Mobility Loop

Originally published by Mobility Loop. Reposted with permission.

Copyright © 2006 Core Competence Inc. All rights reserved.

SSID Broadcasts and Other Security Legends

Monday, October 31, 2005

Written by Lisa Phifer

I’ve been reading about 802.11 wireless LAN security since early 2001. Over the years, much has changed. WEP hit the headlines and faded away, to be replaced by WPA in 2002, and then 802.11i in 2004. Yet, I continue to read many of the same security recommendations, some of which I find to be ill-advised. Today, a colleague forwarded me a corporate advisory for employees using wireless at home. Hidden among otherwise good advice was this chestnut: disable SSID broadcasts to hide your WLAN from war drivers.

Um, no. Disabling SSID broadcasts simply will not accomplish that feat. In fact, doing so will make your WLAN harder for legitimate users to access, and increase WLAN overhead. Why?

WLAN Access Points (APs) generate beacons to advertise their presence and capabilities. The name of that WLAN – the Extended Service Set Identifier (ESSID, or SSID for short) – is included in every beacon. This lets 802.11 stations easily connect to desired APs. Disabling SSID broadcasts does not prevent the AP from generating beacons; it merely omits the WLAN’s name from each beacon.

In this situation, stations must generate Probe Requests to search for an AP with the desired SSID. Any AP that receives a Probe Request is required to send a Probe Response that carries its SSID. Thus, stations can determine the SSID anyway, but they now must send extra messages to do so.
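To make the beacon versus Probe Response point concrete, here is an added Python example (not code from the original column) that builds a constructed beacon body with SSID broadcast disabled and the constructed Probe Response the same AP must send, then parses the SSID information element out of each. The frame builder, the element parser and the sample network name "HomeNet" are assumptions for illustration; the fixed-field and element layout follows the 802.11 management frame format.

```python
import struct

# 802.11 management frame body (beacon and probe response share this layout):
#   timestamp (8) | beacon interval (2) | capability info (2) | tagged elements...
# Each tagged element: element ID (1) | length (1) | value
FIXED_FIELDS_LEN = 12
SSID_ELEMENT_ID = 0

def parse_elements(body: bytes) -> dict:
    """Walk the tagged elements after the fixed fields; return {element_id: value}."""
    elements = {}
    pos = FIXED_FIELDS_LEN
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:          # truncated frame: stop rather than mis-parse
            break
        elements.setdefault(eid, value)  # keep the first copy of a repeated element
        pos += 2 + length
    return elements

def ssid_from_frame(body: bytes):
    """Return the SSID, or None when the element is absent, zero-length or null-filled
    (the forms a 'hidden' SSID takes in a beacon whose broadcast is disabled)."""
    ssid = parse_elements(body).get(SSID_ELEMENT_ID)
    if not ssid or ssid == b"\x00" * len(ssid):
        return None
    return ssid.decode("utf-8", errors="replace")

def build_frame(ssid: bytes, channel: int = 6) -> bytes:
    """Construct a management frame body (constructed sample, not captured traffic)."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)      # timestamp, 100 TU interval, capabilities
    ssid_ie = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates: 1, 2, 5.5, 11 Mbps
    ds_ie = bytes([3, 1, channel])                    # DS parameter set: channel number
    return fixed + ssid_ie + rates_ie + ds_ie

# Constructed samples: the beacon an AP sends with SSID broadcast disabled, and the
# Probe Response it is still required to send to a station asking for "HomeNet".
HIDDEN_BEACON = build_frame(b"")
PROBE_RESPONSE = build_frame(b"HomeNet")

if __name__ == "__main__":
    print("beacon SSID:", ssid_from_frame(HIDDEN_BEACON))            # None
    print("probe response SSID:", ssid_from_frame(PROBE_RESPONSE))   # HomeNet
```

Note that the "hidden" beacon still carries the SSID element and the channel and rate elements; only the name field is empty, which is why the beacon overhead does not go away.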

If the AP should refuse to respond to Probe Requests for "any" SSID, stations must be configured with the right SSID to connect. Even in this case, an attacker can easily capture packets and extract the SSID from valid Associate Requests and Responses. You have just added administrative effort to configure SSIDs into every station.

In short, it is impossible to HIDE your WLAN’s ESSID. Those who advise disabling SSID broadcast apply this rationale: Basic stumblers, often used by war drivers, rely on beacons to display an AP’s SSID. True. But war drivers are hardly limited to using basic tools, and there are dozens of readily-available tools (shareware and commercial) that will display the SSID of an AP without depending on beacons.

Now, I have nothing against security measures that simply raise the bar. For example, MAC Address Access Control Lists (ACLs) in home WLANs can reduce accidental associations. So will WEP encryption. Neither measure is robust – far from it. MAC address spoofing is trivial and WEP keys are easily cracked. But home users who want to avoid being the lowest hanging fruit on the vine can use these. Doing so adds modest set-up effort in a home WLAN with one AP and a handful of stations, and does not significantly impede legitimate WLAN operation.

Many pundits categorize MAC ACLs and WEP as security myths, and strongly advise against using them. I understand why. However, given a choice between no security whatsoever and these admittedly-weak measures, I still recommend them in home WLANs where risk and budget are low. I also emphatically encourage all WLAN owners, especially business WLAN owners, to adopt stronger alternatives like 802.1X, WPA, or WPA2/802.11i.

In practical terms, security is often about balancing risk and reward. I do NOT recommend using static WEP or MAC ACLs in a large WLAN; administrative overhead would be onerous, and risk of compromise far too high to justify that cost. Which brings us back to that old debate about SSID broadcasts. In my view, the performance and administrative impact of disabling SSID broadcasts nearly always outweighs its benefit.