Myth vs. reality: Wireless SSIDs


Do you ever wonder sometimes how it is that some ideas just won’t die? Like the thought that not broadcasting your wireless network’s SSID will somehow make you more secure? This is a myth that needs to be forcibly dragged out behind the woodshed, strangled until it wheezes its last labored breath, then shot several times for good measure.

Folks, there are fundamental differences between names, which are public claims of identities, and authenticators, which are secrets used to prove identities, and I’ve written extensively about this before. An SSID is a network name, not — I repeat, not — a password. A wireless network has an SSID to distinguish it from other wireless networks in the vicinity. The SSID was never designed to be hidden, and therefore won’t provide your network with any kind of protection if you try to hide it. It’s a violation of the 802.11 specification to keep your SSID hidden; the 802.11i specification amendment (which defines WPA2, discussed later) even states that a computer can refuse to communicate with an access point that doesn’t broadcast its SSID. And, even if you think your SSID is hidden, it really isn’t. Let me explain.

All 802.11 wireless networks, regardless of the kind of operating system or encryption you might use, also emit unencrypted frames at times. One kind of unencrypted frame is an association frame. This is what a client computer, or “supplicant” in the 802.11 protocol vernacular, emits when it wants to join a wireless network. Contained within the frame, in clear text of course (since the frame is unencrypted), is the SSID of the network the supplicant wants to join.

Both Windows XP and Vista work best when your access points broadcast their SSIDs. XP really doesn’t behave well at all with nonbroadcasting SSIDs. Vista has some added smarts to improve this a bit. Normally, Vista continually sends probe requests for nonbroadcasting networks. These probes are similar to unencrypted 802.11 association frames, and will generate clear-text responses from the access points if a nonbroadcasting network is present. You can reduce, but not entirely eliminate, these probes by configuring the wireless client to probe only for automatically-connected nonbroadcasting networks.

Both these behaviors make it very easy for an attacker to discover your SSID. The bad guy, perhaps a contractor or a guest in your facility, could run one of many wireless sniffer programs and simply capture the hundreds of association frames or probes that litter your air. No amount of “hiding” configured in your access points can prevent this kind of traffic interception.

So there you have it, simple SSID discovery. The old axiom remains true: security by obscurity is no security at all. Hiding an SSID will not hide a wireless network, so ignore any such advice — and it’s amazing how often I continue to see this. By the way, also ignore any advice that says to use MAC address filtering. It’s amazingly trivial to spoof the MAC address of an allowed supplicant — simply sniff the traffic, look at the MAC addresses, and use the neat little SMAC utility to change your MAC to one that’s permitted.

Nonbroadcasting networks are not secure networks. The right way to secure a wireless network is to use protocols that are designed specifically to address wireless network threats. If you’re still using WEP, either static or dynamic, I encourage you to move to WPA2 as soon as possible. For those of you at home running XP and have kept it updated, or if you’re running Vista, then, you simply need to enable WPA2. We’ve got some additional guidance for home/small offices and for enterprise networks with certificate services or without. If you have hardware that’s more than two years old and you can’t upgrade it, check to see whether it supports WPA (an interim specification released before WPA2 was ratified). Both WPA and WPA2 are built on sound cryptographic principles, they’re proven in the field, and they’ll keep the bad guys out — even when you’re broadcasting your SSID to the world.

Comments (27)

  1. Anonymous says:

    In Microsoft CTS Network support, we frequently need to troubleshoot wireless connectivity issues. These

  2. Anonymous says:

    Info on SSID http://blogs.technet.com/steriley/archive/2007/10/16/myth-vs-reality-wireless-ssids.aspx — ===== Glenn ===== 2007/10/24 Hi! I will be posting here some blog links that I think will be usefull for all Engineer. You can expect that mo…

  3. Anonymous says:

    Steve Riley has a great post on why hiding your SSID doesn’t make your wireless network more secure.

