Why hiding your SSID makes your security worse

I got a couple of questions about my recommended DD-WRT settings, but I’m going to start with the question about why not to hide the SSID. It actually turns out that hiding your SSID is bad for you, and makes your security worse. I’ll explain.

First, let me explain that there was a time when we thought hiding the SSID helped. Sometimes things we thought helped turn out otherwise after a while. This is one example.

Here’s the problem. When you hide your SSID, your devices have to beacon out looking for it. So they do, and they don’t just beacon when you’re at home. They beacon out at work, at the coffee shop, at the airport and hotel, and wherever else you take your phone, tablet, and/or laptop. An attacker can detect that beaconing, then stand up an access point with that SSID, wait for your device to join, and then they can capture and analyze your traffic. At that point they can even get into your SSL/TLS sessions. If they make a few mistakes, you may notice you’re on the wrong network, but if they’re good, you won’t.

And at home, hiding your SSID really doesn’t do anything to protect your network anyway. It doesn’t slow down an attacker looking for a network to attack. If anything it calls attention to your network, which is something you don’t want to do. From where I’m sitting right now, I can see four networks. That means a bad guy sitting nearby has a 25% chance of picking my network to attack. If I’m hiding my SSID, I’m basically wearing a “kick me” sign, because the attacker is going to wonder what I have that’s worth hiding, or if I made other mistakes. So I end up with a 100% chance of being picked. And I don’t slow the attacker down either–the good tools see all the network traffic regardless of what they’re broadcasting.

What about keeping the neighbors out? Hiding your SSID makes it harder for your neighbors to find your network, but not necessarily impossible. Kali Linux is free, it runs well on a $35 used laptop, and there are tons of tutorials on Youtube that teach you how to use it to see invisible networks and hack them. Add a high-gain antenna and it’s possible to see networks on more than one street, too. Sophisticated attackers aren’t as rare as they were five years ago, and they’re becoming less rare all the time. A curious high-school kid can become sophisticated enough to be a legitimate threat over the course of a couple of weekends.

The technical means to keep nosy neighbors and miscreants out of your network are simple–use WPA2 and AES and a difficult password. Throw in a little psychology, and you can get rather good security, at least as far as your wireless networks go.

Hiding your SSID is a throwback to the turn of the century, when there was a philosophy to try to make your computer invisible. The idea was that you can’t hack what you can’t see. It’s a good theory, but in practice it turns out you can’t really make a computer invisible. Well, you can’t at least if you want to leave it in a state where you can actually use it.

The other philosophy that SSID hiding plays into is security by obscurity. There’s nothing wrong with throwing a bit of obscurity into the mix, but only if you’re not harming yourself by doing it. SSID hiding fails on both counts in this case. You can’t become obscure to the people who actually can harm you. Worse yet, you actually make the devices themselves less obscure by trying to hide the network, so you harm yourself when you travel.

There are some people who refer to SSID hiding as a myth, a mistake, or other negative terms. History is full of things that we thought, for a time, were good ideas and then we learned otherwise. Things like Halon, asbestos, and CFCs come to mind. This falls into that category. And let’s face it, most people don’t set a wireless network up very often. So that’s why this practice remains.

If you’re interested, here are some more tips about avoiding dangers of public wifi.

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux