The Non-Broadcast SSID debate

Bob.

Member
Dec 6, 2011
130
0
76
There seem to be 2 camps regarding the issue of non-broadcast SSIDs and whether or not it is a "security feature".

There are credible sources on each side of this debate, so it's difficult to land on one side or the other. I am broadcasting my SSID and have for quite some time. I also don't use the wireless MAC filter. http://blogs.technet.com/b/networki...-hidden-wireless-networks-are-a-bad-idea.aspx

Google the terms non-broadcast SSID and you'll see the diverse opinions.

Even a TechNet blog states that non-broadcasting SSIDs are not only not a security feature, they actually recommend against non-broadcast:

Non-broadcast Wireless SSIDs - bad idea

So I'm curious as to what the consensus here is?
 

Ayah

Platinum Member
Jan 1, 2006
2,512
1
81
Because anyone scanning for APs to crack will see broadcasted and non-broadcasted SSIDs as connectable/targetable nodes.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
It's not a security feature. It's simply a bit in the SSID that tells cooperating systems not to show it in the list of "found" wireless networks. It's meaningless. Load up InSSIDer or any number of other spectrum analysis tools that are freely available and you can see them.

Also, MAC filtering is equally useless. If you have the encryption key, you can easily snoop (remember, wifi is a simplex connection) an allowed MAC and spoof your way in. If you have encryption that's not well known, there's no reason to MAC filter.

A good WPA2 AES preshared key is more than enough for any home or small business user.
 

Tsavo

Platinum Member
Sep 29, 2009
2,645
37
91
It's not a security feature. It's simply a bit in the SSID that tells cooperating systems not to show it in the list of "found" wireless networks. It's meaningless. Load up InSSIDer or any number of other spectrum analysis tools that are freely available and you can see them.

Also, MAC filtering is equally useless. If you have the encryption key, you can easily snoop (remember, wifi is a simplex connection) an allowed MAC and spoof your way in. If you have encryption that's not well known, there's no reason to MAC filter.

A good WPA2 AES preshared key is more than enough for any home or small business user.

^ That's all there is to it.
 

Bob.

Member
Dec 6, 2011
130
0
76
Thanks for the comments. I agree with what's been stated here. The real mystery is why the "controversy" exists at all? I have a friend who is attending an Information Security course at a respected college. According to him, the professor, who has serious credentials, insists that NB SSID's are an essential security layer. Huh?

And you can see from the google search that there are many who believe that as well.
 

nsafreak

Diamond Member
Oct 16, 2001
7,093
3
81
Thanks for the comments. I agree with what's been stated here. The real mystery is why the "controversy" exists at all? I have a friend who is attending an Information Security course at a respected college. According to him, the professor, who has serious credentials, insists that NB SSID's are an essential security layer. Huh?

And you can see from the google search that there are many who believe that as well.

For some reason there's still some security "experts" that insist on a security by obscurity layer. Why this is I really have no idea, my best guess is that they're stubborn or they're "more layers is better" type thinkers. If you have a good WPA2 AES encrypted key already you could add the MAC filtering & stop broadcasting your SSID as another "layer" but really it's not an effective layer at all.
 

mikeymikec

Lifer
May 19, 2011
18,042
10,223
136
Security through obscurity can be a useful layer of defence, though its effectiveness depends on what you're trying to protect (say a wifi network) from.

If the standard tool used to detect wifi networks (by the sort of people you're trying to protect your network from) detects non-broadcast SSIDs, then it sounds like a useless layer of defence.

I'm guessing that there are two groups one would want to protect their wifi network from:

1) Freeloaders
2) People who are trying to target your network in particular

The freeloaders might not go so far as to run a tool that detected non-broadcast-SSID networks, but then I imagine that they would probably be repelled by any network except ones with no encryption or something minimal like WEP.

The second group I'm pretty sure would come prepared and would do a bit of promiscuous network scanning, so not broadcasting your SSID makes little sense.

IMO it does sound pointless to not broadcast your SSID, but I can't claim any real experience of say having to investigate a wifi network breach (except, "errr, this network has no password"), I just force WPA2AES with a reasonably long password.

Wouldn't it be cool if wireless adapters / routers had the ability to handle a third party plugin to set up some custom encryption on a network?
 

Red Squirrel

No Lifer
May 24, 2003
67,904
12,374
126
www.anyf.ca
It's similar to NetBIOS shares that are "hidden". It just tells the client to not show it. That said, if you have a public network with no password that you don't want everyone connecting to, you could set it as hidden so people's devices don't keep auto-connecting to it. This is NOT a security thing though; someone who wants to connect will.
 

Bob.

Member
Dec 6, 2011
130
0
76
Anyone with a smartphone and free wifi analyzer installed can see the network is there, and learning how to sniff out the name is just a youtube video away.
 

cubby1223

Lifer
May 24, 2004
13,518
42
86
There seem to be 2 camps regarding the issue of non-broadcast SSIDs and whether or not it is a "security feature".

There are credible sources on each side of this debate

No, there are no credible sources on the side of "not broadcasting the ssid is a security feature". This whole premise of this thread is flawed.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,480
387
126
There seem to be 2 camps regarding the issue of non-broadcast SSIDs and whether or not it is a "security feature".

There used to be 2 camps 5 years ago (and most of it is still On under old date).

These days for whoever takes it objectively and are Not Noob there is No 2 camps.

No broadcasting is No security feature; furthermore, on most regular Entry Level Wireless networks it usually destabilizes the connection.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
It's not a security feature, it's still visible given the correct tools (which anyone trying to hack would have), it breaks compatibility with some devices and is universally a pain in the behind. Just don't do it.
 

Bob.

Member
Dec 6, 2011
130
0
76
There used to be 2 camps 5 years ago (and most of it is still On under old date).

These days for whoever takes it objectively and are Not Noob there is No 2 camps.

Yet there is still some debate, thus the reason for my post. While I agree that many of the articles endorsing hidden SSIDs are aged (yet not all...), there is (surprisingly) a local debate in my area (large city, nationally respected college, highly credentialed sources), of which I am one of the few dissenting voices.

There is also the fact that the setting still exists on most or all router's wireless main page with no explanation of the realities. As Red Squirrel mentions, there may be a few legitimate reasons to hide SSID, but very few, and, since we here seem to be in agreement, it's pretty clear that non-broadcasting is undesirable in most cases.

Yet the router setting still exists, front and center. And this, IMO, contributes to the pro (albeit incorrect) non-broadcast perspective.

And perhaps you are correct when you imply that only a 'noob' would believe that. This makes the presence of the hide setting all the more baffling, since the majority of the computer using world is comprised of noobs. What may seem like a no-brainer to you is quite something else to the average computer user. The setting will likely encourage the fallacy.


No broadcasting is No security feature; furthermore, on most regular Entry Level Wireless networks it usually destabilizes the connection.
Re-reading my OP and subsequent post (#5) should provide clarity. My puzzlement is regarding the controversy, not whether NB SSID is a security feature.

To all: Thanks for your responses.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,480
387
126
Yet the router setting still exists, front and center. And this, IMO, contributes to the pro (albeit incorrect) non-broadcast perspective.

About 90% of Wireless Router settings have to stay on Default when used in Regular End Users Environment.

The Menu Entries are there because Wireless Routers are also used in a Variety of Commercial, Corporate, and other High End Uses where switching Off the Broadcasting might be preferable.


 

Fardringle

Diamond Member
Oct 23, 2000
9,190
755
126
The reason there is still any 'debate' on the subject is because people like to believe what they want to believe, no matter what the actual evidence says.

Anyone that actually knows anything about wireless networks knows that hiding the SSID is not a valid security feature. It has about the same effect as not putting your house number on your mailbox in order to avoid getting junk mail. It might take the mail delivery person a few extra seconds to verify the correct address, but that's it, you'll still get the mail because you haven't really hidden anything at all.
 

BonzaiDuck

Lifer
Jun 30, 2004
15,785
1,500
126
All my posts over the last couple weeks deal with a six-year-old laptop I've acquired and upgraded. I'm not unfamiliar with "wireless" networking: I've set up two wireless configurations over the last ten years. The laptop acquisition has now enabled me to open up the wireless features of my CISCO router. It was a matter of a few minutes.

I've also been testing different wireless adapters for the laptop. One of them "didn't take," and I didn't want to waste time further. I've got 5G and am not using any of channels 1 to 11. Of course the biggest concern has been security.

I now find my neighbors, who are even more visible through Vistumbler, have left open unsecured and unencrypted access to their networks. Just finding the possibility that they have done so got me working to tie up my own nest here.

I guess I can't make up my mind to tell them about their vulnerabilities. They might think I'm a busy-body.

As for the SSID issue. Testing one wireless adapter (which I didn't like very much), I discovered that it masks the name of my router SSID with a different name. This "security" feature is probably the reason that particular adapter gave me so much trouble.

Suppose a neighbor sees your SSID? Could he figure out your router password? Even if he could, you might have disabled the ability to administer the network from other than wired connections. But not being a hacker myself, I can only do my best to erect safeguards and barriers -- and obviously, WPA2/AES.
 

Bob.

Member
Dec 6, 2011
130
0
76
I guess I can't make up my mind to tell them about their vulnerabilities. They might think I'm a busy-body.

I'd consider that a service.

Suppose a neighbor sees your SSID? Could he figure out your router password? Even if he could, you might have disabled the ability to administer the network from other than wired connections. But not being a hacker myself, I can only do my best to erect safeguards and barriers -- and obviously, WPA2/AES.
Use a strong password and you should be fine. My pw is 42 random characters, including numbers and special characters. I keep my passwords in the free Password Safe:

http://passwordsafe.sourceforge.net/

When I need to connect a device (rarely, since my only wireless is a laptop and a few smartphones), I just paste the pw into a txt file and use a usb key to paste it to the device.

Most who hack into networks are looking for the easy target. Your neighbor, for instance. :whiste:
 

Bob.

Member
Dec 6, 2011
130
0
76
The Menu Entries are there because Wireless Routers are also used in a Variety of Commercial, Corporate, and other High End Uses where switching Off the Broadcasting might be preferable.

And they are also in low end consumer routers.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Really all that "hiding" the SSID does is set the beacon frames SSID field to null. If there are no other devices attached to the WAP then it is effectively hidden only because there are no frames with the SSID (there are 4[? I think] other frames that have the SSID field) but they require something to chat to be sent. However I think you can send a sync frame over the air and the unit may reply so that may cause the SSID to be transmitted. So in a large environment like an office, it is completely useless as there is always something connected. At home it may be fairly masked if nothing is attached but that is becoming rare as most people have cell phones etc that are connected all night which then broadcast the SSID all over which would let netstumbler and inSSIDer find it in milliseconds.
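
An added example, not part of imagoon's post: a small Python parser that pulls the SSID element out of 802.11 management frames, illustrating the point that the name is blanked only in the beacon while probe responses and (re)association requests still carry it. The frames, MAC addresses and the name "HomeNet" are constructed sample data, not a capture.

```python
HDR_LEN = 24  # frame control, duration, 3 addresses, sequence control
# Bytes of fixed fields before the tagged elements, per management subtype.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
NAMES = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req",
         5: "probe-resp", 8: "beacon"}

def parse_ssid(frame):
    """Return (subtype name, BSSID, SSID bytes), or None if unsupported/truncated."""
    if len(frame) < HDR_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:  # management frames only
        return None
    bssid = frame[16:22].hex(":")  # address 3 (the BSSID in these samples)
    pos = HDR_LEN + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):  # walk the id/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            return None  # element runs past the end of the frame
        if eid == 0:  # element ID 0 is the SSID
            return NAMES[subtype], bssid, body
        pos += 2 + elen
    return None

def is_hidden(ssid):
    """Hidden beacons carry a zero-length SSID or one filled with NUL bytes."""
    return not any(ssid)

def audit(frames):
    """Per BSSID: is the beacon SSID hidden, and which frames still name it?"""
    report = {}
    for frame in frames:
        parsed = parse_ssid(frame)
        if parsed is None:
            continue
        kind, bssid, ssid = parsed
        entry = report.setdefault(bssid, {"hidden_beacon": False, "leaks": []})
        if kind == "beacon":
            entry["hidden_beacon"] = is_hidden(ssid)
        elif not is_hidden(ssid):
            entry["leaks"].append((kind, ssid.decode("utf-8", "replace")))
    return report

def build(subtype, ssid, bssid=bytes.fromhex("020000000001")):
    """Constructed sample frame (not a capture): header, fixed fields, SSID IE."""
    sta = bytes.fromhex("020000000002")
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + sta + sta + bssid + b"\x00\x00"
    return hdr + bytes(FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid + b"\x01\x01\x82"

# Constructed traffic: two styles of hidden beacon, then a probe response
# and an association request from a client joining the same network.
SAMPLES = [build(8, b""), build(8, b"\x00" * 7),
           build(5, b"HomeNet"), build(0, b"HomeNet")]
```

Running `audit(SAMPLES)` reports the access point's beacon as hidden and lists both non-beacon frames as carrying the name in the clear.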
 

KingFatty

Diamond Member
Dec 29, 2010
3,034
1
81
The only use for hiding it would be if you have a naughty SSID name and would be embarrassed to have your non-techie neighbors see it...
 

Lorne

Senior member
Feb 5, 2001
874
1
76
I have tried both settings over the years, with ups and downs with both.

Early days I had to set it to broadcast, otherwise wireless clients randomly wouldn't connect at all, and would have constant hits from other locals trying to hack in.
Early days of hardwire, left wireless on and just hid the SSID and no hacking at all.

A few years later they made improvements in host client communications and had to only turn on the SSID to add new clients. Had a lot of messages of yahoos (not the company) trying to hack in again and turned it off.

Today with phones and other devices I just leave SSID broadcast on all the time, or there are too many issues requiring me to turn it back on, and just don't care.
Too many idiots DL bugs and opening the doors behind the wireless, I just keep myself invisible on the LAN port.
Still get the same amount of local punk wannabe hackers hitting it.

It only helps to deter local wannabe hackers.
You can't stop determination.
 

Bob.

Member
Dec 6, 2011
130
0
76
Really all that "hiding" the SSID does is set the beacon frames SSID field to null. If there are no other devices attached to the WAP then it is effectively hidden only because there are no frames with the SSID (there are 4[? I think] other frames that have the SSID field) but they require something to chat to be sent. However I think you can send a sync frame over the air and the unit may reply so that may cause the SSID to be transmitted. So in a large environment like an office, it is completely useless as there is always something connected. At home it may be fairly masked if nothing is attached but that is becoming rare as most people have cell phones etc that are connected all night which then broadcast the SSID all over which would let netstumbler and inSSIDer find it in milliseconds.

That's a good explanation of the process. Thanks! It sounds similar to what the analogy in the 2nd link in the OP attempts to portray.
 

Bob.

Member
Dec 6, 2011
130
0
76
The only use for hiding it would be if you have a naughty SSID name and would be embarrassed to have your non-techie neighbors see it...

It sounds as though you speak from experience.

Still get the same amount of local punk wannabe hackers hitting it.

How do you tell it's being hit?

It only helps to deter local wannabe hackers.
You can't stop determination.

The original adage was: Locks are for honest people.
 

ch33zw1z

Lifer
Nov 4, 2004
37,995
18,344
146
Just broadcast it, it's not security. Make sure to be using WPA2 with a nice long password and you'll be fine.
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
There is no debate. Not broadcasting an SSID does nothing for security, and it causes stability and performance problems. Anyone who says it adds security is out of touch with reality, and can be shown the error in their opinion in about 2 minutes. I don't care what credentials they have. Slap my CISSP, GCWN, and GSEC certifications on that if you're looking for credentials.
 