Welcome to our first blog post of 2020! Happy new year to all 🙂
We wanted to kick off this year’s first blog post by covering how secure a hidden SSID really is. We have been into a few customer environments recently where they were hiding some of their SSIDs because they believed this was more secure.
Shout out to Mr. Andrew McHale for his explanation as to why we shouldn’t be hiding SSIDs:
“Some clients don’t probe for SSIDs, they rely on Beacons to decide what is available. If you hide the SSID in the Beacon then some clients won’t see the SSID to connect to.
Others will try listening to beacons first and only probe if they don’t see the SSID they’re looking for. This wastes time.
On DFS channels the client has to listen for a Beacon or Probe Response before it probes itself. Normally Vocera clients always probe for the specific SSID we have programmed it for. But on DFS channels, to save that probing time, if we hear a Beacon supporting our SSID we will forego probing on that channel. If you hide the beacon we have to apply that extra 15ms for probing and dwelling on that DFS channel.”
To summarise Andrew’s point: we should not be hiding SSIDs, as doing so can have a negative impact on client roaming & association.
Let’s now do some testing and see how secure it is to hide an SSID & what steps we have to do to be able to find what the hidden SSID name is – if that is even possible of course 😉
For our tests today I will be using my Mist AP41 – connected back to my Mist Cloud dashboard. The SSID we will be trying to find is called “Matts_Hidden_SSID”. I will also be using the WLAN-Pi & Wireshark to capture wireless packets.
Here is how my SSID is configured on My Mist dashboard – we can clearly see the SSID name and that I have selected to hide the SSID.
Next, let’s take a look at what wireless channels my AP is using in the 5GHz band so I can configure my WLAN-Pi to capture on those channels.
We can see in the above image that my AP is using a 40MHz wide channel & occupying channels 108 + 112. So we need to configure my WLAN-Pi to use those channels.
With the WLAN-Pi configured to capture on those channels, I was ready to start capturing some packets.
Let’s take a look at some of the packets that started flooding in. I could see my other SSID “WiFi Ninjas”, which I had not set to be hidden, being broadcast in the beacon frames. I could also see that another SSID was coming from my Mist AP, but the hidden SSID name itself was not visible – still pretty secure at this point 😉
How about if we filter on probe responses only? By using this Wireshark filter: wlan.fc.type_subtype == 0x0005
Ooooh, not quite so secure anymore, is it? 🙂 We can quite clearly see the SSID name in the SSID parameter now! This didn’t take too much effort either, did it? There are a few requirements we need to meet to be able to see the probe response, though.
I associated to the SSID whilst capturing the packets, but if a client does not associate during your packet capture you won’t see the probe response, so you might have to send a de-auth or something like that – but that’s for another blog 😉
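As an added illustration (this is not code from the original post), here is a small Python parser for the SSID element of 802.11 management frames, run over three constructed sample frames: a normal beacon, a beacon for a hidden network, and the probe response the AP sends when a client associates. The BSSID, timestamps and the two SSID names are constructed sample data, and the parser handles both the zero-length and the NUL-padded form of a hidden SSID.

```python
import struct

# Management subtypes (the low nibble of Wireshark's wlan.fc.type_subtype for type 0).
BEACON, PROBE_RESP = 0x08, 0x05

def frame_subtype(frame: bytes) -> int:
    """Management subtype from the first frame-control byte (bits 4-7)."""
    return (frame[0] >> 4) & 0x0F

def parse_ssid(frame: bytes):
    """Return the SSID element value as text, or None if the frame has none.
    Layout: 24-byte MAC header, 12 bytes of fixed fields (timestamp, interval,
    capability), then tagged elements as (id, length, value). A hidden SSID
    arrives as a zero-length element or one padded with NUL bytes."""
    pos = 24 + 12
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        if elem_id == 0:  # element ID 0 is the SSID
            value = frame[pos + 2 : pos + 2 + elem_len]
            return value.rstrip(b"\x00").decode("utf-8", "replace")
        pos += 2 + elem_len
    return None

def build_mgmt(subtype: int, ssid: bytes) -> bytes:
    """Construct a sample management frame (constructed data, not a real capture)."""
    fc = bytes([subtype << 4, 0x00])                  # type 0 (mgmt), given subtype
    bssid = b"\x02\x00\x00\x00\x00\x01"                # locally administered, made up
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)        # timestamp, interval, capability
    ssid_el = bytes([0, len(ssid)]) + ssid
    rates_el = bytes([1, 1, 0x8C])                     # supported rates: 6 Mbps (basic)
    return header + fixed + ssid_el + rates_el

def recover_ssids(frames):
    """Group SSID values by subtype, mirroring the two Wireshark views in the post:
    beacons of a hidden network show a blank SSID, probe responses carry the name."""
    seen = {}
    for frame in frames:
        subtype = frame_subtype(frame)
        if subtype in (BEACON, PROBE_RESP):
            seen.setdefault(subtype, set()).add(parse_ssid(frame))
    return seen

# Constructed sample capture: a normal beacon, a hidden-SSID beacon, and the probe
# response the AP sends when a client associates to the hidden network.
SAMPLE_FRAMES = [
    build_mgmt(BEACON, b"WiFi Ninjas"),
    build_mgmt(BEACON, b""),
    build_mgmt(PROBE_RESP, b"Matts_Hidden_SSID"),
]
```

Calling recover_ssids(SAMPLE_FRAMES) returns the blank SSID under the beacon subtype and “Matts_Hidden_SSID” under the probe response subtype, which is exactly the difference the two Wireshark views above show.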
To summarise then, hiding the SSID is not only not secure, but it can also have a negative impact on roaming – next time I go to a customer site that has the SSID hidden, I will be sending them to this blog 😀
If you are new to Wireshark we did another blog last year on some useful filters which can be found here: https://wifininjas.net/index.php/2019/05/29/wn-blog-002-wireshark-filters/
I also have set up my own custom profiles, using a colour profile, my own custom columns & have added known devices MAC address to name profile so that’s how you can see “Matt_iPhoneX” instead of my MAC address. If you want any help with how to set up your Wireshark like this feel free to give us a shout and we will help you.
Hope you enjoyed the blog post 🙂
2 thoughts on “WN Blog 025 – Hidden SSIDs”
Very informative, thank you.
Can you say some useful practices for securing WiFi? Is it mandatory to use 802.1X infrastructure?
Great simple read. I think I need to get Wireshark out a bit more now, because that seemed simple.