Disabling the SSID

Many security experts think that broadcasting your SSID, which identifies your WiFi LAN to all of your wireless neighbors, creates a substantial security risk to your LAN. This concept is similar to the justification of stealthing your IP address, as I discussed in Security By Obscurity.

You can disable the broadcast of the SSID in the beacon. This will make your AP invisible, as long as there are no stations associating with it. As soon as any stations (wireless computers) associate with the AP, the SSID will be out there for everybody to see.

Associating with an AP, with SSID beacon disabled, can be done, as long as the SSID is known to the station wishing to associate. But the process is complex, and generates a lot of excess traffic. This traffic exposes your SSID even more than if you had been broadcasting the SSID in the first place.

Microsoft Wireless Zero Config does not support disabling the SSID in the beacon.

ICSA Labs did a detailed study of SSID disabling, and wrote a white paper Debunking the Myth of SSID Hiding exploring the pros and cons.

For more user friendly discussions, DSLReports Forums has 2 FAQs published – Disabling SSID, and What happens when I disable SSID Broadcast?, both discussing this topic.

And, as I said above, you can hide yourself, as long as there is nobody connecting to you. But what’s the purpose of having a AP with no clients? And as soon as you have clients, you’ll be visible again.

Only the truly lame script kiddies don’t know about NetStumbler. You won’t be invisible to NetStumbler.

Disabling SSID beaconing MAY make you invisible in normal WiFi client manager displays. There is an upside, and a downside, to this.

  • The upside is that your neighbour, who knows barely enough to find the Ethernet port (“big fat phone plug thingy”) on his cable modem, won’t know that you’re there. You’re safe from him trying to hack your WLAN.
  • The downside is that your neighbour doesn’t know that you’re there. If he picks the same channel that you’re using, and your bandwidth suffers because you have to share the channel, you can only blame yourself. Your neighbour will probably end up taking his WAP back to the store, because “it doesn’t work right”. That too will be your fault. He won’t even know that you’re in the area, and come ask for advice, because you’re “invisible”.

The reason for having channel number, and relative signal strength, displayed in the client manager displays is to allow you, when you setup your WiFi LAN, to pick a channel that is less used. If you can’t see the others on the channel, because they want to be invisible, how are you going to, reliably, pick a less used channel?

Did you ever see the movie The Invisible Man? What were some of the first things that Nick Halloway learned from experience?

  • Don’t wear clothes in public, if you want to be invisible.
  • Don’t expect folks not to run into you, if you want to walk around in a crowd.

If you think about it, both practices are pretty antisocial. Walking around naked, and walking around invisible, are not keeping to social norms. Neither is using WiFi “naked” (without proper security), or “invisible” (SSID beaconing disabled).


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: