You turn off the broadcasting of the SSID your devices won't connect.

Not true because I know what my SSID is so I can enter this into my devices.

The SSID beacon tells the wireless devices of what channel to use etc, so without that nobody will be able to connect.

Precisely - only those that know the SSID and password will be able to connect. Anyone not seeing the SSID wont even know it exists.

In reply to a post by Spuriousfish:

You turn off the broadcasting of the SSID your devices won't connect.

Not true because I know what my SSID is so I can enter this into my devices.

For it to work you would need to know what channel for it to use as well, I know I tried it and it failed to work and all devices that was connected lost their connection.

In reply to a post by Spuriousfish:

The SSID beacon tells the wireless devices of what channel to use etc., so without that nobody will be able to connect.

Precisely - only those that know the SSID and password will be able to connect. Anyone not seeing the SSID wont even know it exists.

Well that's not fully true either, anyone monitoring the Wi-Fi channels (using certain software) will see devices communicating to an unlisted Wi-Fi point and would show both the MAC addresses for the Wi-Fi Point and the wireless devices.

I can connect to a Wi-Fi point using its MAC (not using the SSID) and password (assuming I was able to get the password, which isn't that hard to do with the right tools), so hiding it doesn't stop anything apart from the less technical people.

Do forget the SSID itself is only so that the user knows its the correct Wi-Fi Point (unless somebody sets theirs to the same name) I have seen some of those.

The beacon that is broadcasted contains the SSID along with all the required information to enable the device to connect, like the channel and possibly the encryption it uses etc, without that and it may have issues connecting.

Paul

For it to work you would need to know what channel for it to use as well, I know I tried it and it failed to work and all devices that was connected lost their connection.

Nope, never been asked for a channel number and I have plenty of different devices that I've connected up and they stay connected.

As for the rest - yes - nothing is impossible with the right tools but I'm mostly interested in keeping out those who don't know what they are doing and who may inadvertently do damage to my network. So it's just family and trusted friends on request.

Our course using the correct tools means being able to detect a wifi signal and this is unlikely as my house is very well screened and a long way from the road and neighbours. And no one is going to do anything like that inside the house.

In reply to a post by PaulKirby:

In reply to a post by Spuriousfish:

You turn off the broadcasting of the SSID your devices won't connect.

Not true because I know what my SSID is so I can enter this into my devices.

For it to work you would need to know what channel for it to use as well, I know I tried it and it failed to work and all devices that was connected lost their connection.

It sounds to me like something's broken. You certainly don't need to tell clients which channel a network with a hidden SSID uses.

I run a number of sites which have multiple SSIDs - for public wifi, admin and credit card processing. The latter two are hidden, simply because it makes it easier for guests to choose the correct wifi network. There's never a problem connecting to hidden SSID networks with Windows, Mac and PDQ terminal devices. You certainly can't specify a wifi channel on the PDQ terminals and to do that on a Mac you have to use command line tools - which I've never needed.

In reply to a post by Spuriousfish:

For it to work you would need to know what channel for it to use as well, I know I tried it and it failed to work and all devices that was connected lost their connection.

Nope, never been asked for a channel number and I have plenty of different devices that I've connected up and they stay connected.

As for the rest - yes - nothing is impossible with the right tools but I'm mostly interested in keeping out those who don't know what they are doing and who may inadvertently do damage to my network. So it's just family and trusted friends on request.

Our course using the correct tools means being able to detect a wifi signal and this is unlikely as my house is very well screened and a long way from the road and neighbours. And no one is going to do anything like that inside the house.

Ok, I did some digging of my datasheets / specs etc, and yes, you are correct about the disabling the beacon, also known as Network Cloaking, but that's is very dangerous, it puts your client device at risk.

Security of SSID hiding

As a purported security enhancement, some access points allow a user to inhibit the broadcasting of their SSIDs, a tactic known as network cloaking; a station may then only join a BSS after the associated SSID has been specified explicitly.

This tactic acts as a deterrent to the extent that it impedes casual wireless snooping but useless against widely available network scanners.

Network cloaking is a form of security through obscurity and offers no protection against even the most basic attacks against a wireless network.

Furthermore, the technique of SSID hiding forces wireless clients to probe for SSIDs everywhere they go which makes them vulnerable to attackers who emulate the probed network.

Client side SSID probing is far more dangerous than base station side beaconing.

Also if your "house is very well screened and a long way from the road and neighbours." then why disable the broadcast beacon.

Don't get me wrong, I am all for making it as hard as you can for the hacker to get in, but they will just end up putting it down as a challenge.

