wireless analyzers to pick up the hidden SSID. Probe
responses are part of the active scanning method wireless clients use
to find networks. Thus, a hacker can get the SSID immediately, without
having to wait until a user connects to the network. Manufacturers
implement scanning methods in different ways; the process won't be
the same for all wireless clients.
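
The frame types discussed above, as an added example (not from the original article and not AirMagnet's code): a small Python parser that walks the tagged elements of 802.11 management frames and shows the SSID element blank in a closed network's beacon but present in the association request and probe response. The frame bytes, placeholder addresses and helper names are constructed for illustration.

```python
# Added example: where the SSID appears in 802.11 management frames.
# All frames below are constructed sample bytes, not captured traffic.

# subtype -> (name, length of the fixed fields before the tagged elements)
MGMT = {0: ("assoc-req", 4), 4: ("probe-req", 0),
        5: ("probe-resp", 12), 8: ("beacon", 12)}
HDR_LEN = 24  # frame control, duration, three addresses, sequence control

def ssid_of(frame: bytes):
    """Return (subtype name, SSID or None) for one management frame."""
    if len(frame) < HDR_LEN:
        raise ValueError("truncated header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in MGMT:
        return ("other", None)            # not a management frame we parse
    name, fixed = MGMT[subtype]
    pos = HDR_LEN + fixed
    while pos + 2 <= len(frame):          # walk id/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            raise ValueError("truncated element")
        if eid == 0:                      # element ID 0 is the SSID
            # Zero-length or all-NUL SSID: no name disclosed
            # (closed-network beacon, or a wildcard probe request).
            blank = not any(body)
            return (name, None if blank else body.decode("utf-8", "replace"))
        pos += 2 + elen
    return (name, None)

def _frame(subtype: int, fixed_len: int, ssid: bytes) -> bytes:
    """Build a constructed test frame with all-zero placeholder addresses."""
    hdr = bytes([subtype << 4, 0]) + bytes(2) + bytes(18) + bytes(2)
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported-rates element
    return hdr + bytes(fixed_len) + bytes([0, len(ssid)]) + ssid + rates

SAMPLES = [
    _frame(8, 12, b""),              # beacon from the closed network
    _frame(0, 4, b"WirelessGuru"),   # association request from a client
    _frame(5, 12, b"WirelessGuru"),  # probe response from the access point
]

def leaked_ssids(frames):
    """SSIDs disclosed by frames other than beacons."""
    return sorted({s for n, s in map(ssid_of, frames) if s and n != "beacon"})

if __name__ == "__main__":
    for f in SAMPLES:
        print(ssid_of(f))
    print("disclosed outside beacons:", leaked_ssids(SAMPLES))
```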

Okay, what do you really need to know about disabling SSID
broadcasting? Keep the following in mind:

Disabling of SSID broadcasting may help secure your wireless
network by hiding your network from casual users.

Available analysis tools will spot the network's SSID in a
matter of time, no matter what you do.

Using the hidden SSID feature on your network doesn't excuse you from
using other methods like WEP or WPA to further secure your

Don't depend too much on disabling SSID broadcasting for securing your