Hiding a Wi-Fi network is worse than Security Theater

Last month, I spent a lot of time looking at Wi-Fi protocols, and in particular at the privacy implications of Wi-Fi on mobile devices. The main privacy issue with Wi-Fi the use of “worldwide unique” MAC addresses, which enable really efficient tracking of devices and their owners. The industry is starting to address this. But a close second is the practice of “hiding the SSID,” in a misguided attempt at increasing a network’s security. The idea was to hide the name of your Wi-Fi network from people in your neighborhood. The effect is to have your phone broadcast the name of the network every few minutes, negating any privacy gain from techniques like MAC address randomization.

When you setup a Wi-Fi network, you are supposed to use the management interface of your router and assign a name to the network. (If you don’t do that, you get a default name like “linksys” or “D-Link”, which is not a very good idea.) For example, I gave to my network the name “9645NE32.” In the standard Wi-Fi setup, the wireless access points broadcast their availability by announcing their name, their SSID in Wi-Fi standard jargon. These broadcasts are captured by your device, and presented in the menu of available networks. When you want to connect to a network, you pick a name in the menu and you get connected. In many cases, the device will remember the networks that you connect to, and reconnect automatically when the network is in range. Life is good.

In the early days of Wi-Fi, some people were very concerned that outsiders would try to connect to their network. They looked for a way to “hide” the network, so the name would not appear by default in the connection menus of phones or laptops. Access Point manufacturers obliged, and provided a setting to “not broadcast the SSID.” In order to connect, the users cannot just click. They will have to manually enter the name of the network on their device. In short, the name acts as some kind of password. If you don’t know it, you cannot enter the network. It seemed like a good idea, an extra layer of security. The problem is, it is at best a very weak protection, analogous to sending a clear text password over the radio. And it allows for very efficient tracking of devices.

In the previous paragraph, I wrote that the access points broadcast their presence, and that the devices listen to these broadcasts. They do, but if the device only listened to broadcast data the discovery would be very slow. Access points operate on specific frequency bands, the Wi-Fi channels. The precise number of available channels varies from country to country, but you can count 3 or 4 popular channels at 2.4 GHz, and maybe 20 channels at 5 GHz. A device only listens to one channel at a time, and an access point only broadcast at fixed intervals. Passive discovery would involve listening on a channel for 2 or 3 broadcast intervals, then switching to the other channel and repeating. Very slow, and also power consuming since the receiver has to be active for long periods. Instead of passive listening, devices accelerate the process by sending “probes.” They will switch to a channel and send a probe messages asking “is there anyone here?” The access point that receives the message is supposed to answer immediately, “Yes, I am serving network SO-AND-SO.” Since the response is almost immediate, the device need only wait a short time to find out whether there is an access point serving the channel or not. It can then move to the next channel, repeat the process, and so on until all channels have been scanned.

In the case of hidden networks, things become a bit more complicated. The access point does answer the probes, but with a cryptic message, “Yes, I am serving some network on this channel but I won’t tell you which one.” That way, the network name is not broadcast and does not end up in the connection menus. The user will enter the network name, and at that point the device will send a new probe, one that includes the network name, “are you network SO-AND-SO?” If the name is indeed that of the hidden network, device and access point will establish the connection. Of course, users don’t want to be always entering the network name in the connection dialog, so the device’s software remembers that. It will start systematically probing for the hidden networks to which it might connect.

The problem of course is that the probing traffic can be listened to by anyone with a Wi-Fi sniffer. A sniffer near a hidden network will of course discover the network name, just by listening to the probe traffic. An active sniffer might emulate an access point to trick local devices to send probes, for very quick discovery. So much for the “Added security part.” But it gets worse. When you go to a café, to a hotel, to an airport, in fact pretty much anywhere near a Wi-Fi network, your device will keep sending these probes. “I am looking for network SO-AND-SO, are you it?” Nice way to follow you around, isn’t it?

In short, hiding the network name has no security benefit, and has a clear negative effect on privacy. It probably also open the door for instant attacks, in which access points are programmed to automatically spoof the hidden network and trick devices into attempting to connect. In short, it is a very bad idea, worse that Security Theater. If someone reads this and stops, I would be happy!


About Christian Huitema

I have been developing Internet protocols and applications for about 30 years. I love to see how the Internet has grown and the applications it enabled. Let's keep it open!
This entry was posted in Uncategorized. Bookmark the permalink.

13 Responses to Hiding a Wi-Fi network is worse than Security Theater

  1. A New Friend says:

    This is a great post. I pay a lot of attention to issues of security and privacy, but I did not know about this part of the WiFi protocol. You have my attention! I have 2 questions, or rather, a point of clarity and a question.

    1) Just to be clear, let’s say I have 2 networks at home, and their SSIDs are OOO and HHH; OOO uses open public SSID and HHH uses a hidden SSID. If I connect my mobile to both networks at home, then I go out in public, are you saying that only my HHH network will be sent out in “probes”, but not OOO?