Paul

In reply to a post by caffn8me:

In reply to a post by PaulKirby:

In reply to a post by Spuriousfish:

... nested quotes trimmed ...

Not true because I know what my SSID is so I can enter this into my devices.

For it to work you would need to know what channel for it to use as well, I know I tried it and it failed to work and all devices that was connected lost their connection.

It sounds to me like something's broken. You certainly don't need to tell clients which channel a network with a hidden SSID uses.

I run a number of sites which have multiple SSIDs - for public wifi, admin and credit card processing. The latter two are hidden, simply because it makes it easier for guests to choose the correct wifi network. There's never a problem connecting to hidden SSID networks with Windows, Mac and PDQ terminal devices. You certainly can't specify a wifi channel on the PDQ terminals and to do that on a Mac you have to use command line tools - which I've never needed.

Yeah, I was wrong, I know I did try it a while back, so maybe I did something wrong.

Its still not a good thing disabling the broadcast beacon though due to the client has to do loads of probing of the SSID where ever they go, so Wi-Fi sniffers would see those and a hacker / script kiddie "could" pretend to be that actual access point and they would have your password then.

May it is just me being paranoid in my old age LOL

*** update in bold ***

Paul

Edited by PaulKirby (Tue 25-Oct-16 10:31:56)

The reason I do this now, even though its hard to see my wifi anyway, is for a couple of reasons.

Firstly, 'cos I can - but also I used to live in a much denser area and could see lots of other peoples wifi and in those days it wasn't hard to guess passwords and use someone else's connection, which I did but not for any malicious reason, just to get an Internet Connection when not at home. So I turned miy SSID Broadcast off.

Secondly, there are still people who come to the house with the ubiquitous smart phone, whom I wouldn't trust to operate a wireless doorbell let alone connect to my wifi, and it stops the embarrassment of saying sorry I wont let you connect. They see no signal and don't bother.

To be honest why anyone would want to go to any effort to connect to my home network has a low probability but I might as well make it as hard as possible for minimum effort.

In respect of Client Probing, and if I understand this correctly, this is not relevant in this case because this is my home network and any valid wifi device I own in this house will connect to my network anyway.

Again if I've understood this correctly, Client Probing is what things like smartphones do when roaming. They broadcast all the saved SSID networks they've connect to just to see if there is one within range which they can connect to. This can be picked up and a history of where that smartphone has been can be determined. Disabling the Broadcast SSID on my own home router will not affect this. But as a further point I periodically 'forget' all the stations that I've connected to when traveling.

It's not perfect but easy to do and causes no problems.

I will post a better response later, but most of what you had said here is not correct.

The client connects into the SSID. The channel does not matter. The MAC of the AP does not matter. With a hidden SSID, as long as you type the SSID into your device it will find the channel and connect in. In retail they often have hidden SSIDs and then 20+ APs around the store, all on different channels, and things like in-store ipads and screens connect in.

You cannot connect based purely on MACs you need the SSID.

You can easily guess the SSID by running something such as airodump.
e.g.
http://asdf.bligoo.com/media/users/1/77569/images/pu...

See the probes at the bottom. These are clients in range, such as an iphone nearby, and you can see they are looking for XPA, cpereira, Defran etc... So if an SSID was hidden, as an attacker, I could identify the likely SSID names by seeing what devices near to me are probing.

Probing is basically the iPhone, laptop etc going out and saying "I have the following SSIDs stored, I am looking for SKY82065, TALKTALK284563, The_Cloud" and you can see every probe it makes. So eventually it will probe for that hidden SSID. Anybody can sit and watch the WiFi traffic and see every probe every device in range is making. E.g I could sit and see the probes coming from a neighbours iPad without knowing their WPA2 password, the probes are just freely sent.

Work out the probes which match SSIDs you can see in range, note down the ones which do not match with ones in range. The hidden SSID will be one of these.

You can even send deauthorisation requests to the hidden SSID WiFi, which will kick everyone off the WiFi point, at which stage you will see multiple clients all probing that hidden SSID name.

Edited by ukhardy07 (Tue 25-Oct-16 13:56:45)

In reply to a post by Spuriousfish:

The reason I do this now, even though its hard to see my wifi anyway, is for a couple of reasons.

Firstly, 'cos I can - but also I used to live in a much denser area and could see lots of other peoples wifi and in those days it wasn't hard to guess passwords and use someone else's connection, which I did but not for any malicious reason, just to get an Internet Connection when not at home. So I turned miy SSID Broadcast off.

