Hidden SSID? Is it really hidden?


In the world of wireless network security, hiding your SSID might seem like an easy way to protect your WiFi network from unauthorized access. In practice, hiding an SSID provides little more than a false sense of security. My recent experience debugging an issue where random users could see these hidden SSIDs led me to write a blog about why I personally believe it is not a great approach, and I am open to opinions.

Let’s explore how hidden SSIDs work and understand it with a real-world example!

When you configure your access points to hide the SSID/WLAN, you are essentially telling them to stop broadcasting the SSID name in the beacon frames. Under normal circumstances, an AP periodically broadcasts beacon frames containing the SSID name, channel, security capabilities, etc., which helps a station (STA) choose among the broadcast SSIDs and associate with one.



With Hidden SSID enabled, the AP continues to broadcast beacon frames but leaves the SSID field empty for the respective WLAN. As seen in the capture below, the beacon frame shows the SSID field as "Missing" or "Wildcard SSID", and the length field of the SSID element is 0. (Some APs instead keep the original length and fill the field with NUL bytes; the effect for a scanning client is the same.)

Beacon Frame:



This makes the network appear invisible to casual users looking at the available WiFi networks on their devices. However, is that always true?

When a device tries to connect to a hidden network it already knows about, it sends out probe requests containing the SSID name. The AP then responds with a probe response that carries the SSID, confirming its presence. The same SSID is also sent in clear text in the station's subsequent association request. By comparing the source address of the beacon with the wildcard/missing SSID to the source address of the probe response, one can easily tell that both are the same:


Probe Request Frame: 


Probe Response Frame:



As shown above, probe requests and responses are transmitted in plain text, so anyone within radio range can capture them with basic tools: a WiFi scanner, or passive monitoring and frame capture of probe request and response frames. Recently, I observed hidden WLANs appearing on my Pixel-8 phone, which made me question the very purpose of this feature. The phone was in a factory-reset state and had no prior knowledge of the hidden WLAN. However, when a nearby device scanned for the hidden SSID, it started appearing in the network list. Although I couldn't click or connect to it, its presence was noticeable.
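The correlation described above (a beacon whose SSID element is empty, then a probe response from the same source address that carries the real name) is easy to automate once you parse the tagged parameters of 802.11 management frames. The following is an added example written for this post, not code from the original page or from any vendor tool. It constructs a handful of sample frames in memory (the MAC addresses, the SSIDs "CorpWiFi" and "Guest", and all frame contents are made up for the demonstration), parses them, and reports which hidden APs have given their name away. It also handles the NUL-filled SSID variant that some APs use instead of a zero-length element, which is an assumption about AP behaviour rather than something shown in the captures above.

```python
import struct

# 802.11 management frame subtypes
PROBE_REQ, PROBE_RESP, BEACON = 0x4, 0x5, 0x8
SUBTYPE_NAMES = {PROBE_REQ: "Probe Request", PROBE_RESP: "Probe Response", BEACON: "Beacon"}
SSID_IE = 0  # element ID of the SSID information element

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_frame(subtype, sa, da, bssid, ssid, hidden_mode=None):
    """Construct a minimal management frame (sample data, not a real capture).
    hidden_mode: None (SSID broadcast normally), "empty" (zero-length SSID element)
    or "nulls" (SSID element keeps its length but is filled with 0x00)."""
    fc = struct.pack("<H", subtype << 4)  # protocol 0, type 0 (management), subtype, no flags
    hdr = (fc + struct.pack("<H", 0) + mac_bytes(da) + mac_bytes(sa)
           + mac_bytes(bssid) + struct.pack("<H", 0))  # duration, addr1..3, seq ctrl
    body = b""
    if subtype in (BEACON, PROBE_RESP):
        # fixed fields: timestamp(8), beacon interval(2), capability info(2: ESS+privacy+short slot)
        body += struct.pack("<QHH", 0, 100, 0x0411)
    ssid_bytes = ssid.encode()
    if hidden_mode == "empty":
        ssid_bytes = b""
    elif hidden_mode == "nulls":
        ssid_bytes = b"\x00" * len(ssid_bytes)
    body += bytes([SSID_IE, len(ssid_bytes)]) + ssid_bytes
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # Supported Rates: 1, 2, 5.5, 11 Mbps (basic)
    return hdr + body

def parse_frame(frame):
    """Return the addresses and SSID element of a beacon / probe frame, or None for other frames."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPE_NAMES:
        return None
    da, sa, bssid = frame[4:10], frame[10:16], frame[16:22]
    offset = 24 + (12 if subtype in (BEACON, PROBE_RESP) else 0)  # skip fixed fields
    ies = {}
    while offset + 2 <= len(frame):  # walk the tagged parameters: ID(1) len(1) data
        eid, elen = frame[offset], frame[offset + 1]
        data = frame[offset + 2 : offset + 2 + elen]
        if len(data) < elen:
            break  # truncated frame, stop rather than misparse
        ies.setdefault(eid, data)
        offset += 2 + elen
    ssid = ies.get(SSID_IE)
    # zero-length (wildcard) or all-NUL SSID element: hidden in a beacon, wildcard in a probe request
    blank = ssid is not None and (len(ssid) == 0 or set(ssid) == {0})
    return {
        "subtype": SUBTYPE_NAMES[subtype],
        "sa": mac_str(sa), "da": mac_str(da), "bssid": mac_str(bssid),
        "ssid": None if (ssid is None or blank) else ssid.decode(errors="replace"),
        "ssid_blank": blank,
        "ssid_ie_len": None if ssid is None else len(ssid),
    }

def correlate(frames):
    """Map BSSID -> SSID for APs whose beacons hide the name but whose probe responses reveal it."""
    hidden_aps, revealed = set(), {}
    for raw in frames:
        p = parse_frame(raw)
        if p is None:
            continue
        if p["subtype"] == "Beacon" and p["ssid_blank"]:
            hidden_aps.add(p["sa"])
        elif p["subtype"] == "Probe Response" and p["ssid"]:
            revealed[p["sa"]] = p["ssid"]
    return {b: revealed[b] for b in hidden_aps if b in revealed}

def directed_probes(frames):
    """Map client MAC -> set of SSID names it asked for by name (the client side of the leak)."""
    out = {}
    for raw in frames:
        p = parse_frame(raw)
        if p and p["subtype"] == "Probe Request" and p["ssid"]:
            out.setdefault(p["sa"], set()).add(p["ssid"])
    return out

# Constructed sample exchange: hidden AP beacon, client probes by name, AP answers with the name.
AP, AP2, CLIENT, BCAST = "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:01", "02:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    build_frame(BEACON, AP, BCAST, AP, "CorpWiFi", hidden_mode="empty"),
    build_frame(PROBE_REQ, CLIENT, BCAST, BCAST, "CorpWiFi"),
    build_frame(PROBE_RESP, AP, CLIENT, AP, "CorpWiFi"),
    build_frame(BEACON, AP2, BCAST, AP2, "Guest"),  # ordinary AP, SSID broadcast in the beacon
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_frame(f))
    print("hidden APs revealed by probe responses:", correlate(SAMPLE_FRAMES))
    print("SSIDs clients asked for by name:", directed_probes(SAMPLE_FRAMES))
```

Feeding real frames into parse_frame only requires stripping the radiotap header that a monitor-mode capture prepends; the 24-byte management header and the tagged parameters are laid out exactly as the constructed samples are. Note that correlate keys on the source address of the probe response, not on the destination of the probe request, so it works even when the client probed for the name and the AP answered much later.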



Hidden SSIDs represent a classic case of "security through obscurity", an approach that provides more inconvenience than protection. Clients configured for a hidden network must actively probe for it by name, so they reveal the SSID wherever they go, and the AP reveals it every time it answers. While hiding your SSID might deter the most casual observers, it does nothing to prevent determined attackers from discovering and potentially!