    2) I think most people will equate this with all the tracking these days on mobile devices, and that is certainly the biggest concern, given that they are so mobile and nearly always on. But if this is part of the standard WiFi protocol, then laptops would be just as vulnerable, right? As soon as you open your laptop at a public cafe, is it sending these same probes?

    • On point 1, it depends. In theory, only the hidden network HHH should be probed. In practice, some systems may have bugs.

      On point 2, yes this goes for laptops as well.

      • A New Friend says:

        Thanks for your reply. I’ll be doing some research in the coming weeks to understand how my particular devices behave. Specifics, bugs and/or other anomalies are worth understanding.

        “If someone reads this and stops, I would be happy!”

        There’s a good chance I may make these changes, but I’ve already made procedural/behavioral changes! So you can be happy about that.

        Still want to consider things like how un-hiding SSIDs might affect other types of usage, such as Google/Apple and their mobile clients using wireless AP data for location purposes. Will be looking into various things like that, but this is a good start. Thanks.

  2. Randy says:

    The benefit of hiding the SSID is small: it avoids unsophisticated neighbors attempting to gain access to your network.

    You’re saying the risks are twofold: easier tracking of your mobile devices (assuming the SSID is rare) and easier spoofing of your network by a rogue AP in an attempt to gain your credentials and/or to have you join it and thus have easy access to perform man-in-the-middle attacks?

    • Yes. If the hidden network security is based on passwords, the rogue AP can mount a simple attack. Send a challenge, get the response, and using a dictionary search crack the password.

  3. Randy says:

    Even if the rogue AP cracks the password for the Wi-Fi network with the hidden SSID (call it the house Wi-Fi), the attacker doesn’t know where the house Wi-Fi is, and so can’t make use of this knowledge. I thought the risk was that the rogue AP can pretend to be the house Wi-Fi, tricking the mobile device into joining it (it will accept any password), and perform MITM attacks against the mobile device’s traffic.

    • Sometimes the attacker knows where the “house” wi-fi is, think about using this technique to retrieve the password for the corporate network of your neighbour, who of course brings back his laptop and other corporate-connected devices at home. And you certainly know who he is working for…

  4. Pedro Lereno says:

    Thanks for this great article!
    I agree that hiding the SSID is no security measure, but relating to privacy issues, the mobile devices that I have in my network if not connected to our corporate wlan, are always probing the last 7 or 10 SSIDs that were connected before (hidden or not hidden).
    Do they probe more if the SSID were hidden?
    So, in my opinion hiding the SSID could be worse for roaming purposes, but not worse for privacy. The probe “feature” is related to the device software and not the wireless lan.
    Pedro Lereno

    • I cannot tell for every mobile device, but I verified what happens with Windows 10, using a wireless scanner to see the packets being sent over Wi-Fi. If you do not configure any “hidden network,” the probes do not contain any network name. What are the devices publish the “last 7 or 10 SSIDs” regardless of hidden or not? That sounds like a bug.

      • Pedro Lereno says:

        Essentially Apple IOS and Android devices. I have packet captures that confirm that.
        Some time ago, I have heard from an Apple representative (not sure if official position from Apple): “it is not a bug, but a feature to better connect to a previous connected network”.
        So, in the design of ours wlans, we invite BYOD devices to connect to a contained guest network to not “pollute” our wireless environment sending probes.

      • See reply to Marcus Welby’s comment. There were indeed bugs that caused SSIDs to be sometimes included in probes. These bugs have been fixed, or are being fixed.

  5. Marcus Welby says:

    “When you go to a café, to a hotel, to an airport, in fact pretty much anywhere near a Wi-Fi network, your device will keep sending these probes. “I am looking for network SO-AND-SO, are you it?””
    this makes it sound as is not hiding the ssid will prevent these probes, but it does not prevent them at all, the signals are sent regardless if your home has a hidden SSID or not so it is not doing harm to hide the network name.

    • Marcus, you are both right and wrong. You are right that many devices will just broadcast the list of SSID they look, whether these are hidden or not. But where you are wrong is that this broadcast is a bug, not a feature. It was in fact one of the many privacy bugs reported by Mathy Vanhoef et al. in their paper “Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms”
      I remembered discussing this bug with the Windows Wi-Fi team when I was working at Microsoft. It was traced to a detail of the Wi-Fi driver specification.

      The basic Wi-Fi driver spec at the time meant to say “do not broadcast the SSID in the probes”, and that was the behavior of the system when it was directly controlled by the CPU. But when the system was in sleep mode, the connection logic was offloaded to the Wi-Fi card. The system would tell the card something like “if you find one of these SSID, please wake the CPU so it can immediately connect.” The card vendors pointed out that they did not know which of the SSID were hidden and which were not, so they just included in the probe every SSID that they knew about. The fix was simple: add an hidden/not hidden flag to each SSID in the list passed by the operating system to the driver, and then make sure that the drivers only included the hidden ones in their probes.

      So, yes, you are right that in the old days, the probes might contain lists of all SSIDs, whether they were hidden or not. But this was a bug. It has been fixed in Windows 10, and probably in other operating systems as well. Once the bug is fixed, the probes only contain the list of the hidden SSID.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s