16

I recall having read several articles online, and even passing along the advice, stating that disabling SSID broadcast is not only useless as a security measure but also harmful to the security of the client devices. The logic goes like this:

SSID Broadcasting On

  • Client devices passively listen for known networks.
  • Clients initiate connection when a known network is heard.
  • Attackers do not know what networks un-associated client devices are looking for.

SSID Broadcasting Off

  • Client devices must actively probe for known networks.
  • Client devices are advertising trusted SSIDs.
  • Attackers can capture trusted SSID info and use it to trick clients into connecting to a Rogue AP when they are not near the actual trusted network.

This seems a generally sensible supposition. However, I don't think I've seen any claims that take into account what happens when an attacker tries to impersonate a network without knowing other attributes of the network's security configuration - particularly, the encryption protocol or keys. The connection should, in theory, fail with protocol mismatch or bad key negotiation.

Given the above, it would seem to me that disabling SSID broadcast (while still not at all a reliable security mechanism) still has a net-positive impact on security - or net-neutral, at worst. Is there something I'm missing?

Iszi
  • 27,027
  • 18
  • 99
  • 163
  • 2
    What would stop an attacker from trying different combinations of the encryption protocol with the claimed SSID? – AdnanG Dec 10 '14 at 10:11
  • @AdnanG Perhaps nothing. But how is that substantially different from how they'd have to crack the same network otherwise? – Iszi Dec 10 '14 at 13:36
  • if the client connects to the rogue AP, they will authenticate with the actual SSIDs password. Attackers job is done for him. – AdnanG Dec 11 '14 at 03:48
  • @AdnanG That's impossibly simple. For that to be the case, the network would be equally weak against attackers who *aren't* spoofing the AP. – Iszi Dec 11 '14 at 05:22
  • 2
    @AdnanG: [The password is never transmitted](http://security.stackexchange.com/a/14294/8340). – SilverlightFox Dec 12 '14 at 13:19

3 Answers3

11

Take a look at the WiFi Pineapple, which is a wireless MITM impersonization device available for $100 plus shipping. The attacker pretty much only has to power it up and configure it, and it will start offering instant MITM attacks. If a mobile device is probing for an already-known open SSID, it will happily provide it with a working internet connection. It requires almost no skill to operate.

The key is that a client who trusts even a single connection to any open WiFi access point anywhere has placed themselves in a vulnerable position, and this is true whether or not you are broadcasting your SSID. The secure approach is to require credentials on your access points, and avoid being part of the problem for your clients. Whether or not you broadcast your SSID then becomes a matter of convenience for your users, and is not a matter of security.

John Deters
  • 33,897
  • 3
  • 58
  • 112
  • 3
    This does not answer the question. How will the client trust a connection to a Rogue AP, if it does not match the known properties of the original network? Example: Trusted Network with SSID "MyNetwork" uses WPA2 encryption with a PSK passphrase of "MyPassword". Rogue AP broadcasts the SSID "MyNetwork" but with no encryption, or uses WEP, or uses WPA2 with a PSK passphrase of "EvilPassword". When the client picks up the Rogue AP, shouldn't it drop the connection attempt when it encounters a protocol mismatch or incorrect PSK? – Iszi Dec 10 '14 at 07:38
  • 1
    You're correct, it will not connect if the encryption (and key) doesn't match; but it doesn't matter if the SSID was broadcast or not. My point is there is no way you can configure your SSID to fix a problem caused by clients that already trust "StarbucksFreeWiFi" (other than to not force your clients to use an unauthenticated wireless network connection.) – John Deters Dec 10 '14 at 13:39
  • 1
    Fair point, but other networks aren't part of the risk equation here. Assume the client devices are only configured to connect to my network. How is their security, or the security of my network, actually *harmed* by turning off SSID broadcast on the router? – Iszi Dec 10 '14 at 15:09
  • The question you seem to be asking presumes that SSID visibility *in isolation from everything else* impacts security, but it doesn't. It's only a factor in combination with an unsecured network, at which point it places any clients who trust it at risk. And that risk can be mitigated through use of a VPN, at which point you're karmically stealing free wifi from the attacker. – John Deters Dec 10 '14 at 21:03
  • 1
    That's exactly what I'm trying to determine - if an attacker gets only the SSID information of a trusted network, and the network is otherwise secured with encryption and a PSK not known to the attacker, is the SSID alone enough for the attacker to trick client devices into connecting to his Rogue AP? I've seen many posts about SSID hiding that say it puts clients at higher risk of connecting to spoofed APs, but they don't address what happens with encryption protocol/PSK mismatches when the attacker *only* has the SSID to work with. – Iszi Dec 10 '14 at 21:07
  • @JohnDeters, Doesn't answer the question. Yes we all know "the secure approach is to require credentials on your access points", but the whole point of this question is Does having broadcasting on *increase* the security of our setup? What about having it off? You stated that it makes no difference but didn't cite any reason to support that stand. Your conclusion (para 2 sentence 2) does not follow from the first half of your answer. – Pacerier Feb 16 '15 at 21:41
6