  4. Anonymous says:

    In questo articolo apparso sul suo blog, Steve Riley vuole sfatare il mito secondo cui utilizzare un

  5. Anonymous says:

    SMAC is a powerful, yet easy to use MAC Address Changer (Spoofer) for Windows VISTA, 2003, XP, and 2000

  6. Anonymous says:

    Let’s define what “increase security” means. I’ll use two definitions:

    • Reduce the attack surface by eliminating additional potential targets of intrusion
    • Eliminate a vulnerability or reduce the likelihood of a vulnerability being exploited

    When you secure a wireless network with WPA2 using RADIUS or a strong pre-shared key, you have secured that network against all known threats. It is completely unnecessary to hide SSIDs and filter MAC addresses at this point: these additional efforts do not increase security beyond what you’ve done with WPA2.

    And as I have said before, you aren’t really hiding anything with these approaches. SSIDs are available in clear-text in 802.11 association frames even if the access points aren’t broadcasting their SSIDs. And MAC addresses are always clear-text and are unsigned, therefore they can be spoofed and you’ll never know it.

    Just because you can do a thing that smells like security, it doesn’t mean that you’re actually reducing threats.

  7. Anonymous says:

    Hiding an SSID will not hide a wireless network

  8. Anonymous says:

    Good article on SSIDs and why it doesn’t make sense (well at least in most cases) to hide the SSID in

  9. Anonymous says:

    For those of us still on Windows XP SP2 here is the KB link to add WPA2 support on Windows XP  http://support.Microsoft.com/?id=893357

    pretty handy.

    as usual great article Steve 🙂

  10. Anonymous says:

    DanielD– Thanks for letting me know about this. I will try to get it fixed.

  11. Anonymous says:

    @Brad and Matt– nowhere did I say that hiding an SSID is the *only* security measure. I’m arguing against the notion that hiding an SSID is a good idea at all. If you use the proper security measure — that is, WPA2 (or WPA if your devices don’t support WPA2) — then that is sufficient for protecting your traffic and keeping people from using your wireless network.

    The 802.11 specifications mandate that SSIDs be broadcast. Access point manufacturers added support for hiding SSIDs a long time ago because people were too lazy to do the right thing (use encryption) and demanded the ability to hide. Well, you can’t truly hide an AP. So by dropping support in Windows for something that actually breaks the protocol, it helps to improve overall security — more people will use encryption.

  12. Ben Knight says:

    Hey Steve,

    Excellent article. Goes absolutely hand in hand with the lecture I had a Uni today! It’s amazing the amount of confusion and false sense of security surrounding wireless, even amongst IT students.

  13. rod says:

    Thank you.  I work as Level II support for a wireless manufacturer (for the WISP market, not the wireless inside the house variety) and you’d be amazed how many WISPs think that things will be much more secure if they just hide the SSID.  

  14. Simon Sterne says:

    It is an excellent article regarding the flaws found in the SSID and MAC address filtering.Regardless of their weak points,they can, however, help reveal the ids of the snooping individual’s MACs and SSIDs to some degree. I have two notebooks wirelessly connected to each other by a point-2-point bridge.The wireles bridge then connects 2 a network of six Windows 9x systems.In all,I have a wired network connected 2 a wireless network via an access point which works as a router to connect the Windows 9x systems 2 the network.Given the small size of my home network,is it practical to buy the WPA or WPA2 security software?So far I seem to have no security problem I am ware of with my petit network.By the way,the notebooks are installed with Windows 2000 Professional.

  15. Simon Sterne says:

    It is an excellent article regarding the flaws found in the SSID and MAC address filtering.Regardless of their weak points,they can, however, help reveal the ids of the snooping individual’s MACs and SSIDs to some degree. I have two notebooks wirelessly connected to each other by a point-2-point bridge.The wireles bridge then connects 2 a network of six Windows 9x systems.In all,I have a wired network connected 2 a wireless network via an access point which works as a router to connect the Windows 9x systems 2 the network.Given the small size of my home network,is it practical to buy the WPA or WPA2 security software?So far I seem to have no security problem I am ware of with my petit network.By the way,the notebooks are installed with Windows 2000 Professional.

  16. Andy Dowling says:

    I’m always surprised by the dozen or so unsecured, publicly accessible WAPs in my neighborhood (in Hong Kong) that have SSID broadcasting disabled. It’s a bit like saying, "I can’t be bothered to secure this, but it’s a private network, ok?"

