Christian Huitema's blog

Cloudy sky, waves on the sea, the sun is

Hiding a Wi-Fi network is worse than Security Theater

11 Aug 2014

Last month, I spent a lot of time looking at Wi-Fi protocols, and in particular at the privacy implications of Wi-Fi on mobile devices. The main privacy issue with Wi-Fi the use of "worldwide unique" MAC addresses, which enable really efficient tracking of devices and their owners. The industry is starting to address this. But a close second is the practice of "hiding the SSID," in a misguided attempt at increasing a network's security. The idea was to hide the name of your Wi-Fi network from people in your neighborhood. The effect is to have your phone broadcast the name of the network every few minutes, negating any privacy gain from techniques like MAC address randomization.

When you setup a Wi-Fi network, you are supposed to use the management interface of your router and assign a name to the network. (If you don't do that, you get a default name like "linksys" or "D-Link", which is not a very good idea.) For example, I gave to my network the name "9645NE32." In the standard Wi-Fi setup, the wireless access points broadcast their availability by announcing their name, their SSID in Wi-Fi standard jargon. These broadcasts are captured by your device, and presented in the menu of available networks. When you want to connect to a network, you pick a name in the menu and you get connected. In many cases, the device will remember the networks that you connect to, and reconnect automatically when the network is in range. Life is good.

In the early days of Wi-Fi, some people were very concerned that outsiders would try to connect to their network. They looked for a way to "hide" the network, so the name would not appear by default in the connection menus of phones or laptops. Access Point manufacturers obliged, and provided a setting to "not broadcast the SSID." In order to connect, the users cannot just click. They will have to manually enter the name of the network on their device. In short, the name acts as some kind of password. If you don't know it, you cannot enter the network. It seemed like a good idea, an extra layer of security. The problem is, it is at best a very weak protection, analogous to sending a clear text password over the radio. And it allows for very efficient tracking of devices.

In the previous paragraph, I wrote that the access points broadcast their presence, and that the devices listen to these broadcasts. They do, but if the device only listened to broadcast data the discovery would be very slow. Access points operate on specific frequency bands, the Wi-Fi channels. The precise number of available channels varies from country to country, but you can count 3 or 4 popular channels at 2.4 GHz, and maybe 20 channels at 5 GHz. A device only listens to one channel at a time, and an access point only broadcast at fixed intervals. Passive discovery would involve listening on a channel for 2 or 3 broadcast intervals, then switching to the other channel and repeating. Very slow, and also power consuming since the receiver has to be active for long periods. Instead of passive listening, devices accelerate the process by sending "probes." They will switch to a channel and send a probe messages asking "is there anyone here?" The access point that receives the message is supposed to answer immediately, "Yes, I am serving network SO-AND-SO." Since the response is almost immediate, the device need only wait a short time to find out whether there is an access point serving the channel or not. It can then move to the next channel, repeat the process, and so on until all channels have been scanned.

In the case of hidden networks, things become a bit more complicated. The access point does answer the probes, but with a cryptic message, "Yes, I am serving some network on this channel but I won't tell you which one." That way, the network name is not broadcast and does not end up in the connection menus. The user will enter the network name, and at that point the device will send a new probe, one that includes the network name, "are you network SO-AND-SO?" If the name is indeed that of the hidden network, device and access point will establish the connection. Of course, users don't want to be always entering the network name in the connection dialog, so the device's software remembers that. It will start systematically probing for the hidden networks to which it might connect.

The problem of course is that the probing traffic can be listened to by anyone with a Wi-Fi sniffer. A sniffer near a hidden network will of course discover the network name, just by listening to the probe traffic. An active sniffer might emulate an access point to trick local devices to send probes, for very quick discovery. So much for the "Added security part." But it gets worse. When you go to a café, to a hotel, to an airport, in fact pretty much anywhere near a Wi-Fi network, your device will keep sending these probes. "I am looking for network SO-AND-SO, are you it?" Nice way to follow you around, isn't it?

In short, hiding the network name has no security benefit, and has a clear negative effect on privacy. It probably also open the door for instant attacks, in which access points are programmed to automatically spoof the hidden network and trick devices into attempting to connect. In short, it is a very bad idea, worse that Security Theater. If someone reads this and stops, I would be happy!