Secondly, there are still people who come to the house with the ubiquitous smart phone, whom I wouldn't trust to operate a wireless doorbell let alone connect to my wifi, and it stops the embarrassment of saying sorry I wont let you connect. They see no signal and don't bother.

To be honest why anyone would want to go to any effort to connect to my home network has a low probability but I might as well make it as hard as possible for minimum effort.

In respect of Client Probing, and if I understand this correctly, this is not relevant in this case because this is my home network and any valid wifi device I own in this house will connect to my network anyway.

Again if I've understood this correctly, Client Probing is what things like smartphones do when roaming. They broadcast all the saved SSID networks they've connect to just to see if there is one within range which they can connect to. This can be picked up and a history of where that smartphone has been can be determined. Disabling the Broadcast SSID on my own home router will not affect this. But as a further point I periodically 'forget' all the stations that I've connected to when traveling.

It's not perfect but easy to do and causes no problems.

While I agree with most of that, I don't think that you understand the "Client side SSID probing", if you don't leave your home at all with said Wi-Fi device i.e. Smart Phone etc then you will be ok some what.

How ever if you go out with said smart phone with the Wi-Fi still enabled then you "could" get into problems.


Client side SSID probing is an issue due to the smart phone has to probe the SSID to every channel until it gets a response, in most cases it would be the correct one.

No say you go out and some not so nice people setup loads of Wireless monitoring points all over the place and some of them detect your smart phone probing all channels your SSID due to it cannot find it, now those not so nice people now have your SSID, they can then set one of their Wi-Fi Access Points to use that SSID, you phone sees it and tries to authenticate with it, now they have your SSID and your Password and if you are in an area close to your home it becomes worse.

There is also nothing stopping one of your untrusted friends from running an app that monitors Wi-Fi network headers and pick up your smart phone talking to your Wi-Fi Access Point and then turn his device into an access point with your SSID with a result of getting your SSID and Password.

That's what I was getting at.

Also most wireless devices will try to connect to the strongest signal with that SSID so if there was your one and another one in your untrusting friends bag closer to you, there is a very good chance your smart phone will try theirs first.

Also there are directional Wi-Fi antennas out that that are very good picking up very weak signals.

Like I said maybe I am getting paranoid in my old age LOL.

In my eyes seeing just an SSID over retrieving a SSID and password, I know which one I would prefer.

Paul

In reply to a post by ukhardy07:

I will post a better response later, but most of what you had said here is not correct.

The client connects into the SSID. The channel does not matter. The MAC of the AP does not matter. With a hidden SSID, as long as you type the SSID into your device it will find the channel and connect in. In retail they often have hidden SSIDs and then 20+ APs around the store, all on different channels, and things like in-store ipads and screens connect in.

You cannot connect based purely on MACs you need the SSID.

You can easily guess the SSID by running something such as airodump.
e.g.
http://asdf.bligoo.com/media/users/1/77569/images/pu...

See the probes at the bottom. These are clients in range, such as an iphone nearby, and you can see they are looking for XPA, cpereira, Defran etc... So if an SSID was hidden, as an attacker, I could identify the likely SSID names by seeing what devices near to me are probing.

Probing is basically the iPhone, laptop etc going out and saying "I have the following SSIDs stored, I am looking for SKY82065, TALKTALK284563, The_Cloud" and you can see every probe it makes. So eventually it will probe for that hidden SSID. Anybody can sit and watch the WiFi traffic and see every probe every device in range is making. E.g I could sit and see the probes coming from a neighbours iPad without knowing their WPA2 password, the probes are just freely sent.

Work out the probes which match SSIDs you can see in range, note down the ones which do not match with ones in range. The hidden SSID will be one of these.

You can even send deauthorisation requests to the hidden SSID WiFi, which will kick everyone off the WiFi point, at which stage you will see multiple clients all probing that hidden SSID name.

What I was getting at is when you disable the broadcasting of the beacon, the devices that are connecting to it has to probe every channel until it gets a response from the access point in question.

There is no reason that a person cannot monitor that actual client device probing the channels to find the access point.
And once that person sees the SSID name that the client device is sending on all channels, they only need to then setup a temporary access point with that SSID and the client device will try and authenticate with that, which will result in the password being discovered.

That's what I was on about, you gain nothing from hiding your SSID, only thing is when the client device is setup to connect using SSID + Encryption Type its not that hard to spoof that SSID and fool that device from connecting to you and when it tries to authenticate the custom written app spoofing the SSID will have their password.

In my eyes I would prefer to give out my SSID rather than to not knowingly give out my SSID and my password.

Paul