SSID Broadcasting On

  • Client devices passively listen for known networks.
  • Clients initiate connection when a known network is heard.
  • Attackers do not know what networks un-associated client devices are looking for.

Turing broadcasting on will not prevent all clients from actively scanning for known networks. This is implementation specific - for example, Windows XP is defaulted to only actively scan. Therefore your assumption that attackers do not necessarily know which networks are being sought is incorrect. It only applies if you connect with modern devices that passively scan networks for the visible SSIDs when they were configured.

SSID Broadcasting Off

  • Client devices must actively probe for known networks.
  • Client devices are advertising trusted SSIDs.
  • Attackers can capture trusted SSID info and use it to trick clients into connecting to a Rogue AP when they are not near the actual trusted network.

That is true as long as the network is open. A client will not be able to connect to a secured network with a different or no password.

This seems a generally sensible supposition. However, I don't think I've seen any claims that take into account what happens when an attacker tries to impersonate a network without knowing other attributes of the network's security configuration - particularly, the encryption protocol or keys. The connection should, in theory, fail with protocol mismatch or bad key negotiation.

The beacon frame, even when not broadcasting the SSID (i.e. SSID is sent in this frame as NULL) still details the network security configuration including encryption details.

Given the above, it would seem to me that disabling SSID broadcast (while still not at all a reliable security mechanism) still has a net-positive impact on security - or net-neutral, at worst. Is there something I'm missing?

Even if not broadcasting, sending a probe request with NULL as the SSID may cause the AP to reply with a beacon containing the SSID. Any road, as soon as a valid device needs to connect the SSID will end up being broadcast by the AP. I would say the only extra security offered is security through obscurity - it may make you feel better but it does not really make your network any more secure. The only negligible benefit is that your SSID will not be broadcast as often. On the flipside, an attacker may assume that this is a particularly sensitive network and spend more time targeting it.

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185
1

Client devices will actively probe known networks regardless if SSID broadcasting for that particular network is turned on or not. While a passive scan is theoretically possible, it is very seldom implemented. This is because the client needs to cycle through all channels, spending time on each channel to listen for beacons. This would increase the amount of time needed to connect to the AP.

I have used airmon-ng to monitor probe requests and so far, all my wireless cards do actively probe for known networks. Therefore, turning off SSID broadcasting should not increase risk.

More details : https://superuser.com/questions/128166/is-looking-for-wi-fi-access-points-purely-passive

limbenjamin
  • 3,944
  • 50
  • 72
  • 1,281
  • This does not answer the question. How will the client trust a connection to a Rogue AP, if it does not match the known properties of the original network? Example: Trusted Network with SSID "MyNetwork" uses WPA2 encryption with a PSK passphrase of "MyPassword". Rogue AP broadcasts the SSID "MyNetwork" but with no encryption, or uses WEP, or uses WPA2 with a PSK passphrase of "EvilPassword". When the client picks up the Rogue AP, shouldn't it drop the connection attempt when it encounters a protocol mismatch or incorrect PSK? – Iszi Dec 10 '14 at 07:39
  • Also, while clients may technically be actively scanning the area, active scanning does not necessitate transmission of known SSIDs unless a network is particularly known not to include its SSID in the broadcast. – Iszi Dec 10 '14 at 07:40
  • Yep, it could send out a probe request to all APs in the area. However, most network cards will include the SSID name in the probe request. – limbenjamin Dec 10 '14 at 08:04
  • Ok. But I still don't understand how this is a significant risk, if the client will not connect to an improperly configured AP anyway. For that matter, if the new default is to include SSIDs in all probe broadcasts anyway, how is SSID hiding a bad thing? Certainly, there's no real advantage to it. But there's no impact to the security (perhaps some to usability, but that's not my question here) of the network or its client either. – Iszi Dec 10 '14 at 09:00