NCSAM/2011 – Post 6 – Don’t disable SSID broadcast
The check-box is there on every wireless (or Wi-Fi) router I’ve ever seen:
Often the implication is that this is some kind of security option. Sometimes, articles in news outlets will even tell you that it is a security option worth setting!
[The SSID – Service Set IDentifier – is essentially the name of your router – or, more precisely, the name of one set of configuration at your wireless router to which you allow computers and other devices to connect]
As with many security options that involve a check-box that sounds like “less secure” versus “more secure”, it’s worth knowing what the two options do.
With SSID Broadcast Enabled
If you enable SSID Broadcast, your wireless router will occasionally broadcast its presence and its name – for instance, mine will clearly tell all computers in range that it is called “texis”.
This invites connections – but only from people who can authenticate to the router over WPA2, using my choice of keying method.
With SSID Broadcast Disabled
If you disable SSID Broadcast, your wireless router will still occasionally broadcast its presence, but not its name. Depending on your operating system, this will result in some form of “Unnamed Network” connection being offered to you – and if you can name it, and provide it with the correct authentication, you can get online to that wireless setup.
So, Disabled means no one knows my router’s name, right?
Well, not really.
First, let’s look at your devices. Most users will want to configure their computers, laptops, or other Wi-Fi-capable devices so that they will automatically connect to their ‘home’ networks. This option, when enabled (and it’s often enabled by default), means that your devices will essentially spend most of their time when not at ‘home’ shouting out the names of the wireless networks they know but can’t see. Instead of one device in a fixed and protected location broadcasting the name of your network, you now have all your devices, while mobile (and in untrusted locations), broadcasting that network name.
Now, let’s look at the router. Wireless traffic is, by its very nature, always a broadcast stream. So, when a device tries to connect to that router, it’s going to send the SSID of the router it wants to talk to. Any attacker looking for your SSID will see this, just as easily as they would if your router was broadcasting it.
It might seem like there’s still an advantage, in that the SSID isn’t being sent out several times a minute, but only when a connection is needed. As with most such suggestions, it turns out that there’s a way for an attacker to get the information they’re after. All the attacker has to do is monitor a little bit of wireless communication between a device and its router, and then inject a disconnection (“disassociation frame”) message, which makes the device try to reconnect, so the attacker can read the SSID at any time it wants.
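To make the point of the last three paragraphs concrete, here is an added example in Python (it is not code from the original post). It builds a constructed, minimal capture of 802.11 management frames, a beacon from a router with SSID broadcast disabled plus the probe request and association request a laptop sends to join it, and then parses the SSID information element out of each frame. The frame layout (24-byte management header, fixed fields, then tag/length/value elements) follows the 802.11 standard; the MAC addresses, the network name “texis” borrowed from the post, and all helper names are assumptions chosen for illustration.

```python
import struct

# 802.11 management frame subtypes used here, and the number of fixed-field
# bytes that precede the information elements in each frame body.
SUBTYPES = {0x0: "assoc-req", 0x4: "probe-req", 0x5: "probe-resp", 0x8: "beacon"}
FIXED_LEN = {0x0: 4, 0x4: 0, 0x5: 12, 0x8: 12}
SSID_TAG = 0    # element ID of the SSID information element
RATES_TAG = 1   # element ID of the Supported Rates element


def element(tag, value):
    """Encode one information element as tag, length, value."""
    return bytes([tag, len(value)]) + value


def mgmt_frame(subtype, addr1, addr2, addr3, body):
    """Build a management frame: frame control, duration, three addresses,
    sequence control, then the body (the FCS is omitted, as in most captures)."""
    frame_control = bytes([subtype << 4, 0x00])   # version 0, type 0 = management
    return frame_control + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


def parse_elements(buf):
    """Yield (tag, value) pairs, stopping at a truncated element."""
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) < length:
            break
        yield tag, value
        i += 2 + length


def ssid_of(frame):
    """Return (frame kind, SSID). SSID is None when the frame carries no usable
    name: a 'hidden' beacon (zero-length or all-zero SSID) or a wildcard probe."""
    if len(frame) < 24 or frame[0] & 0x0C != 0:
        raise ValueError("not an 802.11 management frame")
    subtype = frame[0] >> 4
    if subtype not in SUBTYPES:
        return ("other", None)
    body = frame[24 + FIXED_LEN[subtype]:]
    for tag, value in parse_elements(body):
        if tag == SSID_TAG:
            if len(value) == 0 or value == b"\x00" * len(value):
                return (SUBTYPES[subtype], None)
            return (SUBTYPES[subtype], value.decode("utf-8", errors="replace"))
    return (SUBTYPES[subtype], None)


def names_seen(frames):
    """Map each SSID sent in the clear to the (source address, frame kind) pairs
    that revealed it. The source address is the second address field (bytes 10-16)."""
    seen = {}
    for frame in frames:
        kind, ssid = ssid_of(frame)
        if ssid is not None:
            seen.setdefault(ssid, set()).add((frame[10:16].hex(":"), kind))
    return seen


# --- constructed sample capture (not real traffic) --------------------------
BROADCAST = b"\xff" * 6
ROUTER = bytes.fromhex("020000000001")   # constructed locally-administered MACs
LAPTOP = bytes.fromhex("020000000002")
RATES = element(RATES_TAG, bytes([0x82, 0x84, 0x8B, 0x96]))
BEACON_FIXED = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capability
ASSOC_FIXED = struct.pack("<HH", 0x0411, 10)         # capability, listen interval


def hidden_network_capture():
    """Frames from a router with SSID broadcast disabled and one laptop joining it."""
    return [
        mgmt_frame(0x8, BROADCAST, ROUTER, ROUTER, BEACON_FIXED + element(SSID_TAG, b"") + RATES),
        mgmt_frame(0x4, BROADCAST, LAPTOP, BROADCAST, element(SSID_TAG, b"texis") + RATES),
        mgmt_frame(0x0, ROUTER, LAPTOP, ROUTER, ASSOC_FIXED + element(SSID_TAG, b"texis") + RATES),
    ]


def visible_beacon():
    """The same router with SSID broadcast enabled."""
    return mgmt_frame(0x8, BROADCAST, ROUTER, ROUTER, BEACON_FIXED + element(SSID_TAG, b"texis") + RATES)


if __name__ == "__main__":
    print("broadcast enabled :", ssid_of(visible_beacon()))
    for f in hidden_network_capture():
        print("broadcast disabled:", ssid_of(f))
    print("names in the clear:", names_seen(hidden_network_capture()))
```

Run stand-alone, the script shows that the hidden beacon yields no name, while the laptop’s own probe request and association request both carry “texis” unencrypted; `names_seen` attributes the leak to the laptop’s address rather than the router’s, which is exactly the shift the post describes: disabling the broadcast moves the name from the router to every device that knows it.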
SSID is a name, not a security measure, for your network
Names are not by themselves authenticators; they are identifiers. They are a claim of identity, not a proof. Never rely on the knowledge or obscurity of a name to protect you. SSID Broadcast is nothing more than the broadcast of a name. It is no more a security measure than hiding your house number would be.
Your protection for your wireless router and its traffic is the authentication and encryption protocol you use – WPA2 is generally the standard to use, or if you are in an enterprise, 802.1X is another means of ensuring that only valid computers and devices are allowed to connect.