    Disabling SSID broadcasting probably does provide them with a little security though, since there are so many other publicly accessible WAPs present in the area that they’re unlikely to get too much attention.

  17. Danield says:

    This is great article and I totally agree with it. Too bad that it wasn’t read by the people who prepared the questions for "Microsoft Security Assesment Tool". I lost points because my AP SSID is not hidden.

  18. brad says:

    Wait a mo – who said that hiding an SSID is the *only* security measure to be used?  Hiding the SSID, changing it’s name to something not easily guessed, *AND* enabling WPA2 (at least) security are *all* necessary steps to keeping folks from leeching off of your WAP

    The *real* security issue here is M$oft’s refusal to make it easy for folks to hide their SSID.  Linux and MAC OS X don’t have this onerous requirement, only the morons at M$oft, who also brought you Internet Exploiter, and every single security compromise ever dreamt of, in one, easy-to-use package (Windows).

  19. Matt says:

    Great article Steve but equally great point @brad, I currently have my SSID hidden and I’ve also given it some obscure name whilst enabling WPA2, whilst this is not currently possible with VISTA SP1 (if it is I’ve not found ways to make it work), it is possible with the VISTA SP2 (Beta mind you), I have vista SP2 installed and so far so good.

  20. james says:

    @Brad,

    You don’t need to "guess" an SSID, so hiding it is pointless.

  21. carl says:

    I don’t see why hiding the SSID and using Mac-filtering does not increase the security if you also – as the most important step – use encryption. IMO all extra measures will increase the security – it’s one more thing to pass before you hack init someone’s network. I don’t have wireless network for anyones use but me – so I use encryption and SSID hiding.

  22. Khürt Williams says:

    I use WPA2 with a strong pre-shared key on my wireless network.  I DO broadcast the SSID and do NOT use MAC address filtering because I saw little value in the security provided.  It also made it a lot easier for my family to use my network when visiting.

  23. Mark Coleman says:

    What I think others are trying to point out, as am I, is that not broadcasting SSID’s and MAC filtering DO increase security to a degree.  When non-technical staff try to find wireless access near them, they simply search with things like Windows WZC- which out of the box ignores non-broadcasting SSID’s.  So if say 5 in 10 people are non-technical, you’ve reduced the chance that NON-TECHNICAL people will find your network by AT LEAST 50%.  And I’d rather have 50% less people know of it’s existence then be "curious" and pursue access to my network.  I’m not saying you need to agree with me, it’s just my $.02.

  24. CRAY says:

    @Mark Coleman: Hiding the SSID and using MAC filtering does not increase your security.  Sure, you prevent "non-technical" people from seeing your network, but would those non-technical people have had a chance of accessing your network if you employed WPA2?  Of course not.

    It’s like hiding the bank vault only from people who have no idea how to crack a safe in the first place.  Those who do know how to crack it can find it.  What’s the point?

    So how did you increase security with these measures?

    Hiding the SSID is useless (and harmful).  MAC filtering is arguably useful not as a security measure, but as an access control method, assuming the users you’re controlling access for are "non-technical" (i.e. stupid in-laws)!

  25. Catemaco says:

    I agree with Mark Coleman.  Most people are NOT tech savvy.  They don’t know what a MAC address, so they’re not going to spoof it, and they have no idea how to capture packets on a network.  But if they are sitting outside my condo, and see my network SSID, they might just decide to take advantage of it.  

    And if I’ve had some problem where I’ve had to reset my wireless router, and have forgotten to enable encryption, or if I’m like my neighbor, who doesn’t seem to know anything about encryption, then I’m in trouble.  

    Can someone address the question of performance?  Does broadcasting or not broadcasting the SSID affect performance?  I can pick up, no kidding, 10 different SSID’s from my neighbors.  Don’t their SSID broadcasts increase the interference to my signal?

  26. Anonymous says:

    Mito ou verdade: esconder o SSID deixa sua rede WiFi mais segura?

  27. Anonymous says:

    Mito ou verdade: esconder o SSID deixa sua rede WiFi mais